homepage Welcome to WebmasterWorld Guest from 54.234.2.88
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
PEAR error issues, please help
NeedExpertHelp




msg:4419775
 12:13 am on Feb 21, 2012 (gmt 0)

I've inherited a site that uses PEAR to handle all DB calls.

This is an example of how it handles a query:

$result = $conn->query($sql);
if(PEAR::isError($result))
{
die('<b>Error:</b>&nbsp;'.$result->getMessage().'
<br/><b>Debug Info</b>:&nbsp;'.$result->getDebugInfo());
}
$row = $result->fetchRow(DB_FETCHMODE_ASSOC);


This is exactly how it is on hundreds of pages of this site. The problem with this is that whenever there is any kind of DB error (e.g. a SQL syntax error), it is displaying the ENTIRE error and related query directly to the user because of the $result->getDebugInfo(), which is a big NO-NO for obvious security reasons.

Instead of displaying the error to my users, I want the site to simply e-mail me whenever there is a DB error, and to e-mail me the contents of $result->getDebugInfo() rather than displaying it to my users so I can be alerted to the problem and debug it while avoiding the security risk altogether.

Now, I thought this would be as simple as searching for the getDebugInfo() function in the PEAR library and changing it to do the above, but that did not work at all which is very puzzling. I found the function in only one location, which was the main PEAR.php class file and it looks like this:

function getDebugInfo()
{
return $this->getUserInfo();
}


No matter what changes I make to this function, they are NOT reflected when $result->getDebugInfo() is called in the script, which is incredibly puzzling and is making me pull my hair out. I've even tried commenting out the ENTIRE function and it STILL displays the error code to my users as if it were HAL and in complete control to do as it wishes while I'm his little minion. Talk about puzzling (I'm bald now)!

So how in the world do I get my site to stop revealing the PEAR error and SQL code to my users and to e-mail it to me instead?

 

enigma1




msg:4419932
 12:37 pm on Feb 21, 2012 (gmt 0)

Maybe you're looking at the wrong place. The $result object seems to reference db commands not the file you're looking at. What is the $conn object type? Is it mysql see that class there could be another instance of the function you're trying to find.

rocknbil




msg:4420027
 4:36 pm on Feb 21, 2012 (gmt 0)

Even if you managed to do that, you'd still have it outputting data from getMessage (which is where the mysql error comes from, and the one you'd want to hide.) The problem is that it's incorporated in the die(). Die() will output whatever parameters you set it to. Just die() will output nothing.

The straightforward solution is to figure out why the database is erroring and fix that. It shouldn't be.

The other is to change all instances like so

if(PEAR::isError($result))
{
email_me('<b>Error:</b>&nbsp;'.$result->getMessage().'
<br/><b>Debug Info</b>:&nbsp;'.$result->getDebugInfo());

die('<p><strong>Oops! It seems we have a database problem, we've been notified and are looking at it.</strong></p>');

}

... where "email_me" is a function you write to accept a single parameter as the message. Hundreds of pages might be worth it, it shouldn't be outputting this publicly. Given the opportunity, I'd put it in an include so next time or if you want to modify it in any way, you only do it once:

if(PEAR::isError($result)){

include ($_SERVER['DOCUMENT_ROOT']."/includes/db-error-handler.php');

}

If you DO find the instance where it's happening (I suspect it may be out of your reach on the server? Don't know) you'd want to do

function getMessage() {
// whatever compiles the message
email_me($message);
return 'your public message here';
}

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved