PEAR error issues, please help

     
12:13 am on Feb 21, 2012 (gmt 0)

5+ Year Member



I've inherited a site that uses PEAR to handle all DB calls.

This is an example of how it handles a query:

$result = $conn->query($sql);
if(PEAR::isError($result))
{
die('<b>Error:</b>&nbsp;'.$result->getMessage().'
<br/><b>Debug Info</b>:&nbsp;'.$result->getDebugInfo());
}
$row = $result->fetchRow(DB_FETCHMODE_ASSOC);


This is exactly how it is on hundreds of pages of this site. The problem with this is that whenever there is any kind of DB error (e.g. a SQL syntax error), it is displaying the ENTIRE error and related query directly to the user because of the $result->getDebugInfo(), which is a big NO-NO for obvious security reasons.

Instead of displaying the error to my users, I want the site to simply e-mail me whenever there is a DB error, and to e-mail me the contents of $result->getDebugInfo() rather than displaying it to my users so I can be alerted to the problem and debug it while avoiding the security risk altogether.

Now, I thought this would be as simple as searching for the getDebugInfo() function in the PEAR library and changing it to do the above, but that did not work at all which is very puzzling. I found the function in only one location, which was the main PEAR.php class file and it looks like this:

function getDebugInfo()
{
return $this->getUserInfo();
}


No matter what changes I make to this function, they are NOT reflected when $result->getDebugInfo() is called in the script, which is incredibly puzzling and is making me pull my hair out. I've even tried commenting out the ENTIRE function and it STILL displays the error code to my users as if it were HAL and in complete control to do as it wishes while I'm his little minion. Talk about puzzling (I'm bald now)!

So how in the world do I get my site to stop revealing the PEAR error and SQL code to my users and to e-mail it to me instead?

12:37 pm on Feb 21, 2012 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Maybe you're looking at the wrong place. The $result object seems to reference db commands, not the file you're looking at. What is the $conn object type? Is it mysql? See that class; there could be another instance of the function you're trying to find.

4:36 pm on Feb 21, 2012 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Even if you managed to do that, you'd still have it outputting data from getMessage (which is where the mysql error comes from, and the one you'd want to hide.) The problem is that it's incorporated in the die(). Die() will output whatever parameters you set it to. Just die() will output nothing.

The straightforward solution is to figure out why the database is erroring and fix that. It shouldn't be.

The other is to change all instances like so

if(PEAR::isError($result))
{
email_me('<b>Error:</b>&nbsp;'.$result->getMessage().'
<br/><b>Debug Info</b>:&nbsp;'.$result->getDebugInfo());

die('<p><strong>Oops! It seems we have a database problem, we\'ve been notified and are looking at it.</strong></p>');

}

... where "email_me" is a function you write to accept a single parameter as the message. Hundreds of pages might be worth it, it shouldn't be outputting this publicly. Given the opportunity, I'd put it in an include so next time or if you want to modify it in any way, you only do it once:

if(PEAR::isError($result)){

include ($_SERVER['DOCUMENT_ROOT']."/includes/db-error-handler.php");

}

If you DO find the instance where it's happening (I suspect it may be out of your reach on the server? Don't know) you'd want to do

function getMessage() {
// whatever compiles the message
email_me($message);
return 'your public message here';
}
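
Added example, not part of the thread or of PEAR itself: one way to send the full error to the site owner while showing visitors only a generic message, handled in a single place. ADMIN_EMAIL, report_db_error() and db_error_callback() are hypothetical names, the sample error object is constructed, and the registration assumes the classic PEAR error modes (PEAR::setErrorHandling with PEAR_ERROR_CALLBACK).

```php
<?php
// Added example; ADMIN_EMAIL and both function names are hypothetical.
define('ADMIN_EMAIL', 'admin@example.com'); // placeholder address

// Records the full error privately and returns only a generic public message.
// $send is any callable with mail()'s (to, subject, body) signature.
function report_db_error($err, $send = 'mail')
{
    $ref = uniqid('db'); // reference shown to the user, ties a report to the log entry
    $url = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '(cli)';
    $detail = "Ref: $ref\nURL: $url\n"
            . 'Error: ' . $err->getMessage() . "\n"
            . 'Debug: ' . $err->getDebugInfo() . "\n";
    error_log($detail); // server-side record even if mail fails
    call_user_func($send, ADMIN_EMAIL, "DB error $ref", $detail);
    return "Oops! It seems we have a database problem. Reference: $ref";
}

// PEAR_ERROR_CALLBACK target: it runs when the error object is created,
// so the script ends here and the per-page die() never prints debug info.
function db_error_callback($err)
{
    $public = report_db_error($err);
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
    }
    die('<p><strong>' . htmlspecialchars($public) . '</strong></p>');
}

if (class_exists('PEAR')) {
    // Assumes PEAR.php is already loaded; register once, before any query.
    PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'db_error_callback');
} else {
    // Offline demo with a constructed stand-in for a PEAR_Error object.
    class FakeDbError
    {
        function getMessage()   { return 'DB Error: syntax error'; }
        function getDebugInfo() { return 'SELECT * FORM users [nativecode=1064]'; }
    }
    $sent = array();
    $capture = function ($to, $subject, $body) use (&$sent) { $sent[] = $body; };
    $public = report_db_error(new FakeDbError(), $capture);
    echo $public, "\n";                              // what a visitor would see
    var_dump(strpos($public, 'SELECT') === false);   // query text absent from public output
    var_dump(strpos($sent[0], 'SELECT') !== false);  // query text present in private report
}
```

Loaded from the file where $conn is created, the callback takes effect without editing each page; the per-page die() blocks should still be cleaned up so they cannot leak if the handler is ever removed.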