I've inherited a site that uses PEAR to handle all DB calls.
This is an example of how it handles a query:
$result = $conn->query($sql);
<br/><b>Debug Info</b>: '.$result->getDebugInfo());
$row = $result->fetchRow(DB_FETCHMODE_ASSOC);
This is exactly how it is on hundreds of pages of this site. The problem with this is that whenever there is any kind of DB error (e.g. a SQL syntax error), it is displaying the ENTIRE error and related query directly to the user because of the $result->getDebugInfo()
, which is a big NO-NO for obvious security reasons.
Instead of displaying the error to my users, I want the site to simply e-mail me whenever there is a DB error, and to e-mail me the contents of $result->getDebugInfo()
rather than displaying it to my users so I can be alerted to the problem and debug it while avoiding the security risk altogether.
Now, I thought this would be as simple as searching for the getDebugInfo()
function in the PEAR library and changing it to do the above, but that did not work at all which is very puzzling. I found the function in only one location, which was the main PEAR.php
class file and it looks like this:
No matter what changes I make to this function, they are NOT reflected when $result->getDebugInfo()
is called in the script, which is incredibly puzzling and is making me pull my hair out. I've even tried commenting out the ENTIRE function and it STILL displays the error code to my users as if it were HAL and in complete control to do as it wishes while I'm his little minion. Talk about puzzling (I'm bald now)!
So how in the world do I get my site to stop revealing the PEAR error and SQL code to my users and to e-mail it to me instead?