Alexey Skripnik Wed Oct 05 13:05:17 -0400 2011

Subject: PHP-AR show my MySQL login and password in errors!

Hi, guys. Something happened with my MySQL server and I saw an error containing my login and password:

Uncaught exception 'ActiveRecord\DatabaseException' with message 'exception 'PDOException' with message 'SQLSTATE[HY000] [1129] Host '***' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'' in /home/***/activerecord/lib/Connection.php:239 Stack trace: #0
/home/***/activerecord/lib/Connection.php(239): PDO->__construct('mysql:host=brie...', 'MY_LOGIN', 'MY_PASSWORD', Array) #1

It's good that it happened in a closed beta project, but when I open my website, if my MySQL server falls again, users could see my login and password. Can somebody explain to me how to fix this security hole?

P. S. Sorry for my English.


Clay vanSchalkwijk Wed Oct 05 13:14:28 -0400 2011

You need to catch that exception when you're setting up your connection.

Alexey Skripnik Wed Oct 05 13:33:37 -0400 2011

try {
    $cfg->set_model_directory(…);
    $cfg->set_connections(…);
} catch (Exception $e) {
    // Show only a generic message; the exception text (and its trace) stays out of the response.
    echo 'Error!!!';
}

Clay, something like that?

Alexey Skripnik Wed Oct 05 13:41:57 -0400 2011

OMG! I'm not alone. Look, it's heaven for hackers: http://www.google.com/search?q=activerecord+%22PDO-%3E__construct('mysql%3Ahost%3D%22

Dear developers of PHP-AR, please defend your users from this security issue.

Max Schwanekamp Wed Oct 05 17:29:15 -0400 2011

Dude! Catch the exception and the problem is solved. The fact that all those others fail to do so is not the devs' fault.
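A worked version of Clay's and Max's advice, added here as an example rather than code from the thread or from php-activerecord. It assumes a hypothetical `User` model in `./models` and placeholder credentials; php-activerecord opens the PDO connection lazily on the first query, so the catch has to sit around the query site, not only around `set_connections()`, and a global handler plus `display_errors=0` backstops anything that escapes.

```php
<?php
// Added example (not php-activerecord's own code): keep credentials out of error output.
// Assumes php-activerecord is loaded and a hypothetical model class `User` exists.
require_once 'activerecord/ActiveRecord.php';

// Never render raw errors or stack traces to the browser on a production host.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// PHP 7.4+: omit call arguments (such as PDO::__construct's user/password) from traces.
if (PHP_VERSION_ID >= 70400) {
    ini_set('zend.exception_ignore_args', '1');
}

// Backstop for anything that escapes a try/catch: log the class and location, show nothing sensitive.
set_exception_handler(function ($e) {
    error_log(sprintf('[%s] at %s:%d', get_class($e), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Service temporarily unavailable.';
});

ActiveRecord\Config::initialize(function ($cfg) {
    $cfg->set_model_directory(__DIR__ . '/models');
    // Placeholder credentials; in practice read the DSN from a file outside the web root.
    $cfg->set_connections(array(
        'production' => 'mysql://DB_USER:DB_PASSWORD@localhost/app_db',
    ));
    $cfg->set_default_connection('production');
});

// The PDO connection is opened on first use, so this is where a DatabaseException surfaces.
function load_users()
{
    try {
        return User::all();
    } catch (ActiveRecord\DatabaseException $e) {
        // Log server-side only. As the thread's paste shows, the message can embed the nested
        // PDOException's trace (with the credentials), so the log file must not be web-readable.
        error_log('Database unavailable: ' . $e->getMessage());
        return null;
    }
}

$users = load_users();
if ($users === null) {
    http_response_code(503);
    echo 'Service temporarily unavailable.';
}
```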
