Why does PDO print my password when the connection fails?
Posted
by
Joe Hopfgartner
on Stack Overflow
See other posts from Stack Overflow
or by Joe Hopfgartner
Published on 2011-06-23T13:43:38Z
Indexed on
2011/06/23
16:22 UTC
Read the original article
Hit count: 192
I have a simple website where I establish a connection to a Mysql server using PDO.
$dbh = new PDO('mysql:host=localhost;dbname=DB;port=3306', 'USER',
'SECRET',array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
I had some traffic on my site and the servers connection limit was reached, and the website throw this error, with my PLAIN password in it!
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[08004] [1040] Too many connections' in /home/premiumize-me/html/index.php:64 Stack trace: #0 /home/premiumize-me/html/index.php(64): PDO->__construct('mysql:host=loca...', 'USER', 'SECRET', Array) #1 {main} thrown in /home/premiumize-me/html/index.php on line 64
Ironically I switched to PDO for security reasons, this really shocked me.
Because this exact error is something you can provoke very easily on most sites using simple http flooding.
I now wrapped my conenction into a try/catch clause, but still. I think this is catastrophic!
So I am new to PDO and my questino is: What do I have to consider to be safe! How to I establish a connection in a secure way? Are there other known security holes like this one that I have to be aware of?
© Stack Overflow or respective owner