Why does PDO print my password when the connection fails?

Posted by Joe Hopfgartner on Stack Overflow See other posts from Stack Overflow or by Joe Hopfgartner
Published on 2011-06-23T13:43:38Z Indexed on 2011/06/23 16:22 UTC
Read the original article Hit count: 192

Filed under:
|
|
|
|

I have a simple website where I establish a connection to a Mysql server using PDO.

$dbh  =  new PDO('mysql:host=localhost;dbname=DB;port=3306', 'USER', 
'SECRET',array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));

I had some traffic on my site and the servers connection limit was reached, and the website throw this error, with my PLAIN password in it!

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[08004] [1040] Too many connections' in /home/premiumize-me/html/index.php:64 Stack trace: #0 /home/premiumize-me/html/index.php(64): PDO->__construct('mysql:host=loca...', 'USER', 'SECRET', Array) #1 {main} thrown in /home/premiumize-me/html/index.php on line 64

Ironically I switched to PDO for security reasons, this really shocked me.

Because this exact error is something you can provoke very easily on most sites using simple http flooding.

I now wrapped my conenction into a try/catch clause, but still. I think this is catastrophic!

So I am new to PDO and my questino is: What do I have to consider to be safe! How to I establish a connection in a secure way? Are there other known security holes like this one that I have to be aware of?

© Stack Overflow or respective owner

Related posts about php

Related posts about mysql