I am using Zend_Db_Adapter, specifically Zend_Db_Adapter_Pdo_Abstract. I would imagine that this issue extends to other adapters as well. When a PDOException is thrown, it is 'uncaught', and in many instances, the stack trace reveals the username and password.

I have verified that the following PDO exceptions all show the credentials in the stack trace:

  • SQLSTATE[HY000] [2005] Unknown MySQL server host ...snip...
  • SQLSTATE[HY000] [2013] Lost connection to MySQL server at 'reading authorization packet'
  • SQLSTATE[08004] [1040] Too many connections
  • SQLSTATE[28000] [1045] Access denied for user ...snip... (using password: YES)

My production sites don't show stack traces when there are errors, and I still want to see stack traces for these errors on my development environments, I just don't want the usernames and passwords to be displayed in the clear.

2 answers

#1


3

I would solve this by not solving it... Let me explain:

There's currently no way to disable stack traces from uncaught exceptions. PHP doesn't let you do that.

So, rather than try to disable it, I'd simply not let an exception go uncaught... I'd install an exception handler which would then log the back-trace information. I wouldn't display it on the screen. I wouldn't check which environment it's in. I wouldn't check request information. I would just log it to a file, and display a generic 500 server error page.

Now, in your handler, you can selectively show call information, so you can choose whether or not to log argument info:

set_exception_handler(function($exception) {
    $log = array(
        'message' => $exception->getMessage(),
        'trace' => array(),
    );
    foreach ($exception->getTrace() as $item) {
        $trace = isset($item['class']) ? $item['class'] . $item['type'] : '';
        $trace .= $item['function'] . '()';
        $log['trace'][] = $trace;
    }
    save_to_log($log);
});

But I take an uncaught exception as a sign of a bug in your application. You should find them and fix them. If you get them enough that you're worried about presenting the arguments in the page, then you really need to fix the fact that there are uncaught exceptions in the first place...

Edit: Here's a demonstration of what happens:

class Foo {
    public function doSomething($user, $password) {
        throw new Exception('Something Went Wrong!');
    }
}

$f = new Foo();

$f->doSomething('user', 'passw');

on CodePad results in:

<br />
<b>Fatal error</b>:  Uncaught exception 'Exception' with message 'Something Went Wrong!' in /code/MxH9Ls:4
Stack trace:
#0 /code/MxH9Ls(10): Foo-&gt;doSomething('user', 'passw')
#1 {main}
  thrown in <b>/code/MxH9Ls</b> on line <b>4</b><br />

But, with the exception handler (modified to print instead of log):

set_exception_handler(function($exception) {
    $log = array(
        'message' => $exception->getMessage(),
        'trace' => array(),
    );
    foreach ($exception->getTrace() as $item) {
        $trace = isset($item['class']) ? $item['class'] . $item['type'] : '';
        $trace .= $item['function'] . '()';
        $log['trace'][] = $trace;
    }
    echo $log['message'] . "\n";
    foreach ($log['trace'] as $trace) {
        echo " - $trace\n";
    }
});

class Foo {
    public function doSomething($user, $password) {
        throw new Exception('Something Went Wrong!');
    }
}

$f = new Foo();

$f->doSomething('user', 'passw');

On CodePad produces:

Something Went Wrong!
 - Foo->doSomething()
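An added example, not code from the answer above or from Zend Framework, of a handler that keeps the argument detail the asker wants in development logs while masking configured credentials; the `$secrets` values, the `Db` class and the check on `PDO`/`Zend_Db_Adapter` class names are assumptions made for the demonstration:

```php
<?php
// Assumption: the same credentials Zend_Db_Adapter was configured with are
// loaded here so the handler can recognise them. Constructed sample values.
$secrets = array('db_user', 's3cr3t');

set_exception_handler(function ($exception) use ($secrets) {
    // Render one argument for the log; configured secrets are never echoed,
    // arrays and objects are summarised so nested credentials stay hidden.
    $redact = function ($arg) use ($secrets) {
        if (is_string($arg)) {
            if (in_array($arg, $secrets, true)) {
                return '***';
            }
            return "'" . (strlen($arg) > 32 ? substr($arg, 0, 32) . '...' : $arg) . "'";
        }
        if (is_scalar($arg) || $arg === null) {
            return var_export($arg, true);
        }
        return is_object($arg) ? get_class($arg) : gettype($arg);
    };

    $lines = array($exception->getMessage());
    foreach ($exception->getTrace() as $i => $frame) {
        $call = isset($frame['class']) ? $frame['class'] . $frame['type'] : '';
        $call .= $frame['function'];
        // Assumption: frames of the PDO constructor and the adapter carry the DSN
        // and credentials as arguments, so their arguments are dropped entirely.
        $sensitive = isset($frame['class'])
            && ($frame['class'] === 'PDO' || strpos($frame['class'], 'Zend_Db_Adapter') === 0);
        $args = '';
        if (!$sensitive && isset($frame['args'])) {
            $args = implode(', ', array_map($redact, $frame['args']));
        }
        $where = isset($frame['file']) ? $frame['file'] . ':' . $frame['line'] : '[internal]';
        $lines[] = sprintf('#%d %s(%s) at %s', $i, $call, $args, $where);
    }
    // The redacted trace goes to the log only; the user sees a generic page.
    error_log(implode("\n", $lines));
    http_response_code(500);
    echo 'Internal server error';
});

// Constructed stand-in for the adapter's connect call, mirroring the answer's Foo example
class Db {
    public function connect($dsn, $user, $password) {
        throw new PDOException('SQLSTATE[28000] [1045] Access denied for user');
    }
}
$db = new Db();
$db->connect('mysql:host=localhost;dbname=app', 'db_user', 's3cr3t');
```

On PHP 7.4 and later, `zend.exception_ignore_args=On` in php.ini removes argument values from traces entirely, which is the simpler setting for production.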
