  1. #1 Regular Coder

    Error Display - Security risk?

    I'm changing databases and stuff in one of my pages, so I have errors such as this that the public can see:

    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/rise/public_html/v2/find.php on line 146
    Are these security risks, or is it OK if I have these for a day or 2?

  • #2 CFMaBiSmAd (Senior Coder)
    The danger of that specific message is that it exposes file system path information that could be exploited through, say, a file upload function or some other script that allows code injection or saving content (a PHP script) in an arbitrary folder/file.

    However, of more danger, that message indicates that your code is lacking in error checking, user error reporting, and error recovery logic (the specific message means that your query failed, but your code blindly continued execution and attempted to use the results of a failed query). Knowing this, once you get your database working, someone could submit bogus information that could trigger errors that could expose things like your database, table, and column names and also display a portion of your query statement in an error message. It could also indicate that your queries are open to SQL injection, which would allow someone to bypass password checking on login functions or other similar abuses.

    Until you add error checking (test if the function even worked), visitor error reporting (tell the visitor that the requested action cannot be completed), and error recovery (what do you do when a function call fails - stop program execution) logic to your code, I recommend turning off error reporting/display errors. With your existing code, any time the MySQL server is down (happens more often than you think; after all, we don't live in a perfect world) you will get messages like you posted.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

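    A worked version of the three things the reply asks for (error checking, visitor error reporting, error recovery) together with the display/log settings it recommends, as an added example that is neither the poster's nor CFMaBiSmAd's code. It assumes a `mysqli` connection in `$db`, a hypothetical `items` table with a `name` column, and PHP with mysqlnd (the `mysql_*` functions in the question no longer exist in current PHP).

```php
<?php
// Added example, not the thread's code. Assumes $db is an open mysqli
// connection and a hypothetical table `items` with a column `name`.

// The php.ini / .htaccess settings the reply recommends for a public site:
// never show raw errors to visitors, but keep them in the error log.
ini_set('display_errors', '0');   // display_errors = Off
ini_set('log_errors', '1');       // log_errors = On
error_reporting(E_ALL);           // report everything, to the log only

// BEFORE: the result is used blindly. If the query fails (bad SQL, server
// down), query() returns false / raises, and the raw error shown to the
// visitor carries the script path, like the message in the question.
function find_unchecked(mysqli $db, string $term): array {
    $res = $db->query("SELECT name FROM items WHERE name LIKE '%$term%'");
    return $res->fetch_all(MYSQLI_ASSOC);   // blows up when $res is false
}

// AFTER: check each call, recover (stop) on failure, and tell the visitor
// only that the action could not be completed. Details go to error_log().
function fail_closed(string $detail): void {
    error_log('find.php: ' . $detail);      // private: server log only
    http_response_code(500);
    exit('The search cannot be completed right now. Please try again later.');
}

function find_checked(mysqli $db, string $term): array {
    // A prepared statement keeps the search term out of the SQL text, so
    // the query cannot be altered by the input no matter what characters
    // an earlier letters-and-numbers filter lets through.
    $stmt = $db->prepare('SELECT name FROM items WHERE name LIKE ?');
    if ($stmt === false) {
        fail_closed('prepare failed: ' . $db->error);
    }
    $pattern = '%' . $term . '%';
    $stmt->bind_param('s', $pattern);
    if (!$stmt->execute()) {
        fail_closed('execute failed: ' . $stmt->error);
    }
    $res = $stmt->get_result();
    if ($res === false) {
        fail_closed('get_result failed: ' . $stmt->error);
    }
    return $res->fetch_all(MYSQLI_ASSOC);
}
```
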
  • #3 Regular Coder
    Are you sure it is a risk for SQL injection and stuff, because I made it so that only letters and numbers can be submitted.

  • #4 CFMaBiSmAd (Senior Coder)
    Are you from this planet?

    You posted one error message. I gave a list of possible issues, one being that - "It could also indicate..."

    How in the bleep could you even ask if I was sure if it is a risk for SQL injection, without you posting any information concerning what your code is or is not doing?

    Everything I posted was conjecture based on an error being triggered that indicates that your code is not adequately checking for possible errors and is not ready to be released on a public web site that visitors are expected to be able to use.

  • #5 Regular Coder
    Ok thanks! Sorry about these not so bright questions. I'll start reading up on security, as it seems I lack lots of knowledge concerning these issues.

    cheers,
    neil

