Error Display - Security risk?

10-31-2007, 11:07 PM
I'm changing databases and stuff in one of my pages, so I have errors like this that the public can see:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/rise/public_html/v2/find.php on line 146

Are these security risks, or is it ok if I have these for a day or 2?

10-31-2007, 11:33 PM
The danger of that specific message is that it exposes file system path information that could be exploited through, say, a file upload function or some other script that allows code injection or saving content (php script) in an arbitrary folder/file.

However, of more danger, that message indicates that your code is lacking in error checking, user error reporting, and error recovery logic (the specific message means that your query failed, but your code blindly continued execution and attempted to use the results of a failed query.) Knowing this, once you get your database working, someone could submit bogus information that could trigger errors that could expose things like your database, table, and column names and also display a portion of your query statement in an error message. It could also indicate that your queries are open to sql injection, which would allow someone to bypass password checking on login functions or other similar abuses.

Until you add error checking (test if the function even worked), visitor error reporting (tell the visitor that the requested action cannot be completed), and error recovery (what do you do when a function call fails - stop program execution) logic to your code, I recommend turning off error reporting/display errors. With your existing code, any time the mysql server is down (happens more often than you think; after all, we don't live in a perfect world) you will get messages like you posted.
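The three pieces the reply above asks for (error checking, visitor error reporting, error recovery) plus display_errors turned off, as an added example that is not code from the thread or its posters. It uses mysqli instead of the legacy mysql_* functions; the table and column names, connection details and log path are assumed placeholders.

```php
<?php
// Added example (not from the thread). Table/column names, connection details
// and the log path are placeholders.
mysqli_report(MYSQLI_REPORT_OFF);  // check return values below instead of relying on exceptions
ini_set('display_errors', '0');    // never show raw PHP/MySQL errors to visitors
ini_set('log_errors', '1');        // keep the detail where only the admin can read it
ini_set('error_log', '/path/outside/webroot/php-errors.log'); // placeholder path

// Before: the result of a failed query is used blindly. mysql_query() returns
// false on failure, and mysql_fetch_array(false) emits exactly the warning quoted
// above, leaking the script path to every visitor (legacy API, removed in PHP 7):
//   $result = mysql_query("SELECT name FROM items WHERE code = '" . $_GET['q'] . "'");
//   while ($row = mysql_fetch_array($result)) { ... }

// After: check each step, log the detail, tell the visitor only that it failed, stop.
function find_items(mysqli $db, string $code): ?array
{
    // The prepared statement closes the injection hole regardless of any
    // "letters and numbers only" filtering done on the input.
    $stmt = $db->prepare('SELECT name FROM items WHERE code = ?');
    if ($stmt === false) {                                    // error checking
        error_log('find.php prepare failed: ' . $db->error);  // detail for the admin
        return null;                                          // error recovery: stop
    }
    $stmt->bind_param('s', $code);
    if (!$stmt->execute()) {
        error_log('find.php execute failed: ' . $stmt->error);
        return null;
    }
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);     // needs mysqlnd
    $stmt->close();
    return $rows;
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholders
if ($db->connect_error) {                                     // server down happens
    error_log('find.php connect failed: ' . $db->connect_error);
    http_response_code(503);
    exit('The search is temporarily unavailable. Please try again later.');
}
$rows = find_items($db, $_GET['q'] ?? '');
if ($rows === null) {                                         // visitor error reporting
    http_response_code(500);
    exit('The requested action could not be completed.');
}
foreach ($rows as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

With display_errors off, the warning quoted in the first post would now land in the log file instead of the visitor's browser, and the visitor sees only the generic message.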

11-01-2007, 05:29 PM
Are you sure it is a risk for SQL injection and stuff? Because I made it so that only letters and numbers can be submitted.

11-01-2007, 05:40 PM
Are you from this planet? :eek:

You posted one error message. I gave a list of possible issues, one being that - "It could also indicate..."

How in the bleep could you even ask if I was sure if it is a risk for SQL injection, without you posting any information concerning what your code is or is not doing.

Everything I posted was conjecture based on an error being triggered that indicates that your code is not adequately checking for possible errors and is not ready to be released on a public web site that visitors are expected to be able to use.

11-01-2007, 05:45 PM
Ok thanks! Sorry about these not so bright questions. I'll start reading up on security, as it seems I lack a lot of knowledge concerning these issues.