Zend Db Table shows the db user and password when an exception is thrown. How can I prevent it?

Time: 2021-10-24 03:40:18

I use Zend_Db_Table to manage my MySQL connections. They work great, but there's just one HUGE security problem.

If there's an error, like MySQL is down, ZF throws an exception with the db connection username and password.

Here for example, I've set a wrong db password in my configuration. This is the exception thrown.

exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'root'@'localhost' (using password: YES)' in /Users/claudiocanino/Dev/htdocs/include/Zend/Db/Adapter/Pdo/Abstract.php:129
Stack trace:
#0 /Users/claudiocanino/Dev/htdocs/include/Zend/Db/Adapter/Pdo/Abstract.php(129): PDO->__construct('mysql:dbname=ci...', 'root', 'rootads', Array)
#1 /Users/claudiocanino/Dev/htdocs/include/Zend/Db/Adapter/Pdo/Mysql.php(96): Zend_Db_Adapter_Pdo_Abstract->_connect()
#2 /Users/claudiocanino/Dev/htdocs/include/Zend/Db/Adapter/Abstract.php(459): Zend_Db_Adapter_Pdo_Mysql->_connect()
...

And here are the username and password in the clear. How can I modify the Zend_Db_Table class so it doesn't show sensitive information in its exceptions?

Thanks

1 solution

#1


3  

Instead of changing display error options or production environment setting, you could define your ErrorController.

Having an ErrorController is almost mandatory for a project in a production system. It catches any exceptions thrown by your application due to an application logic flaw, or it catches any URL that does not have any associated controllers/actions or does not match any pattern defined in your routers.

More details on setting up ErrorController for your Zend project - http://www.thedeveloperday.com/custom-profiler-for-live-environments/
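
A sketch of such an ErrorController for Zend Framework 1, added here as an illustration and not part of the original answer. It assumes the default MVC layout, the standard error handler plugin, and a view script at views/scripts/error/error.phtml that prints only the `message` view variable; the response wording is an assumption.

```php
<?php
// Added example: application/controllers/ErrorController.php (Zend Framework 1).
class ErrorController extends Zend_Controller_Action
{
    public function errorAction()
    {
        // Populated by Zend_Controller_Plugin_ErrorHandler when an exception
        // was caught while dispatching the request.
        $errors = $this->_getParam('error_handler');
        if (!$errors || !isset($errors->exception)) {
            $this->getResponse()->setHttpResponseCode(500);
            $this->view->message = 'Application error';
            return;
        }

        switch ($errors->type) {
            case Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_ROUTE:
            case Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_CONTROLLER:
            case Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_ACTION:
                // Unknown URL: answer with a plain 404.
                $this->getResponse()->setHttpResponseCode(404);
                $this->view->message = 'Page not found';
                break;
            default:
                // Anything else, including the PDOException from a failed
                // connection: answer with a generic 500.
                $this->getResponse()->setHttpResponseCode(500);
                $this->view->message = 'Application error';
                break;
        }

        // Log server-side only. In the trace shown in the question the
        // password appears in the stack-trace arguments of PDO->__construct(),
        // so getTraceAsString() is deliberately not logged; class, message,
        // file and line are enough to locate the failure.
        $e = $errors->exception;
        error_log(sprintf(
            '%s: %s in %s:%d',
            get_class($e),
            $e->getMessage(),
            $e->getFile(),
            $e->getLine()
        ));

        // Nothing from $e is assigned to the view, so the rendered page
        // carries neither the message nor the trace.
    }
}
```

The error handler plugin only sees exceptions raised while the front controller dispatches a request; a connection attempted earlier, in the bootstrap, fails before this controller can run.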