问题描述
我有一个简单的网站,可以在其中使用PDO建立与MySQL服务器的连接.
I have a simple website where I establish a connection to a MySQL server using PDO.
$dbh = new PDO('mysql:host=localhost;dbname=DB;port=3306',
'USER',
'SECRET',
array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
我的网站上有一些流量,并且达到了服务器的连接限制,网站抛出了这个错误,其中输入了我的 plain 密码!
I had some traffic on my site and the server's connection limit was reached, and the website throws this error, with my plain password in it!
具有讽刺意味的是,出于安全原因,我切换到PDO,这确实让我感到震惊,因为在大多数站点上,使用简单的HTTP泛洪都可以很容易地激起这种确切的错误.
Ironically I switched to PDO for security reasons, so this really shocked me, because this exact error is something you can provoke very easily on most sites using simple HTTP flooding.
我现在已经将我的连接包装在try/catch块中,但是我仍然认为这是灾难性的!
I have now wrapped my connection in a try/catch block, but still I think this is catastrophic!
我是PDO的新手,所以我的问题是:为了安全起见,我该怎么做?如何以安全方式建立连接?还有其他我必须注意的已知安全漏洞吗?
I am new to PDO and so my question is: what do I have to do to consider to be safe? How do I establish a connection in a secure way? Are there other known security holes like this one that I have to be aware of?
推荐答案
无论如何,您都应该在PHP.ini中包含display_errors = off
,以避免出现此问题.除了PDO之外,揭示此类细节的错误还来自许多地方.
You should have display_errors = off
in your PHP.ini anyway to avoid this problem. Errors that reveal details like these come from many places, in addition to PDO.
是的,您还应该将其放在try/catch块中.
Yes, you should also have it in a try/catch block.
您也可以$pdo->setAttribute(PDO::ERRMODE_SILENT)
,但是您需要手动检查错误代码,而不是使用try/catch块.参见 http://php.net/manual/en/pdo.setattribute.php获取更多错误常量.
You can also $pdo->setAttribute(PDO::ERRMODE_SILENT)
, but then you need to be checking the error codes manually rather than using a try/catch block. See http://php.net/manual/en/pdo.setattribute.php for more error constants.
这篇关于连接失败时,为什么PDO会打印我的密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!