Textpattern CMS support forum
#1 2023-02-26 14:36:43
- lindabb
- Member
- Registered: 2023-02-17
- Posts: 132
Error reporting and $production_status
Hello,
As I'm testing this nice CMS, going through all kinds of scenarios, one of the scenarios is to stop MySQL and see what error I get!
I stopped MySQL, and I got a full descriptive error that includes even the db name, user name and password, as shown below:
Fatal error: Uncaught mysqli_sql_exception:
No connection could be made because the target machine actively refused it in
C:\www\textpattern\textpattern\lib\txplib_db.php:247 Stack trace: #0
C:\www\textpattern\textpattern\lib\txplib_db.php(247): mysqli_real_connect(Object(mysqli), ‘localhost’, ‘user_name’, ‘pssword’, ‘db_name’, ‘3306’, ‘’, 2) #1
C:\www\textpattern\textpattern\lib\txplib_db.php(288): DB->__construct() #2
C:\www\textpattern\textpattern\publish.php(44): include_once(‘C:\\www\\textpa…’) #3
C:\www\textpattern\index.php(72): include(‘C:\\www\\textpa…’) #4 {main} thrown in
C:\www\textpattern\textpattern\lib\txplib_db.php on line 247
Note: I replaced the user name, password and db name to avoid confusion.
1. So, after looking around, I found many $production_status checks looking for live or debug, and I assume they look at the db admin settings, because there is no such thing in the config file. If the db connection is not available, from where does $production_status get read?
2. If I set ini_set("display_errors", "0"); // disabled it in .\textpattern\index.php
there is no error at all, just a blank page!
3. Same issue when disabled with
ini_set("display_errors", "0"); in .\textpattern\textpattern\index.php: just a blank page.
If I'm not missing anything, then this is a big security hole if a user just installs with the default settings,
unless I'm missing some configuration, as I'm a new user of Textpattern.
I host my site with a cheap US based company (HG hosting); every other week I get an email telling me the connection timed out (in my connect I send an email to myself with the error message, while I show a nice complete HTML page (to avoid SEO issues) without letting the user know there is an error).
Thank you for any suggestion
Last edited by lindabb (2023-02-26 14:39:27)
Re: Error reporting and $production_status
In theory, if your production status is set to Live you should not see any error messages under any circumstances. If that is not working in some cases, we definitely need to see if we can close those to prevent credentials leaking.
It should only report more serious warnings in Testing mode, and then full debug stack trace info in Debug mode.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
#3 2023-02-26 19:29:59
- lindabb
- Member
- Registered: 2023-02-17
- Posts: 132
Re: Error reporting and $production_status
Thank you Bloke,
My production status is Live on the admin page (site menu),
and my php.ini error reporting is off (display_errors = Off).
Is there any other place to change the production status other than the admin page?
Thank you again
#4 2023-02-26 19:58:09
- lindabb
- Member
- Registered: 2023-02-17
- Posts: 132
Re: Error reporting and $production_status
I checked \textpattern\lib\txplib_db.php line 247; it looks like die(db_down()); is not triggering.
For my testing, I added a try/catch and it worked:
try {
    if (!mysqli_real_connect($this->link, $this->host, $this->user, $this->pass, $this->db, $this->port, $this->socket, $this->client_flags)) {
        die(db_down());
    }
} catch (Exception $e) {
    // mysqli_sql_exception extends Exception, so a refused connection lands here
    //$error = $e->getMessage();
    echo 'something wrong'; //$error;
    die();
}
Maybe only with PHP 8.x! Not sure.
It will be nice to just stop MySQL and test it, LOL, on your testing computer.
Thank you
Re: Error reporting and $production_status
I think echoing $e->getMessage(); is probably not a good idea in this instance as it could leak connection details. What we should probably do is catch the error and output our own message.
Thank you, I’ll run some tests and see what we can do about this.
Re: Error reporting and $production_status
My local xampp outputs Object(SensitiveParameterValue) instead of the password, so I think it's partly a PHP responsibility too. But yes, we should patch it, thank you for the report.
Re: Error reporting and $production_status
Hmm, I can’t make my local MAMP fall over that way by merely stopping mysqld. I just get Database unavailable. If you’re able to get yours to break, by all means patch it, Oleg, thank you.
#9 2023-02-27 13:08:59
- lindabb
- Member
- Registered: 2023-02-17
- Posts: 132
Re: Error reporting and $production_status
Thank you all for checking it out; it is nice to see developers care about the issue.
Maybe instead of showing "Database unavailable", allow the user to customize the error,
like this:
try {
    if (!mysqli_real_connect($this->link, $this->host, $this->user, $this->pass, $this->db, $this->port, $this->socket, $this->client_flags)) {
        die(db_down());
    }
} catch (Exception $e) {
    die(db_down($e->getMessage()));
}
and in db_down:
function db_down($errormsg = '')
{
    // user can pass the error if needed
    // check if the file exists and include it; if not, just output the html text as you have now
    if (file_exists('files/error.php')) {
        include 'files/error.php';
    } else {
        echo 'Database unavailable';
    }
}
Thank you
Re: Error reporting and $production_status
lindabb wrote #334799:
Thank you all for checking it out; it is nice to see developers care about the issue.
Maybe instead of showing "Database unavailable", allow the user to customize the error,
like this:
Needs thinking, since $e->getMessage() contains sensitive information. We could, for example, introduce a callback to the db_down() function that leaves the hand to disk-based plugins if necessary. Thanks for the suggestion.
#11 2023-02-27 13:52:21
- lindabb
- Member
- Registered: 2023-02-17
- Posts: 132
Re: Error reporting and $production_status
Thank you, sure, I agree.
Can use something like this:
try {
    // connect
} catch (mysqli_sql_exception $e) {
    // switch on the driver error number, not the message text
    switch ($e->getCode()) {
        case 0:
            $msg = "Cannot connect to server. Contact administrator";
            break;
        case 1045:
            $msg = "Invalid username/password, please try again";
            break;
        default:
            $msg = "Database error. Contact administrator";
    }
}
Last edited by lindabb (2023-02-27 13:53:35)
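One way to combine the two ideas above (catch the failure and output our own message, and pick that message by driver error number), as an added example that is not Textpattern's or the posters' code; db_down(), $production_status and files/error.php are names taken from the thread, while the host, user, password and database values are constructed placeholders:

```php
<?php
// Added example, not Textpattern's own code: catch the mysqli connection
// failure and show only a credential-free message unless $production_status
// is 'debug'. db_down(), $production_status and files/error.php are names
// taken from the thread; the connection values below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // PHP 8.1+ default

function db_down_message(mysqli_sql_exception $e, string $production_status): string
{
    // Map the driver error code to a message that names no host, user or password.
    switch ($e->getCode()) {
        case 1045: // ER_ACCESS_DENIED_ERROR
            $msg = 'Database credentials were rejected. Contact the administrator.';
            break;
        case 2002: // CR_CONNECTION_ERROR (socket)
        case 2003: // CR_CONN_HOST_ERROR (TCP)
            $msg = 'Database unavailable. Please try again later.';
            break;
        default:
            $msg = 'Database error. Contact the administrator.';
    }
    // Only Debug mode appends the raw driver text, which may contain connection details.
    if ($production_status === 'debug') {
        $msg .= ' [' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . ']';
    }
    return $msg;
}

function db_down(string $msg): void
{
    // Site owners may supply files/error.php (it sees $msg); otherwise fall back.
    $custom = __DIR__ . '/files/error.php';
    if (is_file($custom)) {
        include $custom;
    } else {
        header('HTTP/1.1 503 Service Unavailable');
        echo '<p>' . $msg . '</p>';
    }
    exit;
}

$production_status = 'live'; // 'live', 'testing' or 'debug', as in Textpattern
$link = mysqli_init();
try {
    mysqli_real_connect($link, 'localhost', 'db_user', 'db_password', 'db_name', 3306); // placeholders
} catch (mysqli_sql_exception $e) {
    error_log('DB connect failed, code ' . $e->getCode()); // for the admin, not the visitor
    db_down(db_down_message($e, $production_status));
}
```

With MySQL stopped this prints only "Database unavailable. Please try again later." in live and testing modes; the driver message with its connection details is logged server-side and shown on the page only in debug mode.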
Re: Error reporting and $production_status
Well, plugins would not do, since they are loaded after the db connection attempt. And pre_publish_script is run before the db is connected. Do we need a new error_script? And then should it be called on each (fatal) error?