In a production application, users should never see an error like "Uncaught exception" or other developer-oriented message. This exposes a lot of information to a potential attacker and confuses your legitimate users. Log the detailed technical message and display a friendly error page to the user.
To disable visible errors and log them instead, edit php.ini:
- Set error_log to a valid log path
- Set display_errors to Off.
The process to enable friendly errors depends on your web server, but the idea is the same: Set a custom page to be displayed when a 500 error is encountered. In Apache, for example, you set ErrorDocument 500 /path/to/custom/500.html.
EDIT:
OP indicates that this is a development box — either way you should wrap your connection attempt in a try/catch block (which is something you should be doing anyway), and then you can display a 'sanitized' error message:
    try {
        // $db is your MongoDB database object (legacy PHP Mongo driver)
        $db->authenticate('username', 'password');
    } catch (MongoCursorException $e) {
        die("Unable to authenticate to database [code: " . $e->getCode() . "]: "
            . $e->getMessage());
    }
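The log-the-detail, show-a-friendly-page split described above can also be enforced in code for anything that escapes a try/catch. The following is an added example, not part of the original answer; the function names, the log path and the sample exception are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Same effect as the php.ini settings, applied at runtime.
ini_set('display_errors', '0');   // never render errors into the response
ini_set('log_errors', '1');
ini_set('error_log', sys_get_temp_dir() . '/app-errors.log'); // assumed log path

/** Write the full technical detail to the log and return a short reference ID. */
function log_exception(Throwable $e): string
{
    $ref = bin2hex(random_bytes(4)); // lets support match a user report to a log line
    error_log(sprintf(
        '[ref %s] %s (code %s): %s in %s:%d',
        $ref,
        get_class($e),
        (string) $e->getCode(),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine()
    ));
    return $ref;
}

/** The only text a visitor sees: no class name, message, path or stack trace. */
function friendly_message(string $ref): string
{
    return "Something went wrong on our side. Reference: $ref";
}

// Last-resort handler for any exception that is not caught elsewhere.
set_exception_handler(function (Throwable $e): void {
    $ref = log_exception($e);
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo friendly_message($ref), PHP_EOL;
});

// Constructed failure standing in for a database authentication error.
throw new RuntimeException('auth failed for user "app" on db01.internal', 18);
```

Run from the command line, this prints only the reference line, while the exception class, message, file and line number go to the log file.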