使用PEAR处理数据库。 向用户显示数据库错误。 如何停止?
[英]Using PEAR to handle DB. DB Errors being displayed to users. How to stop?
问题描述
I've inherited a site that uses PEAR to handle all DB calls. 
我继承了一个使用PEAR处理所有数据库调用的站点。
This is an example of how it handles a query: 这是如何处理查询的示例:
$result = $conn->query($sql);
if(PEAR::isError($result))
{
die('<b>Error:</b> '.$result->getMessage().'
<br/><b>Debug Info</b>: '.$result->getDebugInfo());
}
$row = $result->fetchRow(DB_FETCHMODE_ASSOC);
This is exactly how it is on hundreds of pages of this site. 这就是本网站数百页上的内容。 The problem with this is that whenever there is any kind of DB error (eg a SQL syntax error), it is displaying the ENTIRE error and related query directly to the user because of the $result->getDebugInfo() , which is a big NO-NO for obvious security reasons. 这样做的问题是,由于$result->getDebugInfo() ,每当发生任何类型的数据库错误(例如SQL语法错误)时,它都会直接向用户显示整个错误和相关查询。出于明显的安全原因,不可以。
Instead of displaying the error to my users, I want the site to simply e-mail me whenever there is a DB error, and to e-mail me the contents of $result->getDebugInfo() rather than displaying it to my users so I can be alerted to the problem and debug it while avoiding the security risk altogether. 我希望网站不向用户显示错误,而是在出现数据库错误时仅向我发送电子邮件,并向我发送$result->getDebugInfo()的内容,而不是向我的用户显示。我可以被警告该问题并对其进行调试,同时完全避免安全风险。
Now, I thought this would be as simple as searching for the getDebugInfo() function in the PEAR library and changing it to do the above, but that did not work at all which is very puzzling. 现在,我认为这就像在PEAR库中搜索getDebugInfo()函数并将其更改为上述操作那样简单,但是那根本不起作用,这非常令人困惑。 I found the function in only one location, which was the main PEAR.php class file and it looks like this: 我仅在一个位置找到了该函数,这是主PEAR.php类文件,它看起来像这样:
function getDebugInfo()
{
return $this->getUserInfo();
}
No matter what changes I make to this function, they are NOT reflected when $result->getDebugInfo() is called in the script, which is incredibly puzzling and is making me pull my hair out. 不管我对此函数进行什么更改,在脚本中调用$result->getDebugInfo()时,这些更改都不会反映出来,这令人费解,这使我难以置信。 I've even tried commenting out the ENTIRE function and it STILL displays the error code to my users as if it were HAL and in complete control to do as it wishes while I'm his little minion. 我什至尝试注释掉ENTIRE函数,它仍然向我的用户显示错误代码,好像它是HAL,并且在我是他的小仆时完全可以按照自己的意愿进行操作。 Talk about puzzling (I'm bald now)! 谈论困惑(我现在秃顶)!
So how in the world do I get my site to stop revealing the PEAR error and SQL code to my users and to e-mail it to me instead? 因此,如何使我的网站停止向用户显示PEAR错误和SQL代码,而是通过电子邮件将其发送给我?
1 个解决方案
解决方案1
-1 已采纳 2012-02-20 12:08:22
Search 搜索
die('<b>Error:</b> '.$result->getMessage().'
<br/><b>Debug Info</b>: '.$result->getDebugInfo());
and replace with 并替换为
handleQueryError($result);
or something similar in your entire project. 或整个项目中的类似内容。 You don't want to display debug information to the user, so don't have statements in your code that do this. 您不想向用户显示调试信息,因此您的代码中没有执行此操作的语句。 think about the next guy that will inherit this code. 考虑下一个将继承此代码的人。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.