Problem description
I have a simple website where I establish a connection to a MySQL server using PDO.
$dbh = new PDO('mysql:host=localhost;dbname=DB;port=3306',
               'USER',
               'SECRET',
               array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
I had some traffic on my site and the server's connection limit was reached, and the website threw this error, with my plain password in it!
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[08004] [1040] Too many connections' in /home/domain/html/index.php:xxx Stack trace: #0 /home/domain/html/index.php(64): PDO->__construct('mysql:host=loca...', 'USER', 'SECRET', Array) #1 {main} thrown in /home/domain/html/index.php on line 64
Ironically I switched to PDO for security reasons, so this really shocked me, because this exact error is something you can provoke very easily on most sites using simple HTTP flooding.
I have now wrapped my connection in a try/catch block, but still I think this is catastrophic!
I am new to PDO and so my question is: what do I have to do to be considered safe? How do I establish a connection in a secure way? Are there other known security holes like this one that I have to be aware of?
Recommended answer
You should have display_errors = off in your PHP.ini anyway to avoid this problem. Errors that reveal details like these come from many places, in addition to PDO.
Yes, you should also have it in a try/catch block.
You can also $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT), but then you need to be checking the error codes manually rather than using a try/catch block. See http://php.net/manual/en/pdo.setattribute.php for more error constants.
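The connection pattern the answer recommends, as an added example that is not code from the question or the answer: the PDO constructor is wrapped in try/catch, the failure is logged server-side without its stack trace (which is what carried the constructor arguments, including the password, in the error above), and the visitor only sees a generic 503. The host, database name and the DB_USER/DB_PASS environment variable names are assumptions.

```php
<?php
// Added example, not from the original question or answer. Host, dbname and the
// environment variable names are assumptions.

// Keep error details out of the HTTP response regardless of php.ini; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// PHP 7.4+: drop function arguments from exception traces, so a trace that does get
// logged cannot carry the PDO constructor's password argument.
ini_set('zend.exception_ignore_args', '1');

function connectDb(): PDO
{
    // Credentials come from the environment rather than being hard-coded in index.php.
    $user = getenv('DB_USER') ?: '';
    $pass = getenv('DB_PASS') ?: '';

    try {
        return new PDO(
            'mysql:host=localhost;dbname=DB;port=3306;charset=utf8mb4',
            $user,
            $pass,
            [
                PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES   => false,
            ]
        );
    } catch (PDOException $e) {
        // PDO::__construct() throws on connection failure regardless of ATTR_ERRMODE,
        // so this catch is mandatory. Log only the SQLSTATE/driver code and message;
        // the trace is deliberately not logged.
        error_log(sprintf('DB connection failed: [%s] %s', $e->getCode(), $e->getMessage()));
        http_response_code(503);
        header('Retry-After: 5');
        exit('Service temporarily unavailable.');
    }
}

// Last line of defence for any other uncaught exception: generic page, details to the log.
set_exception_handler(function (Throwable $e): void {
    error_log(get_class($e) . ': ' . $e->getMessage());
    http_response_code(500);
    exit('Internal server error.');
});

$dbh = connectDb();
```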