Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most widely used software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.


Prevent Disclosure of SQL Errors


Applies to

PHP

What to Do

Do not show SQL error messages.

Why

SQL error messages should not be displayed to prevent disclosing information about the database to potential attackers.

How

To prevent displaying SQL error messages:

  1. Identify the database abstraction layer(s) used by the application. Review the application to identify which database engine(s) and abstraction layer(s) are in use.
  2. Identify whether SQL error messages are displayed. Search the application code for calls to functions that return SQL errors, and examine each call site to see whether the error text reaches the HTTP response (for example via echo, print, die(), or an uncaught exception rendered by PHP). A list of common database engines and database abstraction layers and the corresponding functions that may disclose errors is below:
    • DBA: uses PHP's built-in error handler.
    • PDO: throws a PDOException (its getMessage() carries the driver's error text).
    • odbc: odbc_error() and odbc_errormsg()
    • Postgres: pg_last_error(), pg_result_error_field(), pg_result_error()
    • SQLite3: SQLite3::lastErrorCode(), SQLite3::lastErrorMsg()
    • SQLite (legacy extension, removed in PHP 5.4): sqlite_error_string(), sqlite_last_error()
    • SQLSRV: sqlsrv_errors()
    • mssql (legacy extension, removed in PHP 7.0): mssql_get_last_message()
    • mysqli: mysqli_connect_errno(), mysqli_connect_error(), mysqli_errno(), mysqli_error(), $mysqli->connect_errno, $mysqli->connect_error, $mysqli->errno, $mysqli->error
    • mysql (legacy extension, removed in PHP 7.0): mysql_error(), mysql_errno()
  3. Stop displaying SQL error messages. Keep retrieving the error so the application can react to it, but write the text to the server-side log (error_log() or the framework's logger) and return only a generic message to the user. In production also set display_errors=Off and log_errors=On, so that an uncaught exception or a driver warning is not rendered by PHP itself.
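The three steps above, carried through in working code. This is an added example written for this page, not code from the original article or from TeamMentor; it uses PDO with an in-memory SQLite database so it runs without a database server, and the table layout, function names, log format and user-facing message are assumptions made for illustration. The first handler returns the driver's message to the caller (the pattern step 2 searches for); the second logs the detail server-side and returns a generic message with a reference id.

```php
<?php
declare(strict_types=1);
// Added example, not from the original article or the TeamMentor guidance. Uses PDO
// with an in-memory SQLite database so it runs offline; the users table, function
// names and messages are assumptions made for illustration.

// Production baseline: never render PHP errors or uncaught exceptions to the client;
// send them to the error log instead (normally set in php.ini, shown inline here).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw exceptions instead of failing silently, so every SQL error reaches a
    // handler we control rather than surfacing later as an obscure warning.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice')");
    return $pdo;
}

// The SQL text is a code constant; only the id is user-controlled, and it is bound.
const SQL_OK  = 'SELECT name FROM users WHERE id = :id';
const SQL_BAD = 'SELECT name FROM usr WHERE id = :id';   // misspelled table: forces a driver error

// VULNERABLE: the driver message (table and column names, SQL fragments, engine
// hints) goes straight back to the user.
function lookupDisclosing(PDO $pdo, string $sql, int $id): string
{
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute([':id' => $id]);
        return (string) ($stmt->fetchColumn() ?: '');
    } catch (PDOException $e) {
        return 'Database error: ' . $e->getMessage();   // discloses internals
    }
}

// HARDENED: log the full detail server-side under a reference id and return only a
// generic message carrying that id, so support staff can find the log entry without
// the user ever seeing SQLSTATE codes, table names or query fragments.
function lookupSafe(PDO $pdo, string $sql, int $id): string
{
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute([':id' => $id]);
        return (string) ($stmt->fetchColumn() ?: '');
    } catch (PDOException $e) {
        $ref = bin2hex(random_bytes(8));
        error_log(sprintf('[%s] SQL error in %s: SQLSTATE %s: %s',
            $ref, __FUNCTION__, $e->getCode(), $e->getMessage()));
        return "A database error occurred (reference {$ref}). Please try again later.";
    }
}

$pdo = connect();
echo lookupDisclosing($pdo, SQL_BAD, 1), PHP_EOL;  // leaks the driver's "no such table" text
echo lookupSafe($pdo, SQL_BAD, 1), PHP_EOL;        // generic message plus reference id
echo lookupSafe($pdo, SQL_OK, 1), PHP_EOL;         // normal path still returns the name
```

For mysqli the equivalent of ERRMODE_EXCEPTION is mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT), which turns driver errors into mysqli_sql_exception so the same catch, log and generic-message pattern applies; the classic disclosing form to search for in step 2 is die(mysqli_error($conn)) or echo $mysqli->error.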

Additional Resources

For more information about PHP database extensions, please see http://us.php.net/manual/en/refs.database.php
