Joomla! Issue Tracker | Joomla! CMS #13356 - Do not include the SQL query in the Exception message

Fixed in Code Base
2 Jan 2017
Medium
Build: staging
# 13356
Diff
mbabker:no-sql-in-message

Success

Success continuous-integration/drone the build was successful Details
Success continuous-integration/travis-ci/pr The Travis CI build passed Details
Success JTracker/HumanTestResults Human Test Results: 2 Successful 0 Failed. Details

User tests: Successful: Unsuccessful:

mbabker
23 Dec 2016

Summary of Changes

Including the SQL query in the Exception message is a mild information disclosure in that it displays to the user the failed SQL query and exposes information about the database structure. This PR removes the query from the Exception message retaining only the engine's error message.

The JDatabaseExceptionExecuting object has a $query property (accessible via getQuery()) that contains the failed SQL query. For debugging purposes, if you need access to the failed query, you should extract it from the Exception's property versus relying on the message.

Testing Instructions

Create a query failure that triggers the error page. Pre-patch, the error message will contain the query. Post-patch, it will not.

Documentation Changes Required

Note that the query is not exposed as part of the Exception message any longer, developers must read it from the JDatabaseExceptionExecuting object's $query property.

mbabker - open - 23 Dec 2016

mbabker - change - 23 Dec 2016

Status

New

⇒

Pending

joomla-cms-bot - change - 23 Dec 2016

Category

⇒

Libraries Postgresql MS SQL

fastslack - comment - 23 Dec 2016

@test I used a cli script to test this and works as expected using MySQL database.

Executed script before patch:

$ ./Issue13356
Unknown column 'noexists' in 'where clause' SQL=SELECT * FROM #__users WHERE noexists = 0

Executed script after patch:

$ ./Issue13356
Unknown column 'noexists' in 'where clause'

Script used here: https://github.com/fastslack/joomla-cli-tools/blob/master/JoomlaTests/issue-13356/Issue13356

bembelimen - comment - 23 Dec 2016

I have tested this item ✅ successfully on 65ea823

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13356.}

bembelimen - test_item - 23 Dec 2016 - Tested successfully

alikon - comment - 24 Dec 2016

same as #10949

5386864 30 Dec 2016

Do not include the SQL query in the Exception message

mbabker - comment - 30 Dec 2016

Didn't remember that was there. Either way the change needs to be merged in sooner than later. I don't know why there's a bad test on that other PR because there is no code change to duplicate the error output.

ralain - comment - 30 Dec 2016

I have tested this item ✅ successfully on 5386864

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13356.}

ralain - test_item - 30 Dec 2016 - Tested successfully

alikon - comment - 30 Dec 2016

fully agree, i close mine in favour of this one.

p.s.
the bad test on the other one should be because of the tested query was executed twice

alikon - comment - 30 Dec 2016

I have tested this item ✅ successfully on 5386864

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13356.}

alikon - test_item - 30 Dec 2016 - Tested successfully

jeckodevelopment - change - 30 Dec 2016

Status

Pending

⇒

Ready to Commit

jeckodevelopment - comment - 30 Dec 2016

RTC

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13356.}

jeckodevelopment - change - 30 Dec 2016

Milestone

Added:

rdeutz - change - 2 Jan 2017

Status	Ready to Commit	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2017-01-02 00:57:40
Closed_By		⇒	rdeutz

rdeutz - close - 2 Jan 2017

rdeutz - merge - 2 Jan 2017

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#13356] - Do not include the SQL query in the Exception message

Summary of Changes

Testing Instructions

Documentation Changes Required

Add a Comment