[#14217] - Handle SQL errors with a generic message
- Fixed in Code Base
- 9 Mar 2017
- Medium
- Build: staging
- # 14217
- Diff
- zero-24:sqlfield
User tests: Successful: Unsuccessful:
Pull Request for Issue #14215
Summary of Changes
on error show generic message (JLIB_DATABASE_GENERIC_SQL_ERROR) and log the actual message
Configure a SQL field with a crap sql query
Like:
Expected result
That no structure of my mysql tables is leaked to end users no matter what error SQL comes up with
Actual result
Leaking of parts of the SQL query, which may contain field names, and the raw mysql error message
Documentation Changes Required
Votes
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Libraries |
| Labels |
Added:
?
|
||
ah....
I now get:
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/14217.
Imho just showing a message "An error has occurred." is a bit to generic. Can't we add a new string which gives the user a clue what happend? Maybe "An error occured with the database query in the 'foo' field, please notify the administrator" or something. The name of the field could be injected into the string so one at least knows where to look for,
The WHOLE POINT is that we DONT tell ANYONE what the column names in the tables are
Saying An error occured with the database query in the **'foo' field** is saying too much!
The "foo field" refers to the name of the custom field, not the database field.
I have tested this item succesfully.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/14217.
RTC cause 2 successfully Tests?
I agree with Bakual. We could have a new string before RC1 when we will freeze languages.
I agree that we should hide errors about sql structure for end users.
But I want to have somewhere a reference what went wrong.
Can we add some log (or may I miss, where is it?) or simple code like:
JFactory::getApplication()->enqueueMessage(JText::_('JERROR_AN_ERROR_HAS_OCCURRED'), 'error');
trigger_error($e->getMessage()); // It generates a php notice
Using the JLog API you can either add a logger for the existing categories used to record errors or add your own logger subclass to do something like call trigger_error() (or really anything you choose).
Unrelated. I have found that I have to:
- enable "Plugin: System - Debug"
- set
Log Categoriestodatabase-error - and set
Log Almost EverythingtoYes - now I can see sql errors in administrator/logs/everything.php
I thing that should be more simpler and won't require debug plugin which slow down production server.
But it is an idea for another PR.
To do it with the core distribution and no extra tools, you're right. But the platform is already there to support you adding your own plugin to catch messages logged with JLog::add() and handle them as you please. I don't think we need to work through core and add trigger_error() or error_log() calls every place an error condition is handled to push the condition to PHP's error handler.
Yes, I full agree. I mentioned about trigger_error() before I found above described settings in debug plugin.
| Status | Pending | ⇒ | Ready to Commit |
RTC based on the tests by @slibbe and @PhilETaylor if you want to ship a new language string we can do this in another PR
Thanks for testing.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/14217.
wilsonge
- | Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-03-09 16:45:05 |
| Closed_By | ⇒ | wilsonge | |
| Labels |
Added:
?
|
||
This PR has commit c509358 which is not part of this issue