When People are trying to insert an sql inection, that time mysql errors displays the table name with the column names, how can I turn off this, My site is built in MVC framework,

and this is how developers have queried the database,

$offset=0;
		if(isset( $_GET['offset']))
			$offset=$_GET['offset'];
		$array_list=$DB->q("select *,users.user_list_id from users  left join list_api on users.user_list_id=list_api.api_id  $like  order by    `user_id`  DESC limit  $offset,". $PerPage	);
		$view="views/a_list_users.html";

and I cant put @ to disable query, how do i handle this?

You will have to modify your framework configuration or code. MySQL does not send any error messages to the web server if not explicitly requested. Look in the framework code for the function calls mysql_errno() or mysql_error() which will most probably lead you to the place which you will have to modify.

Its a celeroo framework, do you have any idea on this?

5 minutes ago I did not know that celeroo existed. Then I downloaded it and found

$result = mysql_query( $sql ) or die($sql.": ".mysql_error())

in celerooframe\inc\mysql_wrapper.php This is the line you will have to change to suit your needs.

Thanks for your efforts and appreciate your help, added @ but still the error statement displayed, anything specific i need to add

You obviously do not understand the code nor what you are doing.
@ suppresses PHP error messages.
The cited line displays MySQL error messages via PHP. Since no PHP error occurs, nothing get suppressed.
If you don't want to see any errors, delete the OR clause:

$result = mysql_query( $sql );

You won't see any SQL errors then, of course. Therefore in my projects I often add a conditional error display, depending on the login status or the client's IP.

No I wanted to delete but was going through few other threads and sites, everywhere they had mentioned @ suppress, and I am not shy to accept it, yes, I did not know that i could delete it. Am a big learner and sincerely thank you for helping me out.

Make sure that you have better instruments in place against SQL injection than just hiding column names. Security by obscurity does not work here.

celeroo does that, but when I try with sql injections, it displays the table name with sql error, that was the reason, i wanted to hide the table and column names, thanks again for your support.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.