Disable Mysql Errors / Warnings

Question

sammry -3 Light Poster

12 Years Ago

When People are trying to insert an sql inection, that time mysql errors displays the table name with the column names, how can I turn off this, My site is built in MVC framework,

and this is how developers have queried the database,

$offset=0;
		if(isset( $_GET['offset']))
			$offset=$_GET['offset'];
		$array_list=$DB->q("select *,users.user_list_id from users  left join list_api on users.user_list_id=list_api.api_id  $like  order by    `user_id`  DESC limit  $offset,". $PerPage	);
		$view="views/a_list_users.html";

and I cant put @ to disable query, how do i handle this?

mysql

2 Contributors
8 Replies
2K Views
11 Hours Discussion Span
Latest Post 12 Years Ago Latest Post by sammry

smantscheff 265 Veteran Poster

12 Years Ago

You will have to modify your framework configuration or code. MySQL does not send any error messages to the web server if not explicitly requested. Look in the framework code for the function calls mysql_errno() or mysql_error() which will most probably lead you to the place which you will have to modify.

smantscheff 265 Veteran Poster

12 Years Ago

5 minutes ago I did not know that celeroo existed. Then I downloaded it and found

$result = mysql_query( $sql ) or die($sql.": ".mysql_error())

in celerooframe\inc\mysql_wrapper.php This is the line you will have to change to suit your needs.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

sammry -3 Light Poster · Answer 1 · 2012-03-15T21:37:04+00:00

Its a celeroo framework, do you have any idea on this?

sammry -3 Light Poster · Answer 2 · 2012-03-15T22:05:48+00:00

Thanks for your efforts and appreciate your help, added @ but still the error statement displayed, anything specific i need to add

smantscheff 265 Veteran Poster · Answer 3 · 2012-03-16T00:02:24+00:00

You obviously do not understand the code nor what you are doing.
@ suppresses PHP error messages.
The cited line displays MySQL error messages via PHP. Since no PHP error occurs, nothing get suppressed.
If you don't want to see any errors, delete the OR clause:

$result = mysql_query( $sql );

You won't see any SQL errors then, of course. Therefore in my projects I often add a conditional error display, depending on the login status or the client's IP.

sammry -3 Light Poster · Answer 4 · 2012-03-16T00:57:20+00:00

No I wanted to delete but was going through few other threads and sites, everywhere they had mentioned @ suppress, and I am not shy to accept it, yes, I did not know that i could delete it. Am a big learner and sincerely thank you for helping me out.

smantscheff 265 Veteran Poster · Answer 5 · 2012-03-16T01:45:12+00:00

Make sure that you have better instruments in place against SQL injection than just hiding column names. Security by obscurity does not work here.

sammry -3 Light Poster · Answer 6 · 2012-03-16T01:51:51+00:00

celeroo does that, but when I try with sql injections, it displays the table name with sql error, that was the reason, i wanted to hide the table and column names, thanks again for your support.