Author Topic: password error reveals confidential info  (Read 2779 times)

Kino

  • Posts: 31
    • View Profile
password error reveals confidential info
« on: December 07, 2004, 02:07:21 pm »
While it was a problem with my hosting accidentally deleting my database password, I got a real shock when I logged into LMPro and found it showing off my database login details (see error message below with my details removed):

Code: [Select]

Warning: mysql_connect(): Access denied for user: 'myuser' (Using password: YES) in /usr/sites/mydomain.com/www/mail/admin.php on line 2296
Could not connect to MySQL, host / user / pass = databasename / user / {password}
MySQL Error: Access denied for user: 'myuser' (Using password: YES)


Not sure if this is a problem that you can fix, but it would be good if my database password didn't show up when this kind of error happens. I'm very security conscious like most wise web types these days.

Thanks.

K

DW

  • Administrator
  • Posts: 3787
    • View Profile
    • https://legacy.listmailpro.com
password error reveals confidential info
« Reply #1 on: December 07, 2004, 02:17:23 pm »
You're right.  This error message is unnecessary and risky.

While most hosts deny MySQL connections from anything other than scripts on the local server, some allow remote access.  Plus, someone with a site on the server would be able to access your data with the information.

The code can be found at the bottom of admin.php:

Code: [Select]
$link = mysql_connect($sqlhost,$sqluser,$sqlpass) or die("Could not connect to MySQL, host / user / pass = $sqlhost / $sqluser / $sqlpass<br>MySQL Error: ".mysql_error());
Change it to this, removing the sensitive variables:

Code: [Select]
$link = mysql_connect($sqlhost,$sqluser,$sqlpass) or die("Could not connect to MySQL<br>MySQL Error: ".mysql_error());

Regards
Dean Wiebe
ListMailPRO Author & Developer - Help | Support | Hosting

Kino

  • Posts: 31
    • View Profile
password error reveals confidential info
« Reply #2 on: December 07, 2004, 03:26:58 pm »
That worked!

Thanks, Dean.