password error reveals confidential info

[Kino]

While it was a problem with my hosting accidentally deleting my database password, I got a real shock when I logged into LMPro and found it showing off my database login details (see error message below with my details removed):

Code: [Select]


Warning: mysql_connect(): Access denied for user: 'myuser' (Using password: YES) in /usr/sites/mydomain.com/www/mail/admin.php on line 2296
Could not connect to MySQL, host / user / pass = databasename / user / {password}
MySQL Error: Access denied for user: 'myuser' (Using password: YES)


Not sure if this is a problem that you can fix, but it would be good if my database password didn't show up when this kind of error happens. I'm very security conscious like most wise web types these days.

Thanks.

K

[DW]

You're right.  This error message is unnecessary and risky.

While most hosts deny MySQL connections from anything other than scripts on the local server, some allow remote access.  Plus, someone with a site on the server would be able to access your data with the information.

The code can be found at the bottom of admin.php:

Code: [Select]

$link = mysql_connect($sqlhost,$sqluser,$sqlpass) or die("Could not connect to MySQL, host / user / pass = $sqlhost / $sqluser / $sqlpass<br>MySQL Error: ".mysql_error());
Change it to this, removing the sensitive variables:

Code: [Select]

$link = mysql_connect($sqlhost,$sqluser,$sqlpass) or die("Could not connect to MySQL<br>MySQL Error: ".mysql_error());

Regards

[Kino]

That worked!

Thanks, Dean.