I have a simple website where I establish a connection to a MySQL server using PDO.
$dbh = new PDO('mysql:host=localhost;dbname=DB;port=3306',
'USER',
'SECRET',
array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
I had some traffic on my site and the server’s connection limit was reached, and the website throws this error, with my plain password in it!
Fatal error: Uncaught exception
‘PDOException’ with message
‘SQLSTATE[08004] [1040] Too many
connections’ in
/home/domain/html/index.php:xxx
Stack trace: #0
/home/domain/html/index.php(64):
PDO->__construct(‘mysql:host=loca…’,
‘USER’, ‘SECRET’, Array) #1
{main} thrown in
/home/domain/html/index.php on
line 64
Ironically I switched to PDO for security reasons, so this really shocked me, because this exact error is something you can provoke very easily on most sites using simple HTTP flooding.
I have now wrapped my connection in a try/catch block, but still I think this is catastrophic!
I am new to PDO and so my question is: what do I have to do to consider to be safe? How do I establish a connection in a secure way? Are there other known security holes like this one that I have to be aware of?
You should have
display_errors = offin your PHP.ini anyway to avoid this problem. Errors that reveal details like these come from many places, in addition to PDO.Yes, you should also have it in a try/catch block.
You can also
$pdo->setAttribute(PDO::ERRMODE_SILENT), but then you need to be checking the error codes manually rather than using a try/catch block. See http://php.net/manual/en/pdo.setattribute.php for more error constants.