 

Uncaught PDOException reveals username and password

Tags:

php

pdo

try {
    self::$dbinstance = new PDO(
        "mysql:host=$c[host];dbname=$c[dbname]", $c['user'], $c['password']
    );

    self::$dbinstance->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} 
catch(PDOException $e) {
    echo "Errors" . $e->getMessage();
}

In the above code, if PDO fails to connect to the host, a fatal error reveals the username and password.

Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [2003]
Can't connect to MySQL server on '172.25.102.65' (10060)' in
D:\xampp\htdocs\mytest\wh_client_2.1\classes\importmodule-class.php:33 Stack trace: #0
D:\xampp\htdocs\mytest\wh_client_2.1\classes\importmodule-class.php(33): PDO->__construct('mysql:host=172....', 'host', 'password') #1

One possible way is to set display_errors=0 in php.ini, but this way I won't be able to know when my host is not responding.

Is there a way I can modify the error message?

Muhammad Haseeb Khan asked Oct 23 '25 14:10


1 Answer

There is a difference between error handling and error reporting.

  • Error handling is the process of preventing your end users from seeing any stack trace, vital information, or automatically generated error messages. It can also modify the way your script runs by using a try/catch block.
  • Error reporting defines which information will be reported by a given script.

To handle errors properly, I think that ini_set('display_errors',0); is the better approach. You do not want any error message displaying on the screen.

However, I want to have all possible information on errors, so I use error_reporting(E_ALL);.

Errors are written in a file, error_log, which usually resides at the same level as your index.php (or any PHP file called directly). You can also access it from your cPanel.


Your error is probably uncaught because your code is in a namespace, whereas you want to catch the global-namespace PDOException. Use a leading \ to tell your script you're looking for the global PDOException. Once you catch your error, you can echo the content you want, using the normal methods of the PDOException class.

try {
    $db = new PDO(/* connection infos */);
}
catch (\PDOException $e) {
    // PDOException has no errorCode() method: the SQLSTATE is in
    // $e->errorInfo[0] and the driver code (e.g. 2003) in $e->getCode()
    switch ($e->errorInfo[0] ?? null) {
        case 'HY000':
        // Or whatever error you are looking for
        // here it's the general error code
            // note: the trace string includes the PDO constructor's arguments
            // (the password) unless zend.exception_ignore_args is on
            mail('[email protected]', 'connection problem', $e->getTraceAsString());
            $db = new PDO(/* fallback connection infos of a local database */);
            break;
    }
}

That would send you a mail, containing the trace of the error, preventing your user from seeing it while telling you something is wrong.

Here is the reference for the error codes returned by PDO statements.

Félix Adriyel Gagnon-Grenier answered Oct 26 '25 03:10
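As an added example (not code from the question or the answer above), here is one way to open the PDO connection so that neither the browser nor the log ever sees the credentials. The catch names the fully qualified \PDOException, so it works inside a namespace; the log line carries the SQLSTATE (errorInfo[0]), the driver code (getCode(), 2003 in the question's output) and the message, but not the trace, because getTraceAsString() includes the PDO constructor's arguments and that is exactly what leaked in the question; zend.exception_ignore_args (PHP 7.4+) strips arguments from every trace anyway; and a set_exception_handler() fallback covers anything that still escapes the try/catch. The App\Db namespace, the $c array and its values are assumptions made for the example.

```php
<?php
// Added example (not from the question or the answer): connect with PDO without
// letting the credentials reach the browser, the error log, or a stack trace.
declare(strict_types=1);

namespace App\Db; // namespaced code: PDO classes below must be written as \PDO, \PDOException

// Hypothetical config, assumed to have the same keys as $c in the question.
$c = ['host' => '172.25.102.65', 'dbname' => 'app', 'user' => 'app', 'password' => 'secret'];

// PHP >= 7.4: keep function arguments (including the PDO constructor's
// password) out of every stack trace, caught or not.
ini_set('zend.exception_ignore_args', '1');
// Never render errors to the client; keep them in the error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Last line of defence: if anything escapes the try/catch, log a one-line
// summary (no trace) and reply with a generic 500 instead of the default dump.
set_exception_handler(function (\Throwable $e): void {
    error_log(sprintf('Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Service unavailable';
});

function connect(array $c): \PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $c['host'], $c['dbname']);
    try {
        return new \PDO($dsn, $c['user'], $c['password'], [
            \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION,
            \PDO::ATTR_TIMEOUT => 5, // connect timeout in seconds (pdo_mysql)
        ]);
    } catch (\PDOException $e) {
        // errorInfo[0] is the SQLSTATE ('HY000' for a failed connect); getCode()
        // is the MySQL client code (2003 = can't connect). The message names the
        // host but not the credentials; the trace would, so it is not logged.
        $sqlstate = $e->errorInfo[0] ?? 'unknown';
        error_log(sprintf('DB connect failed: SQLSTATE %s, driver code %s, %s',
            $sqlstate, $e->getCode(), $e->getMessage()));
        // Re-throw a plain exception for the caller. It is deliberately not
        // chained to $e so the DSN and constructor arguments cannot travel with it.
        throw new \RuntimeException('Database unavailable');
    }
}

try {
    $db = connect($c);
} catch (\RuntimeException $e) {
    // The operator already has the details in the error log; the user gets a
    // generic message and a status code, nothing about hosts or credentials.
    http_response_code(503);
    echo 'Service temporarily unavailable.';
    exit;
}
```

With the host unreachable, the client sees only the 503 text, while the error log gets a single line with the SQLSTATE, the driver code and the "Can't connect to MySQL server" message from the question, so the operator still learns that the host is not responding. If the code has to run on PHP older than 7.4, where zend.exception_ignore_args does not exist, never log getTraceAsString() or print_r($e) for a PDOException raised by the constructor, since both contain the password.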


