when the server has a connection problem, opencart returns with an error message, I would like to add a new code to hide the error of the database conect, it shows the password and user i want it not appear
i would like to add
PHP mysqli connect_error() Function
it should also be adaptable for OC-3, by possibly replacing the
Code: Select all
trigger_error('Error: Could not make a database link (' ....
https://github.com/open-cat/opencart-db-driver-fix
---
I created a VqMod out of it, to also work on OC v.1.5.6.x Versions:
Code: Select all
<?xml version="1.0" encoding="UTF-8"?>
<modification>
<id><![CDATA[Database Security Fix]]></id>
<version><![CDATA[OC v.1.5.6.5]]></version>
<vqmver><![CDATA[2.6.1]]></vqmver>
<author><![CDATA[open-cat - IP_CAM]]></author>
<email><![CDATA[webmaster@opencart.li]]></email>
<link><![CDATA[http://www.opencart.li]]></link>
<file name="system/database/mysqli.php">
<operation error="log">
<search position="replace"><![CDATA[trigger_error('Error: Could not make a database link (' . $this->link->connect_errno . ') ' . $this->link->connect_error);]]></search>
<add><![CDATA[die('Unable to connect to database');]]></add>
</operation>
<operation error="log">
<search position="replace"><![CDATA[trigger_error('Error: ' . $this->link->error . '<br />Error No: ' . $this->link->errno . '<br />' . $sql);]]></search>
<add><![CDATA[die('Unable to connect to database');]]></add>
</operation>
</file>
</modification>
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces
“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.
with such problems, so I cannot really judge.
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
See here - https://github.com/opencart/opencart/is ... -545074292
also more recently there was a generic fix submitted on master branch which will exit() with a generic error . https://github.com/opencart/opencart/issues/8654, can easily be adapted to 3.0.x series.
In anycase display errors should be off when in production regardless.
Full Stack Web Developer :: Send a PM for Custom Work.
Backup and learn how to recover before you make any changes!
Найти:
if ($config->get('error_display')) { echo '<b>' . $error . '</b>: ' . $message . ' in <b>' . $file . '</b> on line <b>' . $line . '</b>'; }
Заменить на:
if ($config->get('error_display')) { if (strpos($message, $config->get('db_username')) !== false) { $message = 'База легла поспать!'; error_reporting(0); } echo '<b>' . $error . '</b>: ' . $message . ' in <b>' . $file . '</b> on line <b>' . $line . '</b>'; } else { error_reporting(0); }
didint work it shows error command line
// Error Reporting
ini_set('display_errors',1);
ini_set('display_startup_erros',1);
error_reporting(E_ALL);
to
// Error Reporting
ini_set('display_errors',off);
ini_set('display_startup_erros',off);
error_reporting(false);
it worked for me
It shows.Well, then publish a better solution. I seldom or never get confronted
with such problems, so I cannot really judge.
We created a static maintenance page (no database access required) and put it in our includes directory.
When we cannot establish a database connection, we show that page instead of a database error, those we write to the logs.
I.e., you never show technical errors to users and you do not throw exceptions you do not catch which is what happens when you simply copy classes from the internet and use them in OC production releases..
system/library/db.php
we use this for the construct function:
Code: Select all
public function __construct($adaptor, $hostname, $username, $password, $database, $port = NULL) {
$class = 'DB\\' . $adaptor;
if (class_exists($class)) {
$this->adaptor = new $class($hostname, $username, $password, $database, $port);
if (!$this->connected()) {
error_log('DB Error: No Connection, sending static maintenance page');
ob_start();
include(DIR_INCLUDES.'maintenance-en.html');
$maintenance_page = ob_get_clean();
http_response_code(503);
header('Retry-After: 300');
echo $maintenance_page;
exit();
}
} else {
error_log('DB Error: Could not load database adaptor '.$adaptor.', sending static maintenance page');
ob_start();
include(DIR_INCLUDES.'maintenance-en.html');
$maintenance_page = ob_get_clean();
http_response_code(503);
header('Retry-After: 300');
echo $maintenance_page;
exit();
}
}
system/library/db/mysqli.php
we use this for the construct function:
Code: Select all
public function __construct($hostname, $username, $password, $database, $port = '3306') {
$this->connection = new \mysqli($hostname, $username, $password, $database, $port);
if ($this->connection->connect_error !== NULL) {
error_log('DB Error: [' . $this->connection->connect_error . '] No: [' . $this->connection->connect_errno.']');
} else {
$this->connection->set_charset("utf8");
$this->connection->query("SET SQL_MODE = ''");
}
}
That will give you error logs like:
Code: Select all
[10-Oct-2020 03:57:52 UTC] DB Error: [No connection could be made because the target machine actively refused it.] No: [2002]
[10-Oct-2020 03:57:52 UTC] DB Error: No Connection, sending static maintenance page
and this:
[10-Oct-2020 03:58:52 UTC] DB Error: [Access denied for user 'root'@'127.0.0.1' (using password: YES)] No: [1045]
[10-Oct-2020 03:58:52 UTC] DB Error: No Connection, sending static maintenance page
Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces
“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.
Forgive me but this is a bad headache day so I am going to ask a dumb question....
The code you posted above you just replace the __construct functions you mention?
If so, seems like a good solution BUT why wasn't this done in the base OC code? Also I have never ran into this in as many years as I have been running OC... Is it possible I could have exposed passwords without knowing it happened?
Thanks,
Mike
P.S. I hate headaches so bad it makes me dumb ....
cue4cheap not cheap quality
should probably be:// Error Reporting
ini_set('display_errors',off);
ini_set('display_startup_erros',off);
error_reporting(false);
// Error Reporting
ini_set('display_errors',off);
ini_set('display_startup_errors',off);
error_reporting(false);
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
yesThe code you posted above you just replace the __construct functions you mention?
Alternatively, you can also put this in your catalog/controller/startup/startup.php, does the same.
Code: Select all
if (!$this->db->connected()) {
error_log('CCSS74: Error (01): Database not connected, maintenance page shown.');
error_log($_SERVER['REMOTE_ADDR'].' '.$_SERVER['REQUEST_URI'].' '.$_SERVER['HTTP_USER_AGENT']);
ob_start();
include(DIR_INCLUDES.'maintenance-en.html');
$maintenance_page = ob_get_clean();
http_response_code(503);
header('Retry-After: 300');
echo $maintenance_page;
exit();
}
You don't want me to answer that question.If so, seems like a good solution BUT why wasn't this done in the base OC code?
Not if you haven't displayed notice/warning and error messages.Also I have never ran into this in as many years as I have been running OC... Is it possible I could have exposed passwords without knowing it happened?
Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces
“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.
Hmm, not sure that's true.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
Well, only in the UK's Covid 19 Track and Trace App, there it is OK.Hmm, not sure that's true.
Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces
“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.
or then, it would not 'display' such 'content'. But since I was not able yet, to
reproduce something like that on my Screen, I cannot judge ...
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
Then change code in system/library/db/mysqli.php
Code: Select all
public function __construct($hostname, $username, $password, $database, $port = '3306') {
try {
mysqli_report(MYSQLI_REPORT_STRICT);
$this->connection = @new \mysqli($hostname, $username, $password, $database, $port);
} catch (\mysqli_sql_exception $e) {
// what's in $e
//print_r($e);
// only show error message, died anyway
//die($e->getMessage());
// or throw new exeption and see how OC handles it: Dies with all login info shown on sccreen !!!!!!
throw new \Exception('Error: Could not make a database link using ' . $username . '@' . $hostname . '!');
}
$this->connection->set_charset("utf8");
$this->connection->query("SET SQL_MODE = ''");
}
Code: Select all
$this->connection = new \mysqli($hostname, $username, $password, $database, $port);
if ($this->connection->connect_error) {
die ('Error: Could not make a database link'); // still shows username @ server !!!!! Have to use Try !!!
//throw new \Exception('Error: ' . $this->connection->error . '<br />Error No: ' . $this->connection->errno);
}
Perhaps better to let die with text only ?
Code: Select all
die('Error: Could not make a database link!');
Users browsing this forum: OSWorX, paulfeakins and 409 guests