• Guest, before posting your code please take these rules into consideration:
    • It is required to use our BBCode feature to display your code. While within the editor click < / > or >_ and place your code within the BB Code prompt. This helps others with finding a solution by making it easier to read and easier to copy.
    • You can also use markdown to share your code. When using markdown your code will be automatically converted to BBCode. For help with markdown check out the markdown guide.
    • Don't share a wall of code. All we want is the problem area, the code related to your issue.


    To learn more about how to use our BBCode feature, please click here.

    Thank you, Code Forum.

Do Not Share SQL Errors On Page

Ghost

Ghost

King Coder
I noticed recently that a popular forum (Forum Promotion) is erroring because the database cannot be reached. There is either an incorrect setting in the config file, or the database server is down. Either way, I noticed that the page is showing us the real error. This is not a great idea because the "end user" does not need to know the "true error". A simple "this site is unavailable at this time" will suffice. When you share a database error with visitors, you open up the opportunity for your server to be hacked. Although my example (seen in picture below) is not very specific and is not easy to exploit / hack, it's a great example of "over sharing" error messages with the public.

A connection refused error is commonly associated with an incorrect setup file. Most likely there was a password change, a change to the server firewall, or a general outage with the database. However, why would this error be shown to a user? It serves no purpose. If a visitor cannot access the site, there is absolutely no reason for them to see that there was a connection refusal error on "line 1626" (seen in example below...). A basic unavailable message, maintenance warning, or general alert would be just fine...

Anyways - what are all of your thoughts on sharing the "exact reasons" for downtime, server outages, etc with your community or site visitors? I personally think that it's important to hide the real errors so that only site developers can view them... and use generic error messages for users so that no potential security flaws are exposed by public error messages.

forum-promotion-down-error.png
 
Sort by date Sort by votes
I 100% agree with you, we had it originally to one IP. But then somehow WHM failed to load properly and all access through putty was no longer working. I’m assuming a function was updated during the server update and we didn’t know it was a problem until that function was called upon. Everything was failing so we couldn’t access the server until the person who managed the server was able to log on and reboot the server.
 
Upvote 0 Downvote
Oh yeah, you definitely don't want to be exposing explicit error messages like that to the public. I'm sure theres a few ways you can hide errors like this.
 
Upvote 0 Downvote
I have no experiences working with databases, however, I remember when the now essentially dead, YTMND.com, went down for a while, it first started with showing the errors and where it was in the file that errors where occurring. Later on, the guy who runs the site fixed it to tell the users that they were trying to patch the issues. Yet, it took ages for the errors to be hidden, and the site itself took over a year to start back up.

I have never really considered(or even thought about) displaying the errors to be an issue, because again, I haven't worked with databases before. But after reading, I now see the problem.

I believe one should be transparent with what issues are occurring behind the scenes. If it's a database issue, tell the users that it's a problem with the database. If there is a heavy-load of traffic coming in, let the users know that it's because of how much traffic is coming in. If the site is being renovated, let the users know it's being renovated. Transparency is key to user trust.

When it does come to error messages, I do believe a standard 404-page is fine, yet it should be customised a little bit to display what's wrong. If you know what the error number means, then tell the user(who won't know what the error means) what the number means.
 
Upvote 0 Downvote
Ghost said:
I noticed recently that a popular forum (Forum Promotion) is erroring because the database cannot be reached. There is either an incorrect setting in the config file, or the database server is down. Either way, I noticed that the page is showing us the real error. This is not a great idea because the "end user" does not need to know the "true error". A simple "this site is unavailable at this time" will suffice. When you share a database error with visitors, you open up the opportunity for your server to be hacked. Although my example (seen in picture below) is not very specific and is not easy to exploit / hack, it's a great example of "over sharing" error messages with the public.

A connection refused error is commonly associated with an incorrect setup file. Most likely there was a password change, a change to the server firewall, or a general outage with the database. However, why would this error be shown to a user? It serves no purpose. If a visitor cannot access the site, there is absolutely no reason for them to see that there was a connection refusal error on "line 1626" (seen in example below...). A basic unavailable message, maintenance warning, or general alert would be just fine...

Anyways - what are all of your thoughts on sharing the "exact reasons" for downtime, server outages, etc with your community or site visitors? I personally think that it's important to hide the real errors so that only site developers can view them... and use generic error messages for users so that no potential security flaws are exposed by public error messages.

View attachment 422
Click to expand...
Wasn't me, I swear... lol
On a more serious note.. wouldn't mind helping out with security if need be :)
 
Upvote 0 Downvote
Top Bottom