AAC MyAAC Leaking user/database password

[Baahzera]

Hello. I've found that when MyACC fails to connect to mysql server it displays error messages leaking database user and password.
I've supressed my infos from the error.

ERROR: Cannot connect to MySQL database.
Possible reasons:
MySQL is not configured propertly in config.lua.
MySQL server is not running.
PDOException: SQLSTATE[HY000] [2002] Connection refused in /var/www/.../system/libs/pot/OTS_DB_MySQL.php:139 Stack trace: #0 /var/www/.../system/libs/pot/OTS_DB_MySQL.php(139): PDO->__construct('mysql:dbname=be...', 'user', 'password', Array) #1 /var/www/.../system/libs/pot/OTS.php(374): OTS_DB_MySQL->__construct(Array) #2 /var/www/.../system/database.php(98): POT->connect(Array) #3 /var/www/.../system/init.php(125): require_once('/var/www/...') #4 /var/www/.../admin/index.php(25): require('/var/www/...') #5 {main}

This happens when the machine restarts. Apache starts before the mysql server, then the error with database information is displayed until the mysql server is up.

Does anyone knows how to fix this?

Hello again.
Forgot to mention that I've already set the config to production, so the errors should not be displayed.
I aparently managed to get rid of that error adding those lines to the file OTS_DB_MySQL.php at system/libs/pot.

                try {           parent::__construct('mysql:' . implode(';', $dns), $user, $password, array(
                        PDO::ATTR_PERSISTENT => $params['persistent']
                ));
                } catch (PDOException $e) {
                    print "Could not connect to database.";
                    die();
                }

If someone has a better solution that would be appreciated.

 

[LordVissie]

This is because the try and catch in combination with the PDO is set up wrong. It should actually be something like this:

try {          
    $pdo = new PDO('mysql:' . implode(';', $dns), $user, $password, [PDO::ATTR_PERSISTENT => $params['persistent']]);
));
} catch (PDOException $e) {
    print "Could not connect to database.";
    die();
}

But I'm not sure if it'll break some other stuff as I've no experience with this AAC.

You can set display_errors = off in your PHP.ini to avoid this error from showing. It's better to only do this on the production server.
You can also call: ini_set('display_errors',0); Before it tries to connect to the db. (Basicly does the same thing as display_errors = off)

 

[Baahzera]

This is because the try and catch in combination with the PDO is set up wrong. It should actually be something like this:

try {         
    $pdo = new PDO('mysql:' . implode(';', $dns), $user, $password, [PDO::ATTR_PERSISTENT => $params['persistent']]);
));
} catch (PDOException $e) {
    print "Could not connect to database.";
    die();
}

But I'm not sure if it'll break some other stuff as I've no experience with this AAC.

You can set display_errors = off in your PHP.ini to avoid this error from showing. It's better to only do this on the production server.
You can also call: ini_set('display_errors',0); Before it tries to connect to the db. (Basicly does the same thing as display_errors = off)

I've done exactly what you said about display_errors and init_set(), however, the error was still being showed.

The changes were made to this file: slawkens/myaac (https://github.com/slawkens/myaac/blob/master/system/libs/pot/OTS_DB_MySQL.php#L138)
You'll see that there's no exception handling there.
I also noticed that this AAC set automatically init_set() variable based on config.php/config.local.php if you set it's environment variable to prod.

Thank you for your answer and sugestion.

 

[LordVissie]

And if you do it like this?

try {          
    parent::__construct('mysql:' . implode(';', $dns), $user, $password, [
        PDO::ATTR_PERSISTENT => $params['persistent'],
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
    ]));
} catch (PDOException $e) {
    print "Could not connect to database.";
    die($e);
}