Tip: Hide SQL Error Message
Hi,
I found that a SQL error message from the MySQL database is displayed if the pg parameter in the URL is assigned an invalid value. IMHO, this SQL error message should not be displayed to your web visitors for security reasons. Besides that, since it includes the table name, it is unnecessary to display this error message to the visitor.
So I made a modification in order to prevent displaying this SQL error message. Please visit this article:
http://www.openscriptsolution.com/2009/09/25/how-to-prevent-displaying-sql-error-message-in-pods-cms/
Hope this is helpful. Cheers!
4 Answers
@Masino - It's probably not the best idea to brush these MySQL errors under the rug. If you are seeing a MySQL error that you think is a bug with Pods, then let us know!
Your modification will also lead to undesired results, specifically with JavaScript functions that use the text "Error:" to determine whether an action was successful.
@Matt,
Understood. That's why I made it an option: when the site is in development mode, the $show_error parameter is set to true, and when the site is in live or production mode, it is set to false.
I think the best idea for this is to separate the Error function for JavaScript and for the SQL query itself. Does that make sense to you?
@Masino - look at this example:
http://code.google.com/p/wp-pods/source/browse/trunk/core/manage_pages.php#64 (line 64)
Again, JavaScript expects to receive the string, "Error", when something goes wrong. It's the JavaScript alert() that needs to be targeted, NOT pod_query() itself.
I think this would ideally involve replacing all instances of alert() with something like this:
<pre>
<?php global $debug_mode; ?>
<script type="text/javascript">
function podsAlert(msg) {
    var debug_mode = "<?php echo $debug_mode; ?>";
    if ("live" != debug_mode) {
        alert(msg);
    }
}
</script>
</pre>
So, alert(msg) would become podsAlert(msg).
Thanks, Matt. That's what I mean. You are such a genius! Keep up the good work.
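An added example, not code from this thread or from Pods: handling the failure on the server, so that in live mode the response still begins with "Error" (the string the JavaScript checks for) but carries no database detail, while the full MySQL message goes to the server log. The helper name `report_query_error`, the sample query and the sample error text are assumptions constructed for illustration; `$debug_mode` and its "live" value follow the snippet above.

```php
<?php
// Added example, not Pods code. report_query_error() is a hypothetical helper;
// $debug_mode and its "live" value follow the snippet in the thread.

function report_query_error(string $db_error, string $sql, string $debug_mode): string
{
    // Random reference so a visitor's report can be matched to the log entry.
    $ref = bin2hex(random_bytes(4));

    // Full detail (query text, table names) goes to the server log only.
    // Line breaks are flattened so one failure stays one log line.
    $detail = str_replace(["\r", "\n"], ' ', $db_error . ' | SQL: ' . $sql);
    error_log("[query-error $ref] $detail");

    if ('live' !== $debug_mode) {
        // Development: the raw database message is still shown.
        return 'Error: ' . $db_error;
    }

    // Live: keep the "Error" prefix the JavaScript callers test for,
    // but return nothing that describes the schema or the query.
    return "Error: the request could not be completed (ref $ref)";
}

// Constructed sample failure (table name and message are illustrative).
$sql      = "SELECT * FROM example_table WHERE uri = 'abc''";
$db_error = "You have an error in your SQL syntax near ''abc''' at line 1";

foreach (['dev', 'live'] as $debug_mode) {
    echo $debug_mode, ' => ', report_query_error($db_error, $sql, $debug_mode), PHP_EOL;
}
```

Because the detail is dropped before the response is built, it does not appear in the page source or in the AJAX response body in live mode, whether or not the client calls alert().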


