mlb
O' Great One
Posts: 20,326
Joined: Mar 2004
Reputation: 542
I Root For: Cincinnati
Location:
|
New issue... error giving out too much information
In my opinion anyway...
Quote:MyBB has experienced an internal SQL error and cannot continue.
SQL Error:
1053 - Server shutdown in progress
Query:
SELECT p.username AS postusername, p.uid, u.username, p.subject, p.pid, p.tid, p.ipaddress, t.subject AS threadsubject FROM mybb_posts p LEFT JOIN mybb_threads t ON (t.tid=p.tid) LEFT JOIN mybb_users u ON(p.uid=u.uid) WHERE longipaddress='1246984673' ORDER BY p.dateline DESC LIMIT 0, 50
Just my $.02... but I never want errors that give you an idea of your database design. I know the federal government considers it a huge security issue. I would change these errors to be generic and record the true error to another table in the database itself, or some other log, and not show the error to the end user.
|
|
12-29-2008 08:45 PM |
|
georgia_tech_swagger
Res publica non dominetur
Posts: 51,432
Joined: Feb 2002
Reputation: 2022
I Root For: GT, USCU, FU, WYO
Location: Upstate, SC
|
RE: New issue... error giving out too much information
MyBB is open source software.
Do we need to start open source vs proprietary debates?
|
|
12-30-2008 05:25 AM |
|
mlb
O' Great One
Posts: 20,326
Joined: Mar 2004
Reputation: 542
I Root For: Cincinnati
Location:
|
RE: New issue... error giving out too much information
Well... true I guess. I still wouldn't want to give out more information than you have to, gts.
|
|
12-30-2008 08:48 AM |
|
kingbutter
On A Roll
Posts: 668
Joined: Oct 2006
Reputation: 39
I Root For: NIU Huskies
Location:
|
RE: New issue... error giving out too much information
(12-29-2008 08:45 PM)mlb Wrote: In my opinion anyway...
Quote:MyBB has experienced an internal SQL error and cannot continue.
SQL Error:
1053 - Server shutdown in progress
Query:
SELECT p.username AS postusername, p.uid, u.username, p.subject, p.pid, p.tid, p.ipaddress, t.subject AS threadsubject FROM mybb_posts p LEFT JOIN mybb_threads t ON (t.tid=p.tid) LEFT JOIN mybb_users u ON(p.uid=u.uid) WHERE longipaddress='1246984673' ORDER BY p.dateline DESC LIMIT 0, 50
Just my $.02... but I never want errors that give you an idea of your database design. I know the federal government considers it a huge security issue. I would change these errors to be generic and record the true error to another table in the database itself, or some other log, and not show the error to the end user.
None of that info is private anyways. It's very apparent by looking at the footer that this board runs MyBB. Anyone can download MyBB and get the database model.
|
|
01-16-2009 10:25 AM |
|
Ryan Gordon
MyBB Lead Developer
Posts: 671
Joined: May 2007
Reputation: 40
I Root For: Programmers
Location:
|
RE: New issue... error giving out too much information
Obscurity is a weak form of security, which is why this isn't that big of a deal
|
|
01-16-2009 10:57 AM |
|
mlb
O' Great One
Posts: 20,326
Joined: Mar 2004
Reputation: 542
I Root For: Cincinnati
Location:
|
RE: New issue... error giving out too much information
Obscurity is certainly a weak form of security. And I didn't think about the software being open source when I made that post originally. However, best practices says you never give out more information than you need. It is common sense...
But, like said above, it is open source. If someone really wants to attack this site they will download the code and the database structure and go from there.
|
|
01-19-2009 12:24 PM |
|