Commit cd62962f authored by Carsten  Rose's avatar Carsten Rose

Security: hide $SQL in error messages to regular user

parent f5a0e285
......@@ -647,7 +647,7 @@ class QuickFormQuery {
// Load form
$constant = F_NAME; // PhpStorm complains if the constant is directly defined in the string below
$form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Form AS f WHERE f.$constant LIKE ? AND f.deleted='no'", ROW_EXPECT_1,
[$formName], 'Form not found or multiple forms with the same name.');
[$formName], 'Form "' . $formName . '" not found or multiple forms with the same name.');
$form = $this->modeCleanFormConfig($mode, $form);
......
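Review bot: The replacement line `'Form "' . $formName . '" not found or multiple forms with the same name.'` interpolates the requested form name into an exception message that, per this commit's intent, is shown to regular users; whether that matters depends on how DbException text is rendered, which is outside the hunk. If the message can end up in HTML, the name must be escaped at that point (`htmlspecialchars($formName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`), or the raw name should be kept out of the user-facing string and logged with the SQL instead. The query itself is unaffected, since `$formName` is bound as a parameter rather than concatenated into the statement. The enclosing method begins and ends outside the hunk.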
......@@ -187,7 +187,7 @@ class Database {
$count = $this->prepareExecute($sql, $parameterArray, $queryType, $stat);
if ($count === false) {
throw new DbException($specificMessage . "No idea why this error happens - please take some time and check this: $sql", ERROR_DB_GENERIC_CHECK);
throw new DbException($specificMessage . "No idea why this error happens - please take some time and check the problem.", ERROR_DB_GENERIC_CHECK);
}
if ($queryType === QUERY_TYPE_SELECT) {
......@@ -203,14 +203,14 @@ class Database {
if ($count === 0) {
$result = array();
} else {
throw new DbException($specificMessage . "Expected none record, got $count rows: $sql", ERROR_DB_TOO_MANY_ROWS);
throw new DbException($specificMessage . "Expected none row, got $count rows", ERROR_DB_TOO_MANY_ROWS);
}
break;
case ROW_EXPECT_1:
if ($count === 1) {
$result = $this->fetchAll($mode)[0];
} else {
throw new DbException($specificMessage . "Expected one record, got $count: $sql", ERROR_DB_COUNT_DO_NOT_MATCH);
throw new DbException($specificMessage . "Expected one row, got $count rows", ERROR_DB_COUNT_DO_NOT_MATCH);
}
break;
case ROW_EXPECT_0_1:
......@@ -219,13 +219,13 @@ class Database {
} elseif ($count === 0) {
$result = array();
} else
throw new DbException($specificMessage . "Expected zero or one record, got $count records: $sql", ERROR_DB_TOO_MANY_ROWS);
throw new DbException($specificMessage . "Expected zero or one rows, got $count rows", ERROR_DB_TOO_MANY_ROWS);
break;
case ROW_EXPECT_GE_1:
if ($count > 0) {
$result = $this->fetchAll($mode);
} else {
throw new DbException($specificMessage . "Expected at least one record, got nothing: $sql", ERROR_DB_TOO_FEW_ROWS);
throw new DbException($specificMessage . "Expected at least one row, got none", ERROR_DB_TOO_FEW_ROWS);
}
break;
......@@ -240,6 +240,10 @@ class Database {
$this->closeMysqliStmt();
$this->store->setVar(SYSTEM_SQL_RAW, '', STORE_SYSTEM);
$this->store->setVar(SYSTEM_SQL_FINAL, '', STORE_SYSTEM);
$this->store->setVar(SYSTEM_SQL_PARAM_ARRAY, '', STORE_SYSTEM);
return $result;
}
......
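Review bot: The rewritten throws in the `@@ -187`, `@@ -203` and `@@ -219` hunks drop `$sql`, but every message still begins with `$specificMessage`, which callers compose themselves (the QuickFormQuery change in this same commit places the requested form name in it), so the "no SQL for regular users" property only holds if no caller puts SQL or unescaped input there; a comment on the first throw, `// $specificMessage reaches end users: callers must not include SQL or unescaped input`, would make that contract visible. The raw and final SQL presumably remain in SYSTEM_SQL_RAW, SYSTEM_SQL_FINAL and now SYSTEM_SQL_PARAM_ARRAY on the throw paths, because the clearing at the end of the function is reached only on success, so whatever renders DbException should expose those store values to privileged users only. Separately, `"Expected none row, got $count rows"` reads awkwardly; `"Expected no rows, got $count rows"` matches the other messages. The enclosing function starts before the first hunk.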