Security: hide $SQL in error messages to regular user

cd62962f · Carsten Rose · f5a0e285 · cd62962f · cd62962f
Commit cd62962f authored Feb 17, 2018 by Carsten Rose
--- a/extension/qfq/qfq/QuickFormQuery.php
+++ b/extension/qfq/qfq/QuickFormQuery.php
@@ -647,7 +647,7 @@ class QuickFormQuery {
        // Load form
        $constant = F_NAME; // PhpStorm complains if the constant is directly defined in the string below
        $form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Form AS f WHERE f.$constant LIKE ? AND f.deleted='no'", ROW_EXPECT_1,
-            [$formName], 'Form not found or multiple forms with the same name.');
+            [$formName], 'Form "' . $formName . '" not found or multiple forms with the same name.');

        $form = $this->modeCleanFormConfig($mode, $form);


--- a/extension/qfq/qfq/database/Database.php
+++ b/extension/qfq/qfq/database/Database.php
@@ -187,7 +187,7 @@ class Database {
        $count = $this->prepareExecute($sql, $parameterArray, $queryType, $stat);

        if ($count === false) {
-            throw new DbException($specificMessage . "No idea why this error happens - please take some time and check this: $sql", ERROR_DB_GENERIC_CHECK);
+            throw new DbException($specificMessage . "No idea why this error happens - please take some time and check the problem.", ERROR_DB_GENERIC_CHECK);
        }

        if ($queryType === QUERY_TYPE_SELECT) {
@@ -203,14 +203,14 @@ class Database {
                    if ($count === 0) {
                        $result = array();
                    } else {
-                        throw new DbException($specificMessage . "Expected none record, got $count rows: $sql", ERROR_DB_TOO_MANY_ROWS);
+                        throw new DbException($specificMessage . "Expected none row, got $count rows", ERROR_DB_TOO_MANY_ROWS);
                    }
                    break;
                case ROW_EXPECT_1:
                    if ($count === 1) {
                        $result = $this->fetchAll($mode)[0];
                    } else {
-                        throw new DbException($specificMessage . "Expected one record, got $count: $sql", ERROR_DB_COUNT_DO_NOT_MATCH);
+                        throw new DbException($specificMessage . "Expected one row, got $count rows", ERROR_DB_COUNT_DO_NOT_MATCH);
                    }
                    break;
                case ROW_EXPECT_0_1:
@@ -219,13 +219,13 @@ class Database {
                    } elseif ($count === 0) {
                        $result = array();
                    } else
-                        throw new DbException($specificMessage . "Expected zero or one record, got $count records: $sql", ERROR_DB_TOO_MANY_ROWS);
+                        throw new DbException($specificMessage . "Expected zero or one rows, got $count rows", ERROR_DB_TOO_MANY_ROWS);
                    break;
                case ROW_EXPECT_GE_1:
                    if ($count > 0) {
                        $result = $this->fetchAll($mode);
                    } else {
-                        throw new DbException($specificMessage . "Expected at least one record, got nothing: $sql", ERROR_DB_TOO_FEW_ROWS);
+                        throw new DbException($specificMessage . "Expected at least one row, got none", ERROR_DB_TOO_FEW_ROWS);
                    }
                    break;

@@ -240,6 +240,10 @@ class Database {

        $this->closeMysqliStmt();

+        $this->store->setVar(SYSTEM_SQL_RAW, '', STORE_SYSTEM);
+        $this->store->setVar(SYSTEM_SQL_FINAL, '', STORE_SYSTEM);
+        $this->store->setVar(SYSTEM_SQL_PARAM_ARRAY, '', STORE_SYSTEM);
+
        return $result;
    }