Commit cd62962f authored by Carsten  Rose's avatar Carsten Rose

Security: hide $SQL in error messages to regular user

parent f5a0e285
...@@ -647,7 +647,7 @@ class QuickFormQuery { ...@@ -647,7 +647,7 @@ class QuickFormQuery {
// Load form // Load form
$constant = F_NAME; // PhpStorm complains if the constant is directly defined in the string below $constant = F_NAME; // PhpStorm complains if the constant is directly defined in the string below
$form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Form AS f WHERE f.$constant LIKE ? AND f.deleted='no'", ROW_EXPECT_1, $form = $this->dbArray[$this->dbIndexQfq]->sql("SELECT * FROM Form AS f WHERE f.$constant LIKE ? AND f.deleted='no'", ROW_EXPECT_1,
[$formName], 'Form not found or multiple forms with the same name.'); [$formName], 'Form "' . $formName . '" not found or multiple forms with the same name.');
$form = $this->modeCleanFormConfig($mode, $form); $form = $this->modeCleanFormConfig($mode, $form);
......
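Review bot: The new message on the `[$formName], 'Form "' . $formName . '" not found ...'` line echoes the requested form name back to the user, which sits oddly in a commit whose purpose is to keep internals out of regular users' error text: if `$formName` comes from the request and DbException messages are rendered as HTML without escaping (not visible in this hunk), this is a reflected-input sink. Either escape at the point of insertion, `'Form "' . htmlspecialchars($formName, ENT_QUOTES) . '" not found or multiple forms with the same name.'`, or confirm that the exception renderer escapes and say so in a one-line comment next to the throw. Because the lookup uses `LIKE ?`, a name containing `%` or `_` can match several rows and land in the "multiple forms" branch, so a comment stating whether wildcard names are intended would help the next reader. The enclosing method starts and ends outside this hunk.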
...@@ -187,7 +187,7 @@ class Database { ...@@ -187,7 +187,7 @@ class Database {
$count = $this->prepareExecute($sql, $parameterArray, $queryType, $stat); $count = $this->prepareExecute($sql, $parameterArray, $queryType, $stat);
if ($count === false) { if ($count === false) {
throw new DbException($specificMessage . "No idea why this error happens - please take some time and check this: $sql", ERROR_DB_GENERIC_CHECK); throw new DbException($specificMessage . "No idea why this error happens - please take some time and check the problem.", ERROR_DB_GENERIC_CHECK);
} }
if ($queryType === QUERY_TYPE_SELECT) { if ($queryType === QUERY_TYPE_SELECT) {
...@@ -203,14 +203,14 @@ class Database { ...@@ -203,14 +203,14 @@ class Database {
if ($count === 0) { if ($count === 0) {
$result = array(); $result = array();
} else { } else {
throw new DbException($specificMessage . "Expected none record, got $count rows: $sql", ERROR_DB_TOO_MANY_ROWS); throw new DbException($specificMessage . "Expected none row, got $count rows", ERROR_DB_TOO_MANY_ROWS);
} }
break; break;
case ROW_EXPECT_1: case ROW_EXPECT_1:
if ($count === 1) { if ($count === 1) {
$result = $this->fetchAll($mode)[0]; $result = $this->fetchAll($mode)[0];
} else { } else {
throw new DbException($specificMessage . "Expected one record, got $count: $sql", ERROR_DB_COUNT_DO_NOT_MATCH); throw new DbException($specificMessage . "Expected one row, got $count rows", ERROR_DB_COUNT_DO_NOT_MATCH);
} }
break; break;
case ROW_EXPECT_0_1: case ROW_EXPECT_0_1:
...@@ -219,13 +219,13 @@ class Database { ...@@ -219,13 +219,13 @@ class Database {
} elseif ($count === 0) { } elseif ($count === 0) {
$result = array(); $result = array();
} else } else
throw new DbException($specificMessage . "Expected zero or one record, got $count records: $sql", ERROR_DB_TOO_MANY_ROWS); throw new DbException($specificMessage . "Expected zero or one rows, got $count rows", ERROR_DB_TOO_MANY_ROWS);
break; break;
case ROW_EXPECT_GE_1: case ROW_EXPECT_GE_1:
if ($count > 0) { if ($count > 0) {
$result = $this->fetchAll($mode); $result = $this->fetchAll($mode);
} else { } else {
throw new DbException($specificMessage . "Expected at least one record, got nothing: $sql", ERROR_DB_TOO_FEW_ROWS); throw new DbException($specificMessage . "Expected at least one row, got none", ERROR_DB_TOO_FEW_ROWS);
} }
break; break;
...@@ -240,6 +240,10 @@ class Database { ...@@ -240,6 +240,10 @@ class Database {
$this->closeMysqliStmt(); $this->closeMysqliStmt();
$this->store->setVar(SYSTEM_SQL_RAW, '', STORE_SYSTEM);
$this->store->setVar(SYSTEM_SQL_FINAL, '', STORE_SYSTEM);
$this->store->setVar(SYSTEM_SQL_PARAM_ARRAY, '', STORE_SYSTEM);
return $result; return $result;
} }
......
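Review bot: The three `setVar(SYSTEM_SQL_*, '', STORE_SYSTEM)` resets added before `return $result` run only on the success path; every `throw new DbException(...)` earlier in this method returns with SYSTEM_SQL_RAW, SYSTEM_SQL_FINAL and SYSTEM_SQL_PARAM_ARRAY still populated in STORE_SYSTEM, so the statement and its bound parameters outlive the failing call. If that is deliberate, so the exception handler can show them to privileged users while the message itself stays SQL-free, add a comment above the resets such as `// Cleared only on success: on the exception path the handler reads these for the admin-only debug output.`; if not, move the resets into a `finally` around the body so a later unrelated error cannot surface a stale statement and parameter array. Note also that `$specificMessage` is still prefixed verbatim to each message, so caller-supplied text (which, after this commit, can include a request-derived form name) reaches the user unchanged. The method's header and the remainder of its body lie outside the visible hunks.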