Author Topic: Security problem with PHP7  (Read 2739 times)

Offline Yogensia

  • Newbie
  • *
  • Posts: 2
Security problem with PHP7
« on: April 30, 2017, 02:40:07 AM »
I've noticed SMF 2.0.13 does not support PHP 7.0; however, today I enabled PHP7 on my server just for testing and was treated to this error message:

Code:
Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /home/lalalala/ Stack trace: #0 /home/lalalalala/ smf_db_initiate('mysql.lalalal...', 'mydbname', 'mydbusername', 'lalalaala', 'smf_', Array) #1 /home/lalalalla/ loadDatabase() #2 {main} thrown in /home/lalalalalalal/ on line 58
Notice anything? Yeah, that's my database name, user and password (and part of the hostname) included in the error message shown in public when trying to access the forum. (Of course, in this post I've replaced everything with lalallala, but you get the idea.)

In my opinion, showing sensitive data such as the database credentials is a pretty severe security issue; even if it's only because of enabling PHP7, it should give a more graceful error.

Online Gluz

  • Native Language Support Specialist
  • Sr. Member
  • *
  • Posts: 985
  • Gender: Male
Re: Security problem with PHP7
« Reply #1 on: April 30, 2017, 03:21:37 AM »
That is a PHP misconfiguration by your host, unless you override the default options in the php.ini or user.ini on some hosts.

In a production site, PHP should not be showing any error like that to the user, just a blank page if it's a fatal error. Showing errors directly to the user should be enabled only to test and troubleshoot errors, not on a production site; there it should log the errors in the error_log or similar in your account.

Need help with PHP, HTML, CSS, Themes or MODs?

Think in Spanish, habla en inglés.
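
The check described in the reply above, as an added example that is not part of the original thread or of SMF's code: a small PHP script that reports whether the running configuration would show fatal errors to visitors instead of logging them. It goes slightly beyond the thread by also checking `zend.exception_ignore_args`, a directive available from PHP 7.4 that keeps function arguments out of stack traces; the function names are made up for the example.

```php
<?php
// Added example: report PHP settings that decide whether a fatal error and
// its stack trace (including function arguments) reach visitors or only a log.

// Read a boolean-style ini directive; null means this PHP build lacks it.
function ini_flag(string $name): ?bool
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    $raw = strtolower(trim($raw));
    if ($raw === 'stderr' || $raw === 'stdout') {
        return true; // display_errors also accepts these output targets
    }
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// Hypothetical helper name; returns a list of human-readable findings.
function audit_error_exposure(): array
{
    $findings = [];
    foreach (['display_errors', 'display_startup_errors'] as $directive) {
        if (ini_flag($directive)) {
            $findings[] = "$directive is on: error text is sent in the response";
        }
    }
    if (!ini_flag('log_errors')) {
        $findings[] = 'log_errors is off: errors are not written to any log';
    } elseif (trim((string) ini_get('error_log')) === '') {
        $findings[] = 'error_log is unset: errors go to the SAPI default log';
    }
    // PHP 7.4+: when on, stack traces omit arguments such as DB credentials.
    if (ini_flag('zend.exception_ignore_args') === false) {
        $findings[] = 'zend.exception_ignore_args is off: traces include arguments';
    }
    return $findings;
}

$findings = audit_error_exposure();
foreach ($findings as $finding) {
    echo "[!] $finding\n";
}
if ($findings === []) {
    echo "No error-exposure findings for this SAPI's configuration.\n";
}
exit($findings === [] ? 0 : 1);
```

Run it through the same SAPI that serves the forum (a web request, not the command line), since the CLI often loads a different php.ini.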

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,361
    • Arantor on GitHub
Re: Security problem with PHP7
« Reply #2 on: April 30, 2017, 05:15:14 AM »
This will be fixed in 2.0.14 anyway when PHP 7 support is added, but note that it isn't itself a bug that we'd fix; the patch would fix the undefined function, not work around whatever your host has done with PHP's configuration (which looks to be non-standard and non-production).
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline Yogensia

  • Newbie
  • *
  • Posts: 2
Re: Security problem with PHP7
« Reply #3 on: April 30, 2017, 07:38:41 AM »
Ok, thanks for clarifying the source of the problem!