Author Topic: Security problem with PHP7  (Read 2963 times)

Offline Yogensia

  • Newbie
  • *
  • Posts: 2
Security problem with PHP7
« on: April 30, 2017, 02:40:07 AM »
I've noticed SMF2.0.13 does not support PHP7.0, however today I enabled PHP7 on my server just for testing and was treated to this error message:

Code:
Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /home/lalalala/ Stack trace: #0 /home/lalalalala/ smf_db_initiate('mysql.lalalal...', 'mydbname', 'mydbusername', 'lalalaala', 'smf_', Array) #1 /home/lalalalla/ loadDatabase() #2 {main} thrown in /home/lalalalalalal/ on line 58
Notice anything? Yeah, that's my database name, user and password (and part of the hostname) included in the error message shown in public when trying to access the forum. (Of course, in this post I've replaced everything with lalallala, but you get the idea.)

In my opinion, showing sensitive data such as the database credentials is a pretty severe security issue. Even if it's only because of enabling PHP7, it should give a more graceful error.

Offline Gluz

  • Sr. Member
  • ****
  • Posts: 985
  • Gender: Male
Re: Security problem with PHP7
« Reply #1 on: April 30, 2017, 03:21:37 AM »
That is PHP misconfiguration by your host, unless you override the default options in the php.ini or user.ini in some hosts.

In a production site, PHP should not be showing any error like that to the user, just a blank page if it's a fatal error. Showing errors directly to the user should be enabled only to test and troubleshoot errors, not in a production site; there it should log the errors in the error_log or similar in your account.

Need help with PHP, HTML, CSS, Themes or MODs?

Think in spanish, habla en inglés.
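
The settings Reply #1 describes, as an added example that is not part of the original thread or of SMF: a php.ini (or, where the host allows it, per-directory .user.ini) fragment showing the development-style values that print the stack trace into the page, beside production values that log it instead. The log path is a placeholder, and the last directive assumes PHP 7.4 or later, which is newer than the PHP 7.0 discussed here.

```ini
; Added example: PHP error-handling directives, weak values beside production values.

; --- Weak: development-style values (commented out) ---
; With these, a fatal error such as "Call to undefined function mysql_connect()"
; is rendered into the HTTP response, stack trace included. The trace lists the
; arguments of every frame, which is how the arguments of smf_db_initiate()
; (database host, name, user, password) ended up on a public page.
; display_errors = On
; display_startup_errors = On
; html_errors = On

; --- Production values ---
; Never render errors or startup errors into the response.
display_errors = Off
display_startup_errors = Off

; Record them in a log file instead. Placeholder path: pick a location
; outside the web root that only the site owner can read.
log_errors = On
error_log = /path/to/private/php_errors.log

; Keep reporting everything, so the log still shows what broke.
error_reporting = E_ALL

; PHP 7.4 and later only: drop function arguments from exception stack
; traces, so credentials passed as parameters are not written to the
; log either.
zend.exception_ignore_args = On
```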

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 69,458
    • StoryBB/StoryBB on GitHub
Re: Security problem with PHP7
« Reply #2 on: April 30, 2017, 05:15:14 AM »
This will be fixed in 2.0.14 anyway when PHP 7 support is added, but note that it isn't itself a bug that we'd fix; the patch would fix the undefined function, not work around whatever your host has done with PHP's configuration (which looks to be non-standard and non-production).
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Yogensia

  • Newbie
  • *
  • Posts: 2
Re: Security problem with PHP7
« Reply #3 on: April 30, 2017, 07:38:41 AM »
Ok, thanks for clarifying the source of the problem!