Security problem with PHP7

Started by Yogensia, April 30, 2017, 02:40:07 AM


Yogensia

I've noticed SMF2.0.13 does not support PHP7.0, however today I enabled PHP7 on my server just for testing and was treated to this error message:

Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /home/lalalala/lalalalla.net/foro/Sources/Subs-Db-mysql.php:58 Stack trace: #0 /home/lalalalala/lalalalla.net/foro/Sources/Load.php(2550): smf_db_initiate('mysql.lalalal...', 'mydbname', 'mydbusername', 'lalalaala', 'smf_', Array) #1 /home/lalalalla/lalalallal.net/foro/index.php(69): loadDatabase() #2 {main} thrown in /home/lalalalalalal/lalalalalalalla.net/foro/Sources/Subs-Db-mysql.php on line 58

Notice anything? Yeah, that's my database name, user and password (and part of the hostname) included in the error message shown in public when trying to access the forum. (Of course in this post I've replaced everything with lalallala but you get the idea.)

In my opinion, showing sensitive data such as the database credentials is a pretty severe security issue, even if it's only because of enabling PHP7, it should give a more graceful error.

Gluz

That is a PHP misconfiguration by your host, unless you override the default options in the php.ini or user.ini in some hosts.

In a production site, PHP should not be showing any error like that to the user, just a blank page if it's a fatal error. Showing errors directly to the user should be enabled only to test and troubleshoot errors, not in a production site; there it should log the errors in the error_log or similar in your account.
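
The production error policy described in the reply above, as an added example that is not part of the original posts and is not SMF code. It assumes PHP 7 or later; `db_initiate_demo()` and all values passed to it are constructed stand-ins.

```php
<?php
// Added example (not SMF code). db_initiate_demo() is a hypothetical stand-in
// for a function that receives database credentials as arguments.

// 1. Production error policy, applied at runtime. The same directives belong
//    in php.ini or .user.ini so they also cover errors raised before this runs.
ini_set('display_errors', '0');          // never print errors into the response
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');              // record them server-side instead
// PHP 7.4+ only: drop function arguments from stack traces. On older versions
// the directive does not exist and ini_set() simply returns false.
ini_set('zend.exception_ignore_args', '1');

// 2. Last-resort handler for uncaught exceptions and Error objects (PHP 7+).
//    It logs class, message, file and line, but not the trace, because the
//    trace is where the argument values (credentials here) appear.
set_exception_handler(function (Throwable $e) {
    error_log(sprintf(
        'Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        http_response_code(503);
    }
    echo "The site is temporarily unavailable.\n";
    exit(1);
});

function db_initiate_demo($server, $name, $user, $passwd)
{
    // Same failure mode as the thread: on PHP 7 the old mysql extension is
    // gone, so this call throws Error("Call to undefined function ...").
    return mysql_connect($server, $user, $passwd);
}

// Constructed sample values, not real credentials.
db_initiate_demo('db.example.test', 'forum_db', 'forum_user', 'example-password');
```

With these settings the visitor sees only the generic message, and the log entry names the undefined function and its location without the argument values.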


Arantor

This will be fixed in 2.0.14 anyway when PHP 7 support is added but note that it isn't itself a bug that we'd fix; the patch would fix the undefined function, not work around whatever your host has done with PHP's configuration (which looks to be non-standard and non-production)

Yogensia

Ok, thanks for clarifying the source of the problem!