If I forget to put the hostname in the mysql config (in sites/default/settings.php), the parse_url function at includes/database.mysqli.inc on line 63 will generate a warning which can allow everybody to see my password. Just adding an @ before the function fixes the problem.

The warning I get:
Warning: parse_url(mysqli://toto:azerty@/daemontux) [function.parse-url]: Unable to parse URL in /home/jonathan/public_html/daemontux.org/www/includes/database.mysqli.inc on line 63

Comments

Comment by mr.baileys

Title: mysql password visible to all when parse_url function fail » Password visible to all when parse_url function fail
Component: base system » database system
Priority: Critical » Normal

Moving this to the correct queue.

Instead of using @, I'd prefer to use something like valid_url() before calling parse_url to make sure the input is valid, but as there is a lot going on with the database system between D6 and D7, I'll let people who actually know what they're talking about handle this (or mark it won't fix / by design).
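An added illustration, not code from Drupal or from either poster, of the leak described above and of the check-before-use approach mr.baileys suggests: the helper names redact_db_url() and parse_db_url() are hypothetical, and the sample URLs are constructed values.

```php
<?php
// Added example (not Drupal's own code). A database URL with the host left
// out, such as mysqli://toto:azerty@/daemontux, makes parse_url() fail; on
// PHP < 5.3.3 the resulting E_WARNING echoes the raw URL, password included.

/**
 * Mask the password component of a database URL before it is reported.
 * Turns "scheme://user:secret@host/db" into "scheme://user:***@host/db".
 */
function redact_db_url($url) {
  return preg_replace('#(://[^:/@]*:)[^@]*@#', '$1***@', $url);
}

/**
 * Parse a database URL without letting PHP print the raw URL on failure.
 * Returns the component array, or throws with a redacted URL in the message.
 */
function parse_db_url($url) {
  // Suppress the warning for this one call only; error_reporting stays as is.
  $parts = @parse_url($url);
  // parse_url() returns FALSE for badly malformed URLs; treat a missing host
  // the same way, since that is exactly the settings.php mistake in question.
  if ($parts === FALSE || empty($parts['host'])) {
    throw new InvalidArgumentException(
      'Invalid database URL (hostname missing?): ' . redact_db_url($url));
  }
  return $parts;
}

// Constructed sample values, not real credentials.
$samples = array(
  'mysqli://toto:azerty@/daemontux',          // host missing: must not leak "azerty"
  'mysqli://toto:azerty@localhost/daemontux', // well-formed
);
foreach ($samples as $url) {
  try {
    $p = parse_db_url($url);
    echo 'OK: host=' . $p['host'] . ' user=' . $p['user']
      . ' db=' . ltrim($p['path'], '/') . "\n";
  }
  catch (InvalidArgumentException $e) {
    // Message carries "mysqli://toto:***@/daemontux", never the password.
    echo 'Error: ' . $e->getMessage() . "\n";
  }
}
```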

Comment by fizk

This affects users of PHP prior to 5.3.3, as the E_WARNING that was emitted when URL parsing failed has been removed as of PHP 5.3.3.

Status: Active » Closed (outdated)

Automatically closed because Drupal 6 is no longer supported. If the issue verifiably applies to later versions, please reopen with details and update the version.