Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
If I forget to put the hostname in the mysql config (in sites/default/settings.php), the parse_url function at includes/database.mysqli.inc on line 63 will generate a warning which can allow everybody to see my password. Just add an @ before the function fix the problem.
The warning I get :
Warning: parse_url(mysqli://toto:azerty@/daemontux) [function.parse-url]: Unable to parse URL in /home/jonathan/public_html/daemontux.org/www/includes/database.mysqli.inc on line 63
Comments
Comment #1
mr.baileysMoving this to the correct queue.
Instead of using @, I'd prefer to use something like valid_url() before calling parse_url to make sure the input is valid, but as there is a lot going on with the database system between D6 and D7, I'll let people who actually know what they're talking about handle this (or mark it won't fix / by design).
Comment #2
fizk CreditAttribution: fizk commentedThis affects users of PHP prior to 5.3.3, as the E_WARNING that was emitted when URL parsing failed has been removed as of PHP 5.3.3.