Home > OS >  Does returning mysqli_error() in console log pose website a security risk?
Does returning mysqli_error() in console log pose website a security risk?

Time:12-08

I have a simple website form through which a can input data (name, address, password, whatever - it is not important). I use a jQuery ajax call to send the submitted data to a PHP file that in turn, validates the data and adds it to a database.

Does returning mysqli_error() in the ajax results pose a security risk? For example, an error message may expose the database name or field names in the console log.

Is it acceptable in production or should I could send all errors to file with error_log().

CodePudding user response:

Yes, exposing this information poses a security risk. This applies to all PHP errors, not only mysqli ones. This is why you should disable display_errors in production.

Using mysqli_error() carries additional risk as the way you are using it probably does not obey that directive. If your code has any SQL injection, exposed errors are a cherry on top. They not only expose code, but also data.

The best way is to never use this function. Just enable automatic mysqli error reporting and treat them like any other PHP error. Even in development, it's unnecessary and cumbersome to check for errors manually.

  • Related