PHP error message disclosure
Description
Detects PHP code that outputs SQL error messages directly to users through die() or exit() statements. This is a security risk because a raw database error message can reveal table and column names, the text of the failing query and the DBMS in use, information an attacker uses to refine an injection payload or map the schema.
Detection Strategy
• Identifies usage of PHP die() or exit() functions in the code
• Analyzes the arguments passed to these functions to check if they contain or expose SQL error messages
• Reports a vulnerability when SQL error information is directly passed to die() or exit() functions
• Checks for common patterns like passing mysqli_error() or PDO error messages directly to die()/exit()
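The four bullets above describe the rule but do not show it. What follows is an added example of that strategy as a small scanner, written for this page and not Fluid Attacks' own checker: it blanks string literals and comments (keeping "$obj->prop" interpolations, since PHP substitutes the error text into those at runtime), locates die()/exit() calls, extracts each argument by matching parentheses, and reports the call when the argument contains a mysqli or PDO error expression. The PHP it scans is a constructed sample; the function and pattern names are this example's own.

```python
"""Toy detector for the rule above: die()/exit() whose argument carries a database error."""
import re

# Calls that terminate the script and echo their argument to the client.
CALL_RE = re.compile(r"(?<![\w$>])(die|exit)\s*\(")

# Expressions that carry database error text (mysqli procedural/OO style and PDO).
SQL_ERROR_RE = re.compile(
    r"\bmysqli?_(?:connect_)?error\s*\("   # mysql_error(), mysqli_error(), mysqli_connect_error()
    r"|->\s*(?:connect_)?error\b"          # $mysqli->error, $mysqli->connect_error, $stmt->error
    r"|->\s*errorInfo\s*\("                # $pdo->errorInfo(), $stmt->errorInfo()
)

# "$var" and "$obj->prop" interpolation inside double-quoted strings still leaks the error.
INTERP_RE = re.compile(r"\$\w+(?:->\w+)?")


def _blank_strings_and_comments(src):
    """Return src with string literal contents and comments replaced by spaces.

    Offsets and newlines are preserved, so line numbers computed on the result
    match the original. Interpolated "$obj->prop" inside double quotes is kept.
    """
    out = list(src)
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in ("'", '"'):
            start, i = i + 1, i + 1
            while i < n and src[i] != c:
                step = 2 if src[i] == "\\" else 1          # an escaped character counts as one unit
                for j in range(i, min(i + step, n)):
                    if src[j] != "\n":
                        out[j] = " "
                i += step
            if c == '"':
                for im in INTERP_RE.finditer(src, start, i):
                    if src[im.start() - 1] != "\\":           # "\$x" is literal, not interpolated
                        out[im.start():im.end()] = src[im.start():im.end()]
            i += 1                                            # closing quote
        elif src.startswith("//", i) or c == "#":             # line comment (PHP 8 #[...] is treated the same)
            while i < n and src[i] != "\n":
                out[i] = " "
                i += 1
        elif src.startswith("/*", i):                         # block comment
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            for j in range(i, end):
                if src[j] != "\n":
                    out[j] = " "
            i = end
        else:
            i += 1
    return "".join(out)


def _matching_paren(src, open_paren):
    """Index of the ')' closing the '(' at open_paren, or len(src) if unbalanced."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    return len(src)


def find_error_disclosure(php_source):
    """Return [(line_number, call_text)] for each die()/exit() that exposes a DB error."""
    clean = _blank_strings_and_comments(php_source)
    findings = []
    for m in CALL_RE.finditer(clean):
        open_paren = m.end() - 1
        close = _matching_paren(clean, open_paren)
        if SQL_ERROR_RE.search(clean[open_paren + 1:close]):
            line = php_source.count("\n", 0, m.start()) + 1
            findings.append((line, php_source[m.start():close + 1]))
    return findings


# Constructed sample (not from the original page): four disclosures, three non-findings.
SAMPLE_PHP = r'''<?php
$mysqli = new mysqli("localhost", "u", "p", "db");
$result = $mysqli->query($sql) or die($mysqli->error);
if (!$result) {
    exit("Query failed: " . mysqli_error($mysqli));
}
$stmt = $pdo->query($sql);
if ($stmt === false) { die(print_r($pdo->errorInfo(), true)); }
if (!$stmt->execute()) { die("Execute failed: $stmt->error"); }
// die($mysqli->error) in a comment must not be reported
$msg = "exit($conn->error)";          // inside a string literal: not a call
if (!$ok) { die("Database error"); }  // generic message: not a finding
'''

if __name__ == "__main__":
    for line, call in find_error_disclosure(SAMPLE_PHP):
        print(f"line {line}: {call}")
```

Running it reports lines 3, 5, 8 and 9 of the sample and stays quiet on the comment, the string literal and the generic die("Database error"). It is a lexical heuristic: it does not follow data through variables (a $msg built from $mysqli->error and passed to die() on a later line is missed), nor through wrapper functions, which is why a production checker works on the parsed AST with taint tracking rather than on regexes.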
Vulnerable code example
<?php
function get_user($userid) {
    $mysqli = new mysqli("localhost", "username", "password", "database");
    $query = "SELECT * FROM users WHERE id = " . $userid; // $userid is concatenated unescaped, so a malformed value reaches the error path below
    $result = $mysqli->query($query);
    if (!$result) {
        die($mysqli->error); // Vulnerable: exposes the database error message (failing SQL, table and column names) to the user
    }
    return $result->fetch_assoc();
}
✅ Secure code example
<?php
function get_user($userid) {
    $mysqli = new mysqli("localhost", "username", "password", "database");
    if ($mysqli->connect_errno) {
        error_log("DB connect error: " . $mysqli->connect_error); // Log errors server-side
        return null;
    }
    $stmt = $mysqli->prepare("SELECT * FROM users WHERE id = ?");
    if ($stmt === false || !$stmt->bind_param("i", $userid) || !$stmt->execute()) {
        error_log("DB query error: " . $mysqli->error); // Log server-side, never send to the client
        return null; // The caller shows a generic failure message
    }
    return $stmt->get_result()->fetch_assoc();
}
Note that on PHP 8.1 and later mysqli reports errors as mysqli_sql_exception by default instead of returning false; wrap the calls in try/catch and log the exception the same way, because an uncaught exception with display_errors enabled leaks the same message.