
Bug #4096 Security: Database connection errors report password to the browser
Submitted: 2005-04-07 16:52 UTC
From: tw at 6sys dot com
Assigned: danielc
Status: Closed
Package: DB_DataObject
PHP Version: 4.3.10
OS: Fedora Core 3
Roadmaps: (Not assigned)


 [2005-04-07 16:52 UTC] tw at 6sys dot com
Description:
------------
Using PEAR::DB_DataObject 1.7.13, I put the full DSN in an INI file. The DSN includes the database password, of course. If there is a connection error (in this case, the database server went down), the first use of DB_DataObject results in an error message - raiseError() is getting called, which calls PEAR::raiseError(), which does kill the app (though the module docs seem to say the error isn't actually raised - confusing). This is all fine.

But, when the error is raised, it's printed to the browser, and the error message produced by PEAR::DB contains the DSN, which contains the database password. So, when my database server went down, anyone coming to the site saw the database password.

Reproduce code:
---------------
In the .ini:

    [DB_DataObject]
    database = "mysql://user:pass@localhost/database"
    debug=0
    ...

In the code:

    ...
    $site = new RDBSites; // a DB_DataObject descendant.
    if ($site->get(1) != 1) die("Can't find the default site.");
    ...

Expected result:
----------------
Returning FALSE from get() would be best, so I could handle the error myself. Dying with a descriptive error message output to the PHP log file with error_log(), and perhaps some user-friendly output to the browser like "Error connecting to the database," would also be fine. Dying with no error message at all would also be preferable.

Actual result:
--------------
Output to browser:

    DB_DataObject Error: [db_error: message="DB Error: connect failed" code=-24 mode=return level=notice prefix="" info=" [nativecode=Access denied for user: 'user@localhost' (Using password: YES)] ** mysql://user:pass@localhost/database"]

(note the presence of the password)

Comments

 [2005-04-07 17:14 UTC] danielc
Change from "Documentation" to "DB." You need to change your error reporting procedures. Use getMessage() instead of the more verbose getUserInfo() or getDebugInfo(). Example:

    <?php
    $db =& DB::connect($DSN, $options);
    if (PEAR::isError($db)) {
        echo $db->getMessage() . "\n";
    }
    ?>

Which outputs "DB Error: connect failed" on connection failure.
 [2005-04-07 18:34 UTC] tw at 6sys dot com
Sorry, I misassigned the package - this is against DB_DataObject, not DB, so danielc's comment doesn't apply. Or if you meant it to apply - DB_DataObject::get() is not returning, so I can't check its return code; it's raising an error that kills the script.
 [2005-04-08 01:10 UTC] alan_k
This bug has been fixed in CVS. In case this was a documentation problem, the fix will show up at the end of next Sunday (CET) on pear.php.net. In case this was a pear.php.net website problem, the change will show up on the website in short time. Thank you for the report, and for helping us make PEAR better. Message removed, and only available if you have debug=5. You can prevent it dying by using the config setting dont_die = true - but you need to work out how to use PEAR error handlers if you do this.
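The two remedies given in this thread, combined into one added PHP example (this is not code from the report, from danielc or alan_k, or from DB_DataObject itself): danielc's point that only getMessage() is safe to show the browser, and alan_k's dont_die setting together with a PEAR error handler so that get() returns instead of terminating the script. Because the DSN still appears in getUserInfo(), the handler redacts the password from the DSN before anything is written to the server log. The RDBSites class body, its table name, the file name example.ini, and the function names redactDsnPassword and dbErrorHandler are assumptions made for the example.

```php
<?php
// Added example, not part of the bug report or of DB_DataObject.
// Assumes PEAR, DB and DB_DataObject are installed and that example.ini
// contains the [DB_DataObject] section shown in the report.
require_once 'DB/DataObject.php';

// Replace the password in any "scheme://user:pass@host" DSN embedded in
// an error string with "***". getUserInfo() for the connect failure in
// the report ends with "** mysql://user:pass@localhost/database".
function redactDsnPassword($text)
{
    return preg_replace('#(\w+://[^:/@\s]+:)[^@\s]*@#', '$1***@', $text);
}

// PEAR error callback: the detailed text (DSN redacted) goes to the
// server log via error_log(); the browser sees only getMessage(), which
// for a connection failure is "DB Error: connect failed" and carries no DSN.
function dbErrorHandler($err)
{
    $detail = $err->getMessage() . ' ' . $err->getUserInfo();
    error_log('DB_DataObject error: ' . redactDsnPassword($detail));
    echo htmlspecialchars($err->getMessage()) . "\n";
}

// Hypothetical stand-in for the report's RDBSites class; the table
// name "sites" is an assumption.
class RDBSites extends DB_DataObject
{
    var $__table = 'sites';
    var $id;
}

// Load the INI the way the report does, but force dont_die so that a
// failed get() returns to the caller instead of dying with the DSN.
$options = &PEAR::getStaticProperty('DB_DataObject', 'options');
$config  = parse_ini_file('example.ini', true);
$options = $config['DB_DataObject'];
$options['dont_die'] = true;

// Route every PEAR error raised by DB_DataObject through the handler above.
PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'dbErrorHandler');

$site = new RDBSites;
if ($site->get(1) != 1) {
    // The handler has already logged the redacted detail and printed a
    // safe message; nothing containing the password reaches the browser.
    exit;
}
```

With dont_die in effect the caller is responsible for checking get()'s return value, which is what the reporter asked for under "Expected result"; the redaction regex is a belt-and-braces measure for anything that logs getUserInfo() or getDebugInfo(), since those strings still contain the full DSN.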
 [2005-04-11 14:50 UTC] tw at 6sys dot com
Looks good. Thanks!
 [2008-05-30 09:29 UTC] kuzmas (Kuzma Safonov)
thanks for patch I posted it on http://4browser.com/