Good day. I wanted to ask about this: my project throws an error like the following, say:

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: YES)

Well, through my own carelessness, I set the password incorrectly. But can some bad guy take advantage of this situation and "please" me with a wiped database?

    2 answers

    • Of course, there is nothing to exploit directly here.

    • But, nevertheless, indirectly, it can help a potential attacker.

    • Knowing that MySQL is being used, and having confirmation that in the current configuration error and warning messages are shown directly to the user, makes it easier to conduct a SQL injection attack.

    • Clearly, there may be no opportunity to carry it out; however, if vulnerable code still exists somewhere, the probability of its successful exploitation increases.

    • A small digression about the mysql_connect function in general: it is deprecated, so you should not use it at all.

    • In general, there is information that the data transmitted during authentication via mysql_connect can be intercepted if MYSQL_CLIENT_SSL is not used with encrypted data transfer.

    I do not know how likely such an interception is in real life, but at least it is worth considering.

    • And what's the point of conducting attacks like SQL injection if the server is already hacked and root access is stolen? That's it, goodbye, America. "Having information about the use of MySQL and confirmation that in the current configuration, error and warning messages fly directly to the user, it becomes easier to carry out an SQL injection attack." Moreover, PHP even has a special function that, in smart hands, can reduce the likelihood of an attack such as SQL injection: mysql_real_escape_string(). --- What about "it's deprecated," is that okay, cap? =) It became so with the advent of PDO, at a minimum. - Salivan
    • And MORE: "In general, there is information that the data transmitted during authentication via mysql_connect can be intercepted if MYSQL_CLIENT_SSL is not used with encrypted data transfer." Oh really? Almost everything can be intercepted in some way if a secure, encrypted SSL connection is not used. - Salivan
    • @Asen - It usually makes sense to read the question to the end; the author wrote “Well, through my own carelessness, I set the password incorrectly” and wondered what this might lead to. - I think that a lot can be said about the security of PHP + MySQL besides mysql_real_escape_string, but this would have only a marginal relation to the question. - Apparently, the author of the question does not know that mysql_connect, mysql_pconnect, ... are deprecated, and what is obvious to you may not be entirely obvious to others. - Costantino Rupert
    • @Asen What is the purpose of these comments? :) If there are any factual errors in my answer, I am ready to discuss them. - Costantino Rupert
    • @Kotik_khohet_kushat I cannot even imagine how you can "set the password incorrectly OUT OF CARELESSNESS". In my opinion, this is some kind of nonsense ... --- There are no errors and cannot be, since these are mainly your arguments. There are only small notes, all of which are described above. --- And by the way: "I think that with regard to the security of PHP + MySQL you can say a lot of things ..." I also do not quite agree. I agree that this "bundle" causes a lot of trouble and fuss with security, but in and of itself it is not important and full of holes. There are some vulnerabilities, but they are not fatal. - Salivan

    Hello!
    Any such messages are already a plus for the attacker. Put @ before the mysql_connect function so that it does not display messages, or configure the display of informational messages (warnings, errors, etc.) in php.ini. At the development stage it is recommended to enable the output of all errors, and in production it is better not to show such things.

    • So that's what it is))) And before mysql_fetch_array(), or something like that, do you also need to put @? - k0mar
    • @ before the function suppresses error output - ghost rider
    • And it is better not to use deprecated functions like mysql_connect, if you really do use PHP. Even php.net/mysql_connect displays a bold red warning. - drdaeman
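
The points raised in the answers above (do not display errors to visitors, log them instead, use PDO rather than mysql_connect), as an added example that is not part of the original thread or any participant's code. The environment variable names, the fallback DSN, the `app_user` account and the `users` table are assumptions made for illustration.

```php
<?php
// Added example: hypothetical names throughout (DB_DSN/DB_USER/DB_PASS env vars,
// the app_user account, the `users` table).

// Production settings; normally placed in php.ini rather than set at runtime.
ini_set('display_errors', '0');   // never send PHP warnings/errors to the client
ini_set('log_errors', '1');       // keep the detail in the server-side log
error_reporting(E_ALL);           // still record everything

function db_connect(): PDO
{
    $dsn  = getenv('DB_DSN') ?: 'mysql:host=localhost;dbname=app;charset=utf8mb4';
    $user = getenv('DB_USER') ?: 'app_user';   // a least-privilege account, not root
    $pass = getenv('DB_PASS') ?: '';

    try {
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    } catch (PDOException $e) {
        // An uncaught PDOException can print a backtrace with connection details,
        // so catch it, log it privately and answer with a generic message.
        error_log('DB connection failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Service temporarily unavailable.');
    }
}

function find_user_name(PDO $db, int $id): ?string
{
    // Prepared statement: the value is bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

$db = db_connect();
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {   // parameter missing or not an integer
    http_response_code(400);
    exit('Bad request.');
}
echo htmlspecialchars(find_user_name($db, $id) ?? 'not found', ENT_QUOTES, 'UTF-8');
```

Unlike the `@` operator, which discards the message entirely, this keeps the failure visible to the operator in the error log while the visitor sees only a generic response.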