$Debug=2 will show login credentials if dbms failure

[dalers]

I tried accessing webERP before I had restored the database (i.e. the database was empty) and chrome showed me this? Is this too much information? Is this avoidable?

Server is xampp apache and MariaDb dev server on Windows configured to show errors (and http-only connection).

[timschofield]

I am guessing you havr xdebug or equivalent installed on your server. This should never be installed on a production server.

[dalers]

You guess correct @timschofield :-) xdebug is installed. I also agree it's generally not something you would normally have on a public facing production server (which this is not).

However, I don't understand what's actually happening here.

I'm assuming login fails because the www_users table doesn't exist but why does apache output my login parameters? Is it simply because error reporting is enabled and the error includes any parameters sent from the browser, and in this case, the parameters are my login credentials?

[timschofield]

The job of xdebug is to output information helpful in debugging problems. This information is typical of the output of xdebug.

[dalers]

It's not xdebug. Login credentials are still shown after disabling xdebug in php.ini and restarting Apache.

I'm guessing this is standard error output (and probably also how Apache renders data from xdebug). Enabling displaying errors in php.ini AND a dbms failure (or at least missing tables) will expose login parameters.

[timschofield]

Doesn't happen on my system here Dale. Without a debugger I just get the standard list of WARNING/DEPRECATED messages.

A function stack trace like that is the output of a debugger. PHP on it's own won't do that.

[dalers]

It appears that PHP can do this on its own. phpinfo() shows xdebug is not enabled.

The stack frame only appears when $Debug=2 in config.php.

It's not a problem, just worth being aware that setting $Debug=2 divulges login credentials if there is a dbms fault.

I was mistaken thinking the issue was related to error_reporting() (my config.php contains "error_reporting(E_ALL && ~E_NOTICE);").

When $Debug=0 the output is:

[timschofield]

OK, it doesn't do that for me, but I am using nginx. REmember all this is doing is mirroring back the info you entered, so it will only tell you the password if you entered it.

[pakricard]

@dalers : It is OK, and IMO, desirable.
$Debug = 2 for developing only, and $Debug = 0 for production sites, and the problem is solved.
But when you are debugging all informations available helps to find the culprit.

R

[dalers]

Another learning experience. :-) Behavior is expected and reasonable after understanding why. I'll change the title to be more descriptive and mark this discussion closed. Thanks for comments.