filter database error message

 



btran007
Novice

Dec 2, 2014, 1:54 PM

Post #1 of 8 (14533 views)
filter database error message

Hi everyone,

I am not advanced by any means, but this is something I googled and failed to find an answer for. I am looking to filter the database error message generated by DBI. I think I have everything covered as far as best practices for connecting and executing parameterized statements. Here is what I have:

$DBPTR = DBI->connect("dbi:Oracle", username, password) or die("Unable to connect to the database\n");

$sth->execute() or die "Can't execute SQL statement.\n";

I believe that should kill and log the application when an error occurs. However, when running a web vulnerability scanner, it is still able to find the DBI error and code, such as

ORA-12541: TNS:no listener
ORA-01017: invalid username/password;

How can I prevent the errors from returning back in the RESPONSE? Here is the response:


<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<
...[SNIP]...
<input type="hidden" name="VS" value="ORA-12541: TNS:no listener&#10;" />
...[SNIP]...



Thanks
btran


FishMonger
Veteran / Moderator

Dec 2, 2014, 2:47 PM

Post #2 of 8 (14531 views)
Re: [btran007] filter database error message

You're not providing enough of your code or explanation of what it's doing so it's impossible for us to say how to fix your problem.

One thing I can say is that in a web environment, you should not be using die() statements. You should trap errors and present a properly formatted error page.


btran007
Novice

Dec 2, 2014, 4:33 PM

Post #3 of 8 (14525 views)
Re: [FishMonger] filter database error message

There's nothing special, just connect to the database and execute a query. But I guess I have been doing it incorrectly based on your statement. I will try to trap the errors and see if that helps.

Thanks
btran


FishMonger
Veteran / Moderator

Dec 2, 2014, 4:44 PM

Post #4 of 8 (14521 views)
Re: [btran007] filter database error message

The DBI connect statement and its die statement would not produce the output you say you're getting. You obviously have something else going on which you haven't shown.


btran007
Novice

Dec 3, 2014, 6:52 AM

Post #5 of 8 (14506 views)
Re: [FishMonger] filter database error message

This is my query. After looking at it more, I think the disconnect is not trapped. Should that be trapped?

my $sth = $DBPTR->prepare("SELECT STATE, COUNTY, COUNTY_NAME FROM COUNTIES");
$sth->execute() or die "Can't execute SQL statement\n";

while ( ($state, $county, $county_name) = $sth->fetchrow_array() ) {
    $tuple = sprintf("|%s|%s|%s", $state, $county, $county_name);

    $items{$tuple} = $tuple;    # single hash element, not a one-key slice
    push(@current_values, $tuple);
    ++$count;
}

END {
    $DBPTR->disconnect if defined($DBPTR);
}

Thanks
btran


FishMonger
Veteran / Moderator

Dec 3, 2014, 7:18 AM

Post #6 of 8 (14503 views)
Re: [btran007] filter database error message

Putting the disconnect in an END block would only be an issue if $DBPTR was not file scoped.

The 2 places where you need error trapping (in this code snippet) are on the prepare and execute statements. Using a die statement isn't error trapping, it throws an error. Instead of using die, you should call a sub that either generates or redirects to a proper error page.


btran007
Novice

Dec 3, 2014, 7:57 AM

Post #7 of 8 (14499 views)
Re: [FishMonger] filter database error message

Can you expand on how using die throws an error? I understood that it kills the process and logs it, correct?

Thanks
btran


FishMonger
Veteran / Moderator

Dec 3, 2014, 8:17 AM

Post #8 of 8 (14494 views)
Re: [btran007] filter database error message

Poor choice of words on my part. It doesn't throw an error, it raises an exception.
http://perldoc.perl.org/functions/die.html

The die function does not do any logging. That part is left up to you (the coder).
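
The advice in posts #2, #6 and #8 (trap the DBI failure, log it yourself, send a proper error page) can be sketched as follows. This is an added example, not code from anyone in the thread; the subs fetch_counties() and error_page() and the DB_DSN, DB_USER and DB_PASS environment variables are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Hypothetical names (not from the thread): fetch_counties(), error_page(),
# and the DB_DSN / DB_USER / DB_PASS environment variables.
sub fetch_counties {
    # RaiseError turns every DBI failure (connect, prepare, execute, fetch)
    # into an exception; PrintError off stops DBI from warning on its own.
    my $dbh = DBI->connect($ENV{DB_DSN} // 'dbi:Oracle:', $ENV{DB_USER}, $ENV{DB_PASS},
        { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
    my $sth = $dbh->prepare('SELECT STATE, COUNTY, COUNTY_NAME FROM COUNTIES');
    $sth->execute();
    my $rows = $sth->fetchall_arrayref();
    $dbh->disconnect;
    return $rows;
}

sub error_page {
    my ($ref) = @_;
    # Only a generic message and a reference id reach the client;
    # no driver text, ORA- codes, DSN or user name.
    return "Status: 500 Internal Server Error\r\n"
         . "Content-Type: text/html; charset=utf-8\r\n\r\n"
         . "<html><body><h1>Service temporarily unavailable</h1>"
         . "<p>Please try again later. Reference: $ref</p></body></html>\n";
}

my $rows = eval { fetch_counties() };
if (!defined $rows) {
    my $err = $@ || 'unknown error';
    my $ref = sprintf('%d-%d', time, $$);   # ties the page to the log entry
    $err =~ s/[\r\n]+/ /g;                  # keep the log entry on one line
    warn "[$ref] database error: $err\n";   # STDERR: typically the web server error log
    print error_page($ref);
    exit 0;
}

print "Content-Type: text/html; charset=utf-8\r\n\r\n<html><body><ul>\n";
for my $r (@$rows) {
    # Escape column values before they are written into HTML
    my @cells = map { my $v = $_ // ''; $v =~ s/&/&amp;/g; $v =~ s/</&lt;/g; $v =~ s/>/&gt;/g; $v } @$r;
    print '<li>', join('|', @cells), "</li>\n";
}
print "</ul></body></html>\n";
```

The same rule applies to any place the script copies `$DBI::errstr` or `$@` into its output, such as the hidden `VS` field in the response from post #1: the value sent to the browser should be the reference id, never the error string.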
