I was wondering if it’s safe to display the error messages mySQL(i) returns (if any) on your website, or should I do this differently?
I have seen some forum arguments on MySQLi vs PDO and some say that it’s always safe to display MySQLi error messages, but since those are internet arguments, I don’t know how trustworthy that information is.
Can you help me with these queries? (Pun intended)
Advertisement
Answer
“safe” is always relative.
In general on the Internet, it’s best to assume you’re under attack from people who hate you and want to do bad things. They will use any information at all to hurt you.
MySQLi messages are basically the underlying engine’s error messages, and contain lots of helpful data for people who want to hurt you.
Showing “raw” error messages is a way they can hurt you more. “ooh – they’re out of disk space? Let’s queue up 77 million new requests. Oh, look, the server only accepts input in <> – let’s see how they do with Klingon.”
In general, put the detail in the server logs, and make the website as user friendly and non-specific as possible.