Security issue If OpenCart looses access to database , how can I secure this up?
5 days ago I was hit with a sql ransomware
Warning: mysqli::__construct(): (HY000/2002): Connection refused in /var/www/html/system/library/db/mysqli.php on line 7Warning: DB\MySQLi::__construct(): Couldn't fetch mysqli in /var/www/html/system/library/db/mysqli.php on line 10Warning: DB\MySQLi::__construct(): Couldn't fetch mysqli in /var/www/html/system/library/db/mysqli.php on line 10
Fatal error: Uncaught Exception: Error: <br />Error No: in /var/www/html/system/library/db/mysqli.php:10 Stack trace: #0 /var/www/html/system/library/db.php(31): DB\MySQLi->__construct('sql.locationhere', 'opencart', 'PlainTextPasswordhere', 'opencartdbnamehere', '3306') #1 /var/www/html/system/framework.php(80): DB->__construct('mysqli', 'sql.locationhere, 'opencart', 'PlainTextPasswordhere', 'opencartdbnamehere', '3306') #2 /var/www/html/system/startup.php(104): require_once('/var/www/html/s...') #3 /var/www/html/index.php(19): start('catalog') #4 {main} thrown in /var/www/html/system/library/db/mysqli.php on line 10
Probably you have wrong credentials or any other basic data, which is required to connect.
Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com
Then stop displaying errors/warnings and notices on production sites.
Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces
“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.
In order to show the maintenance page when we cannot get a database connection and not some strange error message not intended for customers or a mere blank page, we simply store the html of the maintenance page in an include folder and show it as static html when there is no DB connection in startup.php
I.e. in the age of fake-news we introduce fake-maintenance (Trump will probably claim he invented that phrase)
I mean, we like to know when we have a problem but we do not necessarily like the customers to know.
and once again, never ever echo any error/warning/notice messages in production.
It is not only a potential security risk, it also looks bad for your customers and your search engine indexed page listings.
I.e. in the age of fake-news we introduce fake-maintenance (Trump will probably claim he invented that phrase)
Code: Select all
if (!$this->db->connected()) {
error_log('Error (01): Database not connected, maintenance page shown.');
ob_start();
include(DIR_INCLUDES.'maintenance-en.html');
$maintenance_page = ob_get_clean();
echo $maintenance_page;
exit();
}I mean, we like to know when we have a problem but we do not necessarily like the customers to know.
and once again, never ever echo any error/warning/notice messages in production.
It is not only a potential security risk, it also looks bad for your customers and your search engine indexed page listings.
Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces
“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.
1. It looks like passwords are hardcoded rather than set in config.php? Why?MasterCATZ wrote: ↑Mon Sep 16, 2019 4:55 amSecurity issue If OpenCart looses access to database , how can I secure this up?
5 days ago I was hit with a sql ransomware
2. Turn off errors in production.
3. Contact these guys.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
@ letxobnav where do I place this?
there is two startup.php one on system/startup.php
and the other one on catalog/controller/startup/startup.php
there is two startup.php one on system/startup.php
and the other one on catalog/controller/startup/startup.php
Thanks for your response in advance!letxobnav wrote: ↑Mon Sep 16, 2019 12:34 pmIn order to show the maintenance page when we cannot get a database connection and not some strange error message not intended for customers or a mere blank page, we simply store the html of the maintenance page in an include folder and show it as static html when there is no DB connection in startup.php
I.e. in the age of fake-news we introduce fake-maintenance (Trump will probably claim he invented that phrase)
Code: Select all
if (!$this->db->connected()) { error_log('Error (01): Database not connected, maintenance page shown.'); ob_start(); include(DIR_INCLUDES.'maintenance-en.html'); $maintenance_page = ob_get_clean(); echo $maintenance_page; exit(); }
I mean, we like to know when we have a problem but we do not necessarily like the customers to know.
and once again, never ever echo any error/warning/notice messages in production.
It is not only a potential security risk, it also looks bad for your customers and your search engine indexed page listings.
i solved the problem, i have change somes files to error show false and the startup.php
// Error Reporting
ini_set('display_errors',1);
ini_set('display_startup_erros',1);
error_reporting(E_ALL);
to
// Error Reporting
ini_set('display_errors',off);
ini_set('display_startup_erros',off);
error_reporting(false);
it worked for me
// Error Reporting
ini_set('display_errors',1);
ini_set('display_startup_erros',1);
error_reporting(E_ALL);
to
// Error Reporting
ini_set('display_errors',off);
ini_set('display_startup_erros',off);
error_reporting(false);
it worked for me
Who is online
Users browsing this forum: gunownergear and 49 guests
