Majnoon wrote: ↑Sat Jan 28, 2023 9:23 am
Thanks guys.
Also, can you tell me what you do to save your DB from SQL injection?
Because whenever someone tries to attack my website, the DB throws this type of error.
[25-Jan-2023 13:58:52 UTC] PHP Fatal error: Uncaught Exception: Error: <br />Error No: in /home/xyz/public_html/xyz/system/library/db/mysqli.php:10
Stack trace:
#0 /home/xyz/public_html/xyz/storage/modification/system/library/db.php(35): DB\MySQLi->__construct('localhost', 'xyz_xyz...', '_FFJKO}erD5lW17', 'xyz_xyz...', '3306')
So it starts showing the password and username of the DB.
That's a problem connecting to the database. It's not a direct result of an SQL injection. You can't inject SQL if there is no connection to the database. Although it could be the result if an attack is overloading your site.
If you see the username and password of the database in the web browser, then check your error display settings. You need to make sure display errors is set to off in all 3 places: your PHP settings, system/config/default.php and the settings. Not only can this cause minor notices and warnings to cause bigger errors, it can also be a security risk.
1. In your PHP settings make sure display_errors is set to Off. Use phpinfo() to check. It should be off by default, but there are lots of rubbish hosts out there.
2. In system/config/default.php set error_display to false.
3. In your OpenCart Setting on the server tab set Display Errors to No.
For more protection you can enable zend.exception_ignore_args in PHP 7.4 and greater.
https://www.php.net/manual/en/ini.core. ... gnore-args
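
A way to check the two PHP-level settings named in the reply and to see what zend.exception_ignore_args changes in a stack trace like the one quoted above. This is an added example, not part of the original posts and not OpenCart code; `connectDb()`, `iniFlagIsOn()`, `traceWithIgnoreArgs()` and the credentials are constructed for illustration.

```php
<?php
// Added example, not from the thread. connectDb() and its credentials are
// constructed stand-ins for the failing DB constructor in the quoted trace.

function iniFlagIsOn(string $name): ?bool
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null; // directive does not exist in this PHP build
    }
    // display_errors also accepts "stdout" / "stderr", which both mean "on".
    return in_array(strtolower(trim($raw)), ['1', 'on', 'true', 'yes', 'stdout', 'stderr'], true);
}

function connectDb(string $host, string $user, string $password): void
{
    throw new Exception('Error: could not connect (constructed failure)');
}

function traceWithIgnoreArgs(bool $ignore): string
{
    $previous = ini_get('zend.exception_ignore_args');
    ini_set('zend.exception_ignore_args', $ignore ? '1' : '0');
    try {
        connectDb('localhost', 'demo_user', 'demo-secret');
        return '';
    } catch (Exception $e) {
        // The trace is captured when the exception is created, so the
        // setting in force at that moment decides whether arguments appear.
        return $e->getTraceAsString();
    } finally {
        if ($previous !== false) {
            ini_set('zend.exception_ignore_args', $previous); // restore
        }
    }
}

$display = iniFlagIsOn('display_errors');
$ignore  = iniFlagIsOn('zend.exception_ignore_args');

echo 'display_errors: ', $display ? 'ON (errors reach the browser)' : 'off', PHP_EOL;
echo 'zend.exception_ignore_args: ',
    $ignore === null ? 'not available (PHP < 7.4)' : ($ignore ? 'on' : 'OFF (traces include arguments)'),
    PHP_EOL, PHP_EOL;

echo "Trace with ignore_args off:\n", traceWithIgnoreArgs(false), PHP_EOL, PHP_EOL;
echo "Trace with ignore_args on:\n", traceWithIgnoreArgs(true), PHP_EOL;
```

Run it through the web server rather than the command line, since the CLI often loads a different php.ini, and delete the file afterwards.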