If the site is called with an unknown taxonomy id, for example:
http://drupal.org/taxonomy/page/or/zzz/
the site produces SQL errors:
user error: Unknown column 'zzz' in 'where clause'
query: SELECT COUNT(DISTINCT(n.nid)) FROM node n INNER JOIN term_node r ON n.nid = r.nid INNER JOIN users u ON n.uid = u.uid WHERE r.tid IN (zzz) AND n.status = '1' in /var/www/drupal.org/includes/database.mysql.inc on line 90.
user error: Unknown column 'zzz' in 'where clause'
query: SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n INNER JOIN term_node r ON n.nid = r.nid INNER JOIN users u ON n.uid = u.uid WHERE r.tid IN (zzz) AND n.status = '1' ORDER BY static DESC, created DESC LIMIT 0, 6 in /var/www/drupal.org/includes/database.mysql.inc on line 90.
I think this is a small security hole - the site must not show any SQL errors when SQL is called with bad parameters.
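The root cause visible in the quoted queries is that the path argument (`zzz`) is interpolated straight into `r.tid IN (...)`. The following is an added illustration, not Drupal's code or the patch mentioned below: it validates the comma-separated tid list before any query runs and binds the values as parameters, so a bad argument yields a not-found response instead of a database error. The tables and rows are constructed for the demo on an in-memory SQLite database.

```python
import sqlite3

def parse_tids(arg):
    """Parse the term list of taxonomy/page/<op>/<tids>.
    Accepts only unsigned decimal integers separated by commas;
    returns None for anything else (e.g. 'zzz', '', '1,zzz')."""
    tids = []
    for item in arg.split(','):
        if not item.isdigit():
            return None
        tids.append(int(item))
    return tids or None

def count_published_nodes(conn, tids):
    """Same shape as the page's COUNT query, with bound parameters
    instead of string interpolation."""
    placeholders = ','.join('?' * len(tids))
    sql = ("SELECT COUNT(DISTINCT n.nid) FROM node n "
           "INNER JOIN term_node r ON n.nid = r.nid "
           f"WHERE r.tid IN ({placeholders}) AND n.status = 1")
    return conn.execute(sql, tids).fetchone()[0]

def taxonomy_page(conn, arg):
    """Return (status, count). Invalid input never reaches the database."""
    tids = parse_tids(arg)
    if tids is None:
        return ('404 Not Found', None)
    return ('200 OK', count_published_nodes(conn, tids))

def build_demo_db():
    # Constructed sample data: nodes 1 and 2 are published, 3 is not.
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE node (nid INTEGER, status INTEGER);
        CREATE TABLE term_node (nid INTEGER, tid INTEGER);
        INSERT INTO node VALUES (1, 1), (2, 1), (3, 0);
        INSERT INTO term_node VALUES (1, 5), (2, 5), (3, 5), (2, 7);
    """)
    return conn

if __name__ == '__main__':
    db = build_demo_db()
    print(taxonomy_page(db, '5'))     # ('200 OK', 2)
    print(taxonomy_page(db, 'zzz'))   # ('404 Not Found', None)
```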
Comments
Comment #1
moshe weitzman commented: These error messages are meant to be seen by web developers, not end users. You should turn off the display of all errors on a production site, particularly if you are concerned about disclosing information about your site. The recommended php.ini distributed with PHP does this already. See display_errors in your manual.
Comment #2
killes@www.drop.org commented: Patch 0142 in for_review fixes this.