The problem is, it's unclear when this error is thrown. I developed in Cake for over a year and still had this debug show in production. It's not a problem of being a good developer, it was a problem of debug being enabled at a certain point in the dispatch cycle and then turned off at another point, but the error being thrown while debug was still on. It was a problem with the order of operation, and the only way a good developer will know this process is when it happens to them, and that just might happen in prod. No developer will know about this unless they reverse engineered the whole dispatch cycle to see how and when this error is thrown.
http://milesj.me/blog/read/debug-off-prod-again

On Jun 22, 10:08 am, majna <[email protected]> wrote:
> How about outputting the debugger "Context" only for 127.0.0.1?
>
> On Jun 22, 7:02 pm, mark_story <[email protected]> wrote:
> > It is the developer's fault, for deploying a system in a way it should never be deployed.
> >
> > Since, I was working under the pretense that any developer who actually cared about these kinds of things wouldn't make a stupid mistake like this. And combined with the fact that removing the passwords is a non-trivial problem, I punted on the issue. The place where this error gets displayed from is inside Debugger, and it's more than non-trivial to filter through the various parts of output, looking for things that follow password, and cutting them out. While this is probably doable it will affect all the messages that Debugger will create.
> >
> > I guess I underestimated the ability of people to screw up basic deployment. If someone wants to prepare a patch, I'd be happy to apply it so people who can't be bothered to properly deploy their applications can sleep better at night.
> >
> > -Mark
> >
> > On Jun 21, 10:22 am, Miles J <[email protected]> wrote:
> > > I have brought this problem up before. Last time, the Cake devs said it was the developer's fault and it will stay in.
> > >
> > > -_-
> > >
> > > On Jun 21, 8:23 am, looklook look <[email protected]> wrote:
> > > > Now you got my point ;)
> > > >
> > > > I have tried a Google query to show the database connection on Drupal, Codeigniter, Wordpress and many others. But yes, they can handle this database error carefully.
> > > >
> > > > So, I think this is a critical issue that should be fixed immediately.
> > > >
> > > > Thanks
> > > >
> > > > Yodi
> > > > http://yoodey.com
> > > >
> > > > On Tue, Jun 21, 2011 at 9:36 PM, Thomas Ploch <[email protected]> wrote:
> > > > > OMG,
> > > > >
> > > > > I certainly could connect to __several__ mysql servers found with this google query.
> > > > >
> > > > > Although I agree that this is a developer's mistake, I am sure that there are a lot of unskilled developers that are doing this because they just don't know it better. So removing those values from the output would be a +1 from me.
> > > > >
> > > > > Regards,
> > > > > Thomas
> > > > >
> > > > > On Tuesday, 21.06.2011, 06:02 -0700, chris wrote:
> > > > > > I'm intrigued by this issue.
> > > > > >
> > > > > > Can someone explain in what situations the whole config var would be output? Is it only when an error occurs, and only when at a certain debug level? I've never seen it displayed at all whilst developing with cakePHP.
> > > > > >
> > > > > > Out of interest I googled the first part of the output, i.e.
> > > > > >
> > > > > > $config = array( "persistent" => false,
> > > > > >
> > > > > > and it certainly surprised me how many sites this brings back with passwords on show.
> > > > > >
> > > > > > On Jun 21, 12:46 pm, yodi <[email protected]> wrote:
> > > > > > > Sorry, it was on a random site built with CakePHP.
> > > > > > >
> > > > > > > To Euromark: I found more than 100 websites affected by this problem and I don't have much time to email them all.
> > > > > > >
> > > > > > > I think, whether or not debug > 0, CakePHP shouldn't throw the real password into CONTEXT.
> > > > > > >
> > > > > > > I tried searching for other CMSs and frameworks. Using the same method, I found none of them showing the real password where a database connection error occurred.
> > > > > > >
> > > > > > > Yes, this is a security issue for me. There are many developers using CakePHP.
> > > > > > >
> > > > > > > To Larry: I can send you a message to show how much it's affected. It can be a consideration.
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > > > On Tue, 2011-06-21 at 06:13 -0500, Larry E. Masters wrote:
> > > > > > > > Are you saying this was on the CakePHP website or a random site you were visiting?
> > > > > > > >
> > > > > > > > --
> > > > > > > > Larry E. Masters
> > > > > > > >
> > > > > > > > On Mon, Jun 20, 2011 at 2:18 PM, yoodey <[email protected]> wrote:
> > > > > > > > > Hello all,
> > > > > > > > >
> > > > > > > > > I was randomly browsing and got a website with a database connection error. It gave me the error page: Warning (2): mysql_connect() [function.mysql-connect]: Access denied for user ...
> > > > > > > > >
> > > > > > > > > So I clicked on the Context option and got this information.
> > > > > > > > >
> > > > > > > > > $config = array(
> > > > > > > > > "persistent" => false,
> > > > > > > > > "host" => "xxxxxxxxxxxxxxxxxxx",
> > > > > > > > > "login" => "dbxxxxx",
> > > > > > > > > "password" => "dbtxxx",
> > > > > > > > > "database" => "dbxxxxx",
> > > > > > > > > "port" => "3306",
> > > > > > > > > "driver" => "mysql",
> > > > > > > > > "prefix" => "",
> > > > > > > > > "encoding" => "UTF8"
> > > > > > > > > )
> > > > > > > > >
> > > > > > > > > To avoid other people doing bad things, I'm not showing the real error information.
> > > > > > > > >
> > > > > > > > > I ran a mysql command based on that information and guess what? I got full access!
> > > > > > > > > Curious about this error, I did a little research and found more than 1000 websites with mysql root access (there are many others, but I'm too tired to check them one by one).
> > > > > > > > >
> > > > > > > > > This is a very dangerous thing, and I'm a big fan of CakePHP. I'm working on a 50K/day visitors website powered by CakePHP and I don't want this thing to happen to me.
> > > > > > > > >
> > > > > > > > > So, please tell me which people at cakephp.org should be contacted about this issue. Opening a ticket would leak real information about the victim website.
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > >
> > > > > > > > > Yoodey

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.

To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/cake-php
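
The two mitigations raised in the thread (masking credentials in the Debugger context, and showing "Context" only to 127.0.0.1), sketched as an added example that is not CakePHP's Debugger code and not part of any message above. The function names and the list of sensitive keys are assumptions, and the sample array is constructed.

```php
<?php
// Added illustration, not CakePHP code. Function names and the key list are hypothetical.
const SENSITIVE_KEYS = ['password', 'passwd', 'login', 'secret', 'token'];

// Recursively mask sensitive keys before any context array is rendered.
function redact_context(array $context, int $depth = 0): array
{
    $clean = [];
    foreach ($context as $key => $value) {
        if (is_string($key) && in_array(strtolower($key), SENSITIVE_KEYS, true)) {
            $clean[$key] = '*****';
        } elseif (is_array($value)) {
            // Bound the recursion so a deeply nested context cannot exhaust the stack.
            $clean[$key] = $depth < 5 ? redact_context($value, $depth + 1) : '[nested array omitted]';
        } elseif (is_object($value)) {
            // Objects may hold credentials in properties; show only the class name.
            $clean[$key] = 'object(' . get_class($value) . ')';
        } else {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Context is rendered only with debug on AND a loopback client address.
function may_show_context(int $debugLevel, string $remoteAddr): bool
{
    return $debugLevel > 0 && in_array($remoteAddr, ['127.0.0.1', '::1'], true);
}

function render_context(array $context, int $debugLevel, string $remoteAddr): string
{
    if (!may_show_context($debugLevel, $remoteAddr)) {
        return '';
    }
    return var_export(redact_context($context), true);
}

// Constructed sample mirroring the shape of the $config array quoted in the thread.
$context = ['config' => [
    'persistent' => false,
    'host' => 'db.example.internal',
    'login' => 'appuser',
    'password' => 'constructed-secret',
    'database' => 'appdb',
    'driver' => 'mysql',
]];

echo render_context($context, 2, '127.0.0.1'), "\n";   // loopback client
var_dump(render_context($context, 2, '203.0.113.7'));    // non-loopback client
```

Redacting the array before it is exported avoids the string filtering of Debugger output that the thread calls non-trivial. Behind a reverse proxy on the same host, the client address seen by PHP is 127.0.0.1 for every visitor, so the address check cannot replace the redaction.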
