8

I'm getting mixed signals. The warning in the PDO documentation seems pretty clear that omitting the try-catch could compromise security. However, this thread suggests that it's not really necessary. In my opinion, it would be pretty annoying to wrap every query in a try-catch. Any advice on how to handle this?

Community
  • 1
  • 1
David Jones
  • 10,117
  • 28
  • 91
  • 139

3 Answers3

10

There is a security risk, but you don't need to add try/catch everywhere. The risk is that if you don't catch an exception then the error message from the exception (which could contain sensitive information) might be shown to users.

But as the documentation states, you can instead add an exception handler. By redirecting to a generic error message, you can avoid showing sensitive information from error messages to your users.

Setting a generic error handler would seem like a very sensible thing to do in any case. You don't want to be showing your users cryptic error messages. Even if you do go with the "try/catch everything" approach, it's difficult to be 100% sure that you've caught every possible exception that could occur, so the exception handler should still be used as a fallback.

Mark Byers
  • 811,555
  • 193
  • 1,581
  • 1,452
  • Thanks everyone for your answers! It was hard to choose just one, but Mark was first and his advice was sound. – David Jones Jun 30 '12 at 05:56
  • One more question for you. Would I use the set_exception_handler method on every page or just once per session? – David Jones Jun 30 '12 at 05:58
  • @danielfaraday: once per session. – Lior Cohen Jun 30 '12 at 19:21
  • @LiorCohen afaik you do have to call set_exception_handler with every request, that setting can't possibly persist between requests. – Mahn Sep 04 '12 at 18:54
  • @Mahn: that's what I meant... Obviously program volatile state would not persist between requests. My assumption is that people looking into PDO and exceptions already know PHP ;-) – Lior Cohen Sep 04 '12 at 21:10
  • @LiorCohen k, I just mentioned it because David question did read to me something like "Should I use it with every request or just once every new (PHP) session?" when I saw it, but I guess it's possible he meant whether to use it with every include/require or just once in the whole app. – Mahn Sep 04 '12 at 21:35
3

PDO has three configurable error modes. The default is just to set an error code, not throw an exception.

However, you should use PDO::ERRMODE_EXCEPTION. The way PHP and PDO normally handle errors (i.e., to silently press on with the code and do the wrong thing without telling you) is absolutely crazy and a big reason for PHP's horribleness.

If something goes wrong with your query, the right thing to do is stop execution and throw an exception so you have a clear traceback and can find and fix the problem.

Plus, it's much easier (i.e., less "annoying") to use try-catch than it is to check errorCode and errorInfo after every single query. You should only use try-catch if you expect the possibility of the error and can do something about it--otherwise you should just let the exception bubble up. If it is an unexpected error, it's probably from a bug in your code and you should know about it via the exception so you can fix it!

If you want to do something special with reporting the exception (e.g. pretty-print it, send you an email, whatever), then register a default exception handler to take care of any uncaught exceptions. On a production system you should register a default exception handler that displays a generic 500 page and is light on error details, and log the full traceback somewhere else for debugging.

Francis Avila
  • 31,233
  • 6
  • 58
  • 96
1

If an error can occur, then it eventually will. You need to handle any potential error your PDO queries can generate regardless of the environment you're running on. Making the assumption (as the guys in the thread you've posted did) that since this is a production system, try..catch is not necessary is foolish, IMHO. Errors are not only thrown while you're debugging code, but can also take place on a production system. Personally, I like having context around the errors I see in my logs, so I do actually use try..catch around my queries.

This also has nothing to do with the errors you end up presenting to your users. I find that using the word security makes things vague in this context. Your system should never show cryptic error messages (that could potentially include sensitive data) to users, regardless of how you handle errors (this isn't PDO specific).

There are several ways to handle this:

  1. Create a function to do your PDO queries for you by passing a prepared statement that has everything already bound to it.
  2. Create a global exception handler and catch any exceptions there (I don't like this approach since you end up losing context... what error do I show the user if this got caught in some global handler? How do you backtrack from such an error if it was caught in some global context?).
  3. Initialize PDO not to throw exceptions and do manual error checking, if that's your poison. Personally, I find that exceptions mesh better with an OOP based system, but to each his own.

My 2c.

Lior Cohen
  • 8,985
  • 2
  • 29
  • 27