Handling database errors

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Handling database errors

Post by social_experiment »

I've created a database connection class that is extended by a search class. The database class throws an exception when any database connection and selection errors occur.

The working of the search class is dependent on the availability of the database, so I thought about modifying the database connection class not to display an error message when it fails but to create an error array, containing any errors returned from database connection / select issues. Based on the presence of this array the search class will then display (or not display) the search form. Should the form be absent there will be an error message displayed to notify users that the search option is unavailable. To notify me about the error I have an error reporting option (via email) in place.

My thinking behind this is that I don't want visitors to know specifics (such as an unavailable database) about why the search option isn't working; they should only know that it isn't available. By not displaying the search form I am also limiting errors resulting from functions such as mysqli_real_escape_string() or mysqli_query(); I do use the error control operator but I would rather prevent the error from happening than letting it die quietly.

Is this approach valid or should I rethink it?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Handling database errors

Post by Christopher »

It sounds like a valid approach. We recently had a conversation about this for the Skeleton Framework and decided to use error numbers (while still providing access to error strings). The idea was to disconnect the errors that occurred from how you present the response to the user. Error numbers would also help with i18n.
(#10850)
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Handling database errors

Post by Mordred »

You should *never* display raw error messages as coming from the database, could be a security risk. There is a class of attacks that rely on reflected error messages to leech data after SQL injection. Also it is of zero usefulness to the end user. Your approach with hiding the form seems nice, although a bit "too much work" for my taste. If you can't connect to the database, probably a large portion of your site wouldn't work anyway. Better show an all-in-one error splash and email the admin.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Handling database errors

Post by social_experiment »

Mordred wrote: You should *never* display raw error messages as coming from the database, could be a security risk.
My thoughts exactly;
kon
Forum Newbie
Posts: 19
Joined: Sat Mar 03, 2012 5:43 am

Re: Handling database errors

Post by kon »

I use the same approach that Mordred suggested. If something has gone wrong with the database connection, a “friendly” error splash appears and a special log is written on the server to let me know all about that exception (of course not in public_html). Recently I added a service sending me an SMS for those kinds of exceptions.
whiterainbow
Forum Newbie
Posts: 11
Joined: Fri Mar 18, 2011 9:13 am

Re: Handling database errors

Post by whiterainbow »

Agreed, I'd always opt for a generic connectivity message that hides all connection information, and specific error messages within the application itself. Raw error messages are one of the worst things a developer can do to a user!
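
As an added example (not code from any poster in this thread), here is one way to combine the ideas discussed above in PHP: the connection class records an error number instead of echoing the driver message, writes the details to the server log, and the search code shows either the form or a generic notice. The names SafeDb, DB_ERR_UNAVAILABLE and renderSearch, and the connection values, are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical error numbers: the application maps these to user-facing text,
// so the database's own message never reaches the page.
const DB_OK = 0;
const DB_ERR_UNAVAILABLE = 1001;

final class SafeDb
{
    private ?mysqli $link = null;
    private int $errorCode = DB_OK;

    public function __construct(string $host, string $user, string $pass, string $name, int $port = 3306)
    {
        // Make mysqli throw mysqli_sql_exception instead of emitting warnings.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        try {
            $this->link = new mysqli($host, $user, $pass, $name, $port);
        } catch (mysqli_sql_exception $e) {
            $this->errorCode = DB_ERR_UNAVAILABLE;
            // Details go to the server's error log only (keep it outside the web root).
            error_log(sprintf('[db] code=%d errno=%d %s', $this->errorCode, $e->getCode(), $e->getMessage()));
        }
    }

    public function errorCode(): int { return $this->errorCode; }
    public function isAvailable(): bool { return $this->link !== null; }
}

function renderSearch(SafeDb $db): string
{
    if (!$db->isAvailable()) {
        // Generic text only: no host name, driver message or SQL.
        return '<p>Search is currently unavailable. Please try again later.</p>';
    }
    return '<form method="get" action="/search"><input name="q"><button>Search</button></form>';
}

// Constructed input: nothing listens on port 1, so the connection fails offline.
$db = new SafeDb('127.0.0.1', 'app_user', 'placeholder', 'app_db', 1);
echo renderSearch($db), PHP_EOL;
```

An email or SMS alert to the administrator, as described in the posts above, would hook in next to the error_log() call.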