How to Prevent Displaying SQL Error Message in Pods CMS
I have been running Pods CMS version 1.7.3 on this blog. So far so good, until I found a SQL error that occurs when the pg parameter in the URL is assigned an invalid value. For example, the proper value should be 1, 2, and so on, but you assign a non-numerical value to this parameter, such as aa. The error message that shows up contains the MySQL query, including the table name. In my humble opinion, this error message should not be displayed on the client's browser page for security reasons. So, I modified the functions.php file of Pods CMS to prevent this SQL error message from being displayed.
- Open your \pods\core\functions.php file, and find this code:
```php
function pod_query($sql, $error = 'SQL failed', $results_error = null, $no_results_error = null)
{
    global $table_prefix;

    $sql = str_replace('@wp_', $table_prefix, $sql);
    $result = mysql_query($sql) or die("Error: $error; SQL: $sql; Response: " . mysql_error());

    if (0 < @mysql_num_rows($result))
    {
        if (!empty($results_error))
        {
            die("Error: $results_error");
        }
    }
    else
    {
        if (!empty($no_results_error))
        {
            die("Error: $no_results_error");
        }
    }

    if ('INSERT' == substr(trim($sql), 0, 6))
    {
        $result = mysql_insert_id();
    }
    return $result;
}
```
then replace it with the following code:
```php
function pod_query($sql, $error = 'SQL failed', $results_error = null, $no_results_error = null, $show_error = false)
{
    global $table_prefix;

    $sql = str_replace('@wp_', $table_prefix, $sql);

    // Check whether the SQL error message will be displayed or not, added by Masino Sinaga, Sept 25, 2009
    if ($show_error == true)
    {
        // Development: show the full query and the MySQL response
        $result = mysql_query($sql) or die("Error: $error; SQL: $sql; Response: " . mysql_error());
    }
    else
    {
        // Production: show a generic message without the query or table name
        $result = mysql_query($sql) or die("Error: $error; Invalid URL or parameter!");
    }

    if (0 < @mysql_num_rows($result))
    {
        if (!empty($results_error))
        {
            die("Error: $results_error");
        }
    }
    else
    {
        if (!empty($no_results_error))
        {
            die("Error: $no_results_error");
        }
    }

    if ('INSERT' == substr(trim($sql), 0, 6))
    {
        $result = mysql_insert_id();
    }
    return $result;
}
```
then save the file.
- If you want to display this error message (typically useful when you are in development mode), pass true as the fifth parameter ($show_error). Afterwards, do not forget to remove the fifth parameter or set it to false when your website is in live or production mode.
Demo:
- The right parameter value case: http://www.openscriptsolution.com/data/bank-in-indonesia/?type=bank&pg=1
- The wrong parameter value case (note that the parameter value is not numerical data): http://www.openscriptsolution.com/data/bank-in-indonesia/?type=bank&pg=aa
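
The change above hides the query text, but the failing query still runs whenever pg is not a number. As an added example (not part of the original post and not Pods code), the sketch below validates pg as a positive integer before it is used and sends the full SQL detail to the server log instead of the browser. The function names sanitize_page_param and query_failure_message, the upper bound, and the sample query text are assumptions made for illustration.

```php
<?php
// Added example, not Pods code. Function names are hypothetical.

/**
 * Return the page number from a raw query-string value, or $default when the
 * value is missing or not a positive integer (e.g. "aa", "-3", "1' OR '1'='1").
 */
function sanitize_page_param($raw, $default = 1, $max = 100000)
{
    $page = filter_var($raw, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 1, 'max_range' => $max),
    ));
    return ($page === false || $page === null) ? $default : $page;
}

/**
 * Build the message for a failed query: the full detail goes to the server
 * log, the browser only receives a generic text plus a reference id that an
 * administrator can look up in the log.
 */
function query_failure_message($error, $sql, $db_response, $show_error = false)
{
    $ref = substr(md5(uniqid('', true)), 0, 8); // correlation id, not a secret
    error_log("[pod_query $ref] $error; SQL: $sql; Response: $db_response");
    if ($show_error) {
        return "Error: $error; SQL: $sql; Response: $db_response";
    }
    return "Error: $error; Invalid URL or parameter! (ref $ref)";
}

// Constructed sample inputs for the pg parameter.
foreach (array('1', '2', 'aa', '-3', "1' OR '1'='1", null) as $raw) {
    printf("%-16s => %d\n", var_export($raw, true), sanitize_page_param($raw));
}

// Constructed failure: the visitor sees the generic text, the log gets the rest.
echo query_failure_message(
    'SQL failed',
    'SELECT * FROM wp_pod LIMIT aa,10',     // constructed query text
    'You have an error in your SQL syntax'  // constructed MySQL response
), "\n";
```

In a template, the validated value would replace the raw `$_GET['pg']` before any query is built, so invalid input falls back to page 1 instead of reaching MySQL.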