Shorter error handling PDO

Discussion in 'PHP' started by Tony Brar, Dec 20, 2012.

  1. #1
    Hi guys, I wanted to ask, is something like the following really necessary? (I turned off autocommit)

    PHP:
    try {
        $tokendel = $dbh->exec("DELETE FROM tokens WHERE token='$_GET[token]'");
    }
    catch (PDOException $e) {
        die('Error:' . $e->getMessage());
    }
    $dbh->commit();

    It seems like there should be a quicker way to handle errors.
    Is there?
    Thanks,
    -Tony
     
    Tony Brar, Dec 20, 2012
  2. Rukbat

    #2
    That's pretty 'quick', and it's pretty standard (except for not sanitizing your GET variable).
     
    Rukbat, Dec 20, 2012
  3. ThePHPMaster

    #3
    Hey Tony,

    Like Rukbat said, you might want to take a look into sanitizing your inputs before sending them to MySQL. Depending on your server/MySQL settings, a person can take control of your entire server if you give them the above opening (things like reading your system files, deleting all your data/database, getting admin access).

    It is an easy thing to do:

    http://php.net/manual/en/pdo.quote.php

    
    PHP:
    $_GET['token'] = $dbh->quote($_GET['token']);

    Another security issue here is the try/catch is echoing the error. You should log the error somewhere in a file and show the user a friendlier message. Something like: We are conducting some upgrades, please check again later. You can also email yourself the error so you can fix it ASAP.

    Finally, I love the usage of try/catch and I always recommend using it whenever necessary. However, for your case it is counterproductive if you will be using the quote() method on the param. Your query will always execute no matter what the input is. The only time (well, not the only, but 95% of the time) it'll throw an exception is if your db handler is not valid, in which case it will be caught by the PDO constructor (which I assume you also have a try/catch on).
     
    ThePHPMaster, Dec 20, 2012
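
The points raised in posts #2 and #3 (untrusted `$_GET` data in the query, error text echoed to the visitor), worked through as an added example that is not code from any poster in this thread. It uses a prepared statement with a bound parameter, which is a different technique from the quote() call shown above, and assumes the pdo_sqlite extension; the in-memory table, the sample tokens and the `deleteToken` name are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the table layout and sample tokens are constructed for the demo.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw on SQL errors
$dbh->exec('CREATE TABLE tokens (token TEXT PRIMARY KEY)');
$dbh->exec("INSERT INTO tokens VALUES ('abc123'), ('def456')");

/**
 * Delete one token. Returns the number of rows removed, or null on failure.
 */
function deleteToken(PDO $dbh, string $token): ?int
{
    try {
        $dbh->beginTransaction();
        // The placeholder keeps the value out of the SQL text entirely.
        $stmt = $dbh->prepare('DELETE FROM tokens WHERE token = :token');
        $stmt->execute([':token' => $token]);
        $dbh->commit();
        return $stmt->rowCount();
    } catch (PDOException $e) {
        if ($dbh->inTransaction()) {
            $dbh->rollBack();
        }
        // Detail goes to the server log; the visitor never sees it.
        error_log('Token delete failed: ' . $e->getMessage());
        return null;
    }
}

// Constructed inputs: a valid token, then a value containing quote characters.
foreach (['abc123', "x' OR '1'='1"] as $input) {
    $deleted = deleteToken($dbh, $input);
    if ($deleted === null) {
        echo "We are conducting some upgrades, please check again later.\n";
    } else {
        echo "Deleted $deleted row(s)\n";
    }
}
// The bound value is compared as a literal string, never parsed as SQL.
echo 'Rows left: ' . $dbh->query('SELECT COUNT(*) FROM tokens')->fetchColumn() . "\n";
```
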
  4. Tony Brar

    #4
    All good ideas.
    I know about SQL Injection, working on it, my site's not live yet.
    Very useful post, I added to your reputation.
    Thanks!


    -Tony
     
    Tony Brar, Dec 22, 2012
  5. #5
    You could also set up your own exception handler.
    http://php.net/manual/en/function.set-exception-handler.php

    Since PDOException descends from RuntimeException and Exception. Just beware it will catch ANY errors, so plan the exception handling function accordingly. That can often be better as then you can style the result to look more consistent with the system and provide proper information -- or HIDE the information and log it to a file or database instead.

    That way you don't have to set up all the try/catch every time you do something, you have a nice unified handler instead.
     
    deathshadow, Dec 22, 2012
  6. Tony Brar

    #6
    I will DEFINITELY use set_exception_handler.
    Saves a lot of typing.
    I will also use the error_log function to email me upon error.

    Thanks,
    -Tony
     
    Tony Brar, Dec 23, 2012
  7. deathshadow

    #7
    ***NOTE*** when I said ANY errors, that includes all PHP errors, not just PDO. Just thought I should clarify that.
     
    deathshadow, Dec 23, 2012
  8. Tony Brar

    #8
    Got it.
    One more question:
    If I use set_exception_handler, do I even have to use a try block around my code?

    Thanks,
    -Tony
     
    Tony Brar, Dec 24, 2012
  9. deathshadow

    #9
    Not sure what you mean by "block". Oh wait, you mean try/catch? The answer is no, you use it instead.

    But again, remember ALL php errors will route to your exception handler... so you have NO indication of failure in the code. This is why it's often best to have your exception handler "die", halting execution.
     
    Last edited: Dec 24, 2012
    deathshadow, Dec 24, 2012
  10. Tony Brar

    #10
    Okay, I understand now. Thanks!

    -Tony
     
    Tony Brar, Dec 24, 2012
  11. Tony Brar

    #11
    If I use set_exception_handler, can I set a manual catch and override it?
    Example:
    
    PHP:
    function myfunction($exception)
    {
        // default exception handling code here
    }
    set_exception_handler('myfunction');
    try {
        // try something that ends up throwing an exception here
    }
    catch (Exception $e) {
        // catch the exception with special code for this occasion
    }

    Which would execute, myfunction or the catch statement?

    Thanks,
    -Tony
     
    Tony Brar, Dec 25, 2012
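
The pattern asked about in post #11, as an added example that is not code from any poster in this thread: a handler registered with set_exception_handler() runs only for exceptions that no catch block handled, so a local try/catch takes precedence over it. The names `lastResortHandler` and `failingQuery` and the messages are hypothetical; `RuntimeException` stands in for a `PDOException`, which descends from it.

```php
<?php
// Added example, not code from the thread; function names and messages are hypothetical.

// Last-resort handler: runs only for exceptions that no catch block handled.
function lastResortHandler(Throwable $e): void
{
    // Full detail to the server log, generic text to the visitor.
    error_log(get_class($e) . ': ' . $e->getMessage()
        . ' at ' . $e->getFile() . ':' . $e->getLine());
    echo "We are conducting some upgrades, please check again later.\n";
    exit(1); // PHP stops after this handler anyway; exit sets the status explicitly
}
set_exception_handler('lastResortHandler');

// Stand-in for a failing PDO call (constructed for the demo).
function failingQuery(string $label): void
{
    throw new RuntimeException("simulated database failure in $label");
}

// 1. A local catch wins: the global handler is not called and the script continues.
try {
    failingQuery('step 1');
} catch (RuntimeException $e) {
    echo "Handled locally: special-case recovery for step 1\n";
}

// 2. No catch here, so the exception reaches lastResortHandler() and the script ends.
failingQuery('step 2');

echo "never reached\n";
```
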