hide database password in zend framework 2

Question

I have a zend project which makes use of doctrine2.

My problem is that I can't disable errors with sensitive data. (i.e. when database connection fails an error is shown including the password).

What I have tried so far is changing the index.php file in the public folder as follows:

<?php
//Disable all error reporting
error_reporting(0); //Somehow this doesn't work
ini_set('display_errors', false); //Somehow this doesn't work
/**
 * This makes our life easier when dealing with paths. Everything is relative
 * to the application root now.
 */
chdir(dirname(__DIR__));

// Decline static file requests back to the PHP built-in webserver
if (php_sapi_name() === 'cli-server' && is_file(__DIR__ . parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH))) {
    return false;
}

// Setup autoloading
require 'init_autoloader.php';

// Run the application!
try{
Zend\Mvc\Application::init(require 'config/application.config.php')->run();
}
catch(Exception $ex){
    echo 'server error!';//This code is never reached although a PDOException is thrown!
}

What do I need to do to disable these kind of errors and hide sensitive data?

Answer 1

Check this out -> http://www.php.net/manual/en/pdo.connections.php Particularly the Warning Notice.

Using a Try / Catch in the index file isn't going to work for you. You'll need to put that into your Service Layer or where-ever else you are doing your DB Queries at (you didn't supply this code example).

You can also in your module.config.php file set:

'display_exceptions' => false

Also pay attention to the Exception handler you are using as different one could return different information.

Answer 2

EDIT: Didn't catch that this was ZEND 2. See my last comment below.

I am guessing the error level reporting is set with this line

Zend\Mvc\Application::init(require 'config/application.config.php')->run();

which is after you turn it off, so it is simply getting switched back on again.

Try this in application.ini

phpSettings.display_startup_errors = 0
phpSettings.display_errors = 0
resources.frontController.throwExceptions = 0
resources.frontController.params.displayExceptions = 0

Answer 3

Seems I had to change the view_manager configuration in my_project_folder/module/Application/config/module.config.php, by setting display_exceptions to false:

'view_manager' => array(
        'display_not_found_reason' => true,
        'display_exceptions'       => false, //This line did the trick!
        'doctype'                  => 'HTML5',
        'not_found_template'       => 'error/404',
        'exception_template'       => 'error/index',
        'template_map' => array(
            'layout/layout'           => __DIR__ . '/../view/layout/layout.phtml',
            'application/index/index' => __DIR__ . '/../view/application/index/index.phtml',
            'error/404'               => __DIR__ . '/../view/error/404.phtml',
            'error/index'             => __DIR__ . '/../view/error/index.phtml',
        ),
        'template_path_stack' => array(
            __DIR__ . '/../view',
        ),
    ),