Error message when MySQL database and Apache servers are down reveals sensitive information

Hi, today I had a problem that left me concerned.
I use MySQL access in my App through an .php file that handles SQL requests.
My Kodular app sends a Key + SQL command + the URL for the .php page.
When there is an error the following arrangement hides the sensitive information:

But today I coincided using the App at a moment that the MySQL provider had not only the MySQL server down but the Apache server where my .php file is hosted.
Even my web page hosted by this provider was momentarily down.

Then my App displayed an error message but this time, somehow, it was not handled by the construct above and the entire string including my sensitive data was displayed.
The message shown did not have the OK the Notifier above shows along with the error message.

Before I had time to react and do something like recording the screen to include on this post the hosting service recovered and was up again.

During this outage I tried to access my app some 3 times and had the full text error on my screen, full including my key and the whole URL.

I am kind of very concerned because in the possession of my Key and full URL the whole SQL data is dangerously exposed to vandalism.

Hi, I was able to reproduce the problem by changing to an invalid URL.
Please, see the problem below (sensitive data removed).

Is there anything I can do to try to circumvent this vulnerability?
Thanks
Paulo

Try this if it works

blocks (1)

2 Likes

Hi George, thanks for taking the time to answer my question.
Yes, it disrupts the original full text error and delivers a more user friendly error message with no sensitive information.
Here is the result including your sugestion:

Thanks again.
Paulo

which tutorial did you use?

if you had used the original MySQL tutorial App Inventor Tutorials and Examples: MySQL | Pura Vida Apps the sensitive information (i.e. the sqlkey) information would have been hidden in this case, see the Screen.ErrorOccurred event there
Unbenannt
and of course you could have adjusted this to your needs…

Taifun

Hi, thanks for taking the time to assist in this matter.
I have used the replace text function but somehow the error in question bypasses it.
George’s suggestion solved the problem as it intercepted the error and did not show the SQL request string in use at the time.

Thanks again
Paulo

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.