Framework: PDOExceptions shows db password in Exception

Created on 28 Jul 2016 · 15 comments · Source: laravel/framework

Most helpful comment

Found an interesting topic about it: Should passwords be revealed in error message?
Clearly, people agree that PHP shouldn't display this password.

Just as an example, even in "debug false" mode, the password ends up in the logs...

All 15 comments

It looks like you haven't turned on MySQL service.

It's not about getting the error, the error itself is fixed but it's about the exception showing my db password, that shouldn't be done right?

Thanks, but there's no bug here. Make sure you turn debug mode off in production.

@GrahamCampbell Indeed debug has to be false in production. But besides that, a password may never be printed on the screen. It's a security issue.

It doesn't pose a security issue, and it's nothing really to do with Laravel since PHP itself provides this exception and its message.

@GrahamCampbell, In my opinion this still is a security issue, can you explain to me why it's not?

I don't mean to be stubborn, but could you explain why it is?

A password should never be printed behind the back of a developer? What if some new ass kid forgets to set debug to false? Then everything is just there for everyone who hits that error?

Maybe it's not really an issue but it's definitely one to think/discuss about, because in my opinion it should just never be printed. And I know that's just my opinion but I thought it was worth opening an issue for this.

Forgetting to set debug to false is the security issue here.

Yeah, but besides that, why is it necessary to print that password on the screen? It doesn't provide anything more to the error?

I think it's reasonable to expect that a web framework doesn't expose credentials to users, developers or logging systems by default. I'm quite surprised this was closed without taking further action.

I think PRs are welcome?

FWIW, https://github.com/getsentry/sentry-laravel does that before sending data (or to be more correct: its underlying Raven client library).

I was shocked as well when I saw all my .env data was printed online on screen? wtf?

I think this is the reason why our server(dev) was hacked.
They see the error on exception where the username and password was shown.
And we are using phpmyadmin, so they used it to enter the database server.
Beware.
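One defensive shape for what the thread asks for, written here as an added example rather than code from Laravel or from any commenter: the password is scrubbed from the PDO exception message before anything is logged or shown, and the argument-bearing stack trace (where the value handed to `PDO::__construct` normally surfaces) is never included. The DSN and credentials are constructed placeholders; `redactSecrets`, `safeExceptionSummary` and `connectSafely` are names chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's own code: keep DB credentials out of what gets
// logged (debug=false) or rendered on the error page (debug=true).

/** Replace every occurrence of each secret in $text with a fixed marker. */
function redactSecrets(string $text, array $secrets): string
{
    foreach ($secrets as $secret) {
        if ($secret === '') {
            continue; // an empty secret would match nothing useful
        }
        $text = str_replace($secret, '[REDACTED]', $text);
    }
    return $text;
}

/** Build the one line that is safe to hand to a logger or an error page. */
function safeExceptionSummary(Throwable $e, array $secrets): string
{
    // getTraceAsString() is deliberately omitted: the trace lists the arguments
    // passed to PDO::__construct, which is where the password usually shows up.
    return sprintf(
        '%s: %s at %s:%d',
        get_class($e),
        redactSecrets($e->getMessage(), $secrets),
        $e->getFile(),
        $e->getLine()
    );
}

/** Open a PDO connection; on failure rethrow without the credentials attached. */
function connectSafely(string $dsn, string $user, string $password): PDO
{
    try {
        return new PDO($dsn, $user, $password);
    } catch (PDOException $e) {
        // Throw a fresh exception and do NOT chain $e as "previous": the original
        // object still carries the trace with the password in its argument list.
        // Independently, zend.exception_ignore_args=1 (PHP >= 7.4, the
        // php.ini-production default) makes PHP drop arguments from traces.
        throw new RuntimeException(safeExceptionSummary($e, [$password]));
    }
}

// Constructed demonstration: an unreachable port so the connect fails fast.
try {
    connectSafely('mysql:host=127.0.0.1;port=1;dbname=app', 'app', 'example-secret');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // never contains 'example-secret'
}
```

Wired into a Laravel app, the same scrubbing belongs in the exception handler's `report()` path so that the log channel, not only the screen, receives the redacted summary.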
