Last modified: 2008-06-29 00:07:56 UTC
Created attachment 5033 [details] Proposed patch Revealing SQL query in cases of error poses security threat.
Couple of quick comments: First, the API code is also ignoring $wgShowExceptionDetails here (also set to false by default). The backtrace includes chunks of parameter strings and other info which can reveal part or all of the query, so I'd recommend making sure it checks both of these settings and follows them. Second, a minor quibble -- is_a() is deprecated in PHP 5; use the instanceof operator instead in new code. Otherwise looks good -- let's get the other setting patched in there and it's good to go!
Created attachment 5034 [details] $wgShowExceptionDetails too
Modified patch applied in r36775.