SQL errors in Interchange
September 7, 2011
Interchange has a little feature whereby errors in a [query] tag are reported back to the session just like form validation errors. That is, given the intentional syntax error here:
[query ... sql="select 1 from foo where 1="]
Interchange will paste the error from your database in
That’s great, but it comes with a price: now you have a potential for a page with SQL in it, which site security services like McAfee will flag as "SQL injection failures". Sometimes you just don’t want your SQL failures plastered all over for the world to see.
DatabaseDefault LOG_SESSION_ERROR 0
in your Interchange configuration file, possibly constrained so it only affects production (because you’d love to see your SQL errors when you are testing, right?).