Quoted from the above official PHP docs: "If your application does not catch the exception thrown from the PDO constructor, the default action taken by the zend engine is to terminate the script and display a back trace. This back trace will likely reveal the full database connection details, including the username and password. [...]"
This is mitigated somewhat by most sane deployments using firewalls or similar mechanisms to prevent access to MySQL from non-trusted hosts. If any box on the Internet can already talk to MySQL, you're... not in an excellent security posture.
3 comments
[ 4.1 ms ] story [ 15.4 ms ] thread