The default is lax security
Time and time again with products intended for server applications, the default settings are for development rather than production. This just has to be wrong thinking - I'd expect it from Microsoft perhaps.
_Apache_

Why would you want Apache revealing its own and its modules' version numbers to the world? ServerTokens should be Prod by default, not as an option.

_PHP_

```
;;;;;;;;;;;
; WARNING ;
;;;;;;;;;;;
; This is the default settings file for new PHP installations.
; By default, PHP installs itself with a configuration suitable for
; development purposes, and *NOT* for production purposes.
; For several security-oriented considerations that should be taken
; before going online with your site, please consult php.ini-recommended
; and http://php.net/manual/en/security.php.
```

If your application does not catch the exception thrown from the PDO constructor, the default action taken by the zend engine is to terminate the script and display a back trace. This back trace will likely reveal the full database connection details, including the username and password. It is your responsibility to catch this exception, either explicitly (via a catch statement) or implicitly via set_exception_handler().
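
The two options named in that warning, an explicit catch and a `set_exception_handler()` fallback, look like this in practice. This is an added example, not code from the original post or the PHP manual; the DSN, credentials and the `connect_db` helper are made-up placeholders, and the DSN deliberately points at a port where nothing listens so the failure path runs.

```php
<?php
// Added example; DSN, credentials and function names are constructed placeholders.
declare(strict_types=1);

// Production posture: never render errors to the client, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Implicit safety net: any exception nobody caught ends up here instead of
// in the engine's default handler, which would print the back trace.
set_exception_handler(function (Throwable $e): void {
    // Log class and location only; the message and trace of a PDOException
    // can carry connection details.
    error_log(sprintf('Uncaught %s at %s:%d', get_class($e), $e->getFile(), $e->getLine()));
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        http_response_code(500);
    }
    echo "Internal server error\n";
});

function connect_db(string $dsn, string $user, string $password): PDO
{
    try {
        return new PDO($dsn, $user, $password, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_TIMEOUT => 2,
        ]);
    } catch (PDOException $e) {
        // Explicit catch: record the driver error code, then throw a generic
        // exception with no previous exception attached, so the original
        // message and trace are not carried along.
        error_log('Database connection failed, code ' . $e->getCode());
        throw new RuntimeException('Database unavailable');
    }
}

// Constructed failing connection: nothing listens on port 1.
try {
    $db = connect_db('mysql:host=127.0.0.1;port=1;dbname=app', 'app_user', 'example-password');
    echo "connected\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n"; // generic text only, no connection details
}
```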