Concerns about exception string revealing internals/data about dat


Guest

Hello,

We have a global error handler in a Windows Service application (.NET 2.0).
The global handler sends out the error message to a few select individuals
via e-mail (technical support). I am wondering if there is a possibility that
an error message (i.e. ex.GetBaseException.ToString) could display any
program data or database field names, etc. The application reads data from a
database and if a crash occurs, I want to know, if I send the exception text,
whether the error text could display any data in my program OR any database
field names. For example, could it say something like "invalid field name X"
or "error parsing string Y", where X is the name of a field in the database
and Y is the contents of a string? For example, it would be a bad thing if it
sent an error like ("Error parsing field "Social Security Number" with a
field value of 111-11-1111"). We are using GetBaseException.ToString, and I
was thinking that GetBaseException.ToString or Exception.ToString would give
a generic error like "Field not found" or "Error parsing string" while not
revealing the field name or data contents. The application involves
medical/personal data for patients and we cannot reveal any data in the
e-mail that is sent to support personnel. However the support personnel are
NOT supposed to see private medical information. We are currently sending the
exception.tostring in the e-mail, but I am concerned it might reveal data.

Can it reveal database data values or field names as I mentioned?

We are using ALL Microsoft ADO.NET data providers and are using SQL Server
that are built into VS 2005. I posted this question to the CLR newsgroup;
but they referred me to this group since they said VS 2005 won't do this, but
they didn't know for sure about the ADO.NET components in VS 2005.
 
I never saw a message mentioning data.

You can, however, have messages revealing the field name and/or table. For
example, if you forgot to provide a value for a NOT NULL field, the error
message (that comes from SQL) reveals both the table name and the
field name.
 
Thank you for the answer. Is it possible for data values from the database
to be in the error message? I got to thinking: since the error is only seen
by our company's personnel, the only problem is if data from a field(s) was
in the error. Is that possible?

Also, I neglected to include an example error. Here it is:

Wednesday, August 23, 2006 13:05:49.550
System.Threading.ThreadStartException: Thread failed to start. --->
System.Threading.ThreadAbortException: Thread was being aborted.
--- End of inner exception stack trace ---
at System.Threading.Thread.StartInternal(IPrincipal principal,
StackCrawlMark& stackMark)
at System.Threading.Thread.Start()
at x.y.Sessions.NewPluginsAvailable() in C:\tmp\Sessions.cs:line 387
 
Hi,

I suggest you write a method which processes the exception message that is
going to be sent to the support engineer. This method filters out all the
private content and removes it from the original message. The database
itself cannot do this.

HTH.

Kevin Yu
Microsoft Online Community Support

(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Hello Kevin,

In this application, I am not concerned about field names being displayed in
the exception message; but I am concerned about database values being
included in the message. Thus, I do not need to write a special exception
message handler if we know for sure that Microsoft's SQL data provider will
not return database field values as part of an exception message. If you can
answer that question, it would save a lot of time.

Thank you.
 
I don't recall ever seeing a message with actual data in it. I don't know if
anyone can guarantee 100% that none of the messages do. The types of
messages you are most likely to encounter don't.

To get a list of all possible messages, run this query: select * from
master.dbo.sysmessages.

You will see there are placeholders for values, to be replaced at run time
with the actual table or field in question, and so on. I suppose you can go
through all these and make sure that none of them look like they would ever
contain actual data.
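
An added example (not code from any poster in this thread) of the filtering method suggested above: instead of mailing ex.ToString(), it mails only exception type names, stack frames and, for SqlException, the error numbers that support staff can look up in master.dbo.sysmessages, so no Message text with run-time substituted values leaves the service. The class name SafeExceptionReport and the sample message in Main are made up for illustration.

```csharp
using System;
using System.Data.SqlClient;
using System.Text;

// Added example: builds a support e-mail body that carries no Message text.
public static class SafeExceptionReport
{
    public static string Build(Exception ex)
    {
        StringBuilder sb = new StringBuilder();
        // Walk the whole chain, outermost exception first.
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            // Type names and stack frames describe code, not row contents.
            sb.AppendLine(e.GetType().FullName);
            SqlException sql = e as SqlException;
            if (sql != null)
            {
                // Numbers identify the message template; the filled-in
                // placeholder values stay behind in err.Message.
                foreach (SqlError err in sql.Errors)
                    sb.AppendLine(String.Format(
                        "  SQL error {0}, class {1}, state {2}, line {3}",
                        err.Number, err.Class, err.State, err.LineNumber));
            }
            if (e.StackTrace != null) sb.AppendLine(e.StackTrace);
            if (e.InnerException != null) sb.AppendLine("caused by:");
        }
        return sb.ToString();
    }

    public static void Main()
    {
        try
        {
            // Constructed messages standing in for one that quotes a field value.
            try { throw new FormatException("Error parsing value 000-00-0000"); }
            catch (Exception inner) { throw new InvalidOperationException("load failed", inner); }
        }
        catch (Exception ex)
        {
            string report = SafeExceptionReport.Build(ex);
            Console.WriteLine(report);
            Console.WriteLine("value leaked: " + report.Contains("000-00-0000"));
        }
    }
}
```

The full ex.ToString() can still be written to a local log with restricted access, so the detail is available to staff who are cleared to see it.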
 
Hi KTJ,

Sorry for the misunderstanding. As far as I can see, error messages that
are returned from the database in our daily insert/modify/delete operations
will not reveal the database values.

As Marina mentioned, you will find a list of error messages in the
sysmessages system table.

If there is anything I can do to help, please feel free to let me know.

Kevin Yu
Microsoft Online Community Support
 