I'm in charge of maintaining a learning management system and this is an issue that I've been dealing with on and off over the past few months.

A single student (among thousands) is claiming that his essay submissions are being "eaten" by the website. After form submission he says his essay has been replaced by the following text:

Warning: mysql_connect() [function.mysql-connect]: Lost connection to MySQL server at 'reading initial communication packet', system error: 111 in /home/web/solomon_1.3/classes/db.class.php on line 84

Fatal error: Error connecting to database server: in /home/web/solomon_1.3/classes/db.class.php on line 85

The preceding warning and fatal error are stored in the database as his submission. But how could this be as the error clearly states that a connection could not be made? The essay submission page is about as basic as it gets: A single DB connection is made, the form data is saved to the DB, user is redirected back to the submission page.

Lines 84-86 of db.class.php are:

if (!($sql_id=mysql_connect($server, $user, $pwd,$new))){
    trigger_error("[Error connecting to database server]: {$sql_id}", E_USER_ERROR);
}

Notice how the error reported by the student lacks square brackets around the Fatal Error description string as shown in the PHP source file. Those square brackets were added nearly two months ago after the student's first error report with the suspicion that he was just pasting an error string into the submission box as a way to avoid work. I guess it's the 21st-century version of "the dog ate my homework".

As recently as a week ago the student still reports the original error without brackets. A server-wide grep verified that the error the student keeps "getting" is based on a string that simply doesn't exist.

Now, the most reasonable explanation is that the student is screwing with us. That DB connection error has happened in the past but not within at least the last three months.

There's a chance the student could get expelled over this so I wanted to make absolutely sure that my evidence is solid. Can you think of any alternate theories likely or otherwise?

+5  A: 

Don't you log when errors like this occur?
It does look like he's making it up though...

As Jeff says in Exception-Driven Development

If you're waiting around for users to tell you about problems with your website or application, you're only seeing a tiny fraction of all the problems that are actually occurring. The proverbial tip of the iceberg.

Greg
+4  A: 

In dubio pro reo. If the student can provide his or her materials on time (without using the website), I would avoid throwing around accusations.

Of course, having a good log from the web server with things like size of post parameters, size of SQL parameters and screenshot of the student's screen at the time of the post might change things.

David Schmitt
Having a different message to the one in the code, plus writing to the database after the connection has failed... that's pretty strong evidence.
Greg
That's circumstantial evidence at best, although hir story is rather fishy.
Piskvor
In an application that doesn't properly log its errors, I wouldn't be surprised if the code egon0119 is looking at is not the code that's handling the student's submission. Starting from "wrong server" over "deployed wrong version" to "looked in wrong directory". For me, that's as fishy as the student's story and -- having worked a few years at a student's IT helpdesk -- I'm extra careful every time expulsion comes up. "In dubio pro reo" as I said, and I see much "dubio" here.
David Schmitt
You're entirely right. That thought had occurred to us. This is very serious and we've spent a lot of time and effort making sure it's nothing as simple as the wrong server or the wrong directory. There's only one production web server and I've gone so far as to have the _entire_ server grep-ed, not just the web root. So far this system has processed over 800,000 essay submissions and this student is the only one to have error text stored in the DB. (Records are only appended to, never deleted.)
egon0119
Additionally, we are having the student submit his assignments by email. None of my programmers nor the teaching staff have yet been able to duplicate the error when submitting his work into the web site.
egon0119
+5  A: 

The student could have a setup where the brackets are stripped for some reason, or they could just be sending a c+p of the previous error when they see the new one. Or they could be typing it. Never ever trust a user-reported error message 8).

I suppose the first thing I'd say is that you shouldn't be sending error messages to the user. They should be logged. Turn off display_errors in php.ini, and turn on log_errors. This is both a security issue (I now know about the file structure of your server, and that you're running MySQL) and will allow you to trace when the errors are happening.

You should also have web server access logs, yes? If you know the IP the student is coming from, that should let you know timing for accesses and when to look for errors.

In addition, you might consider having your application do logging, especially as related to what user is logged-in. If before your trigger_error you append the current user and environment into a file, you'll know right away if this user is actually seeing these issues.

Funkatron
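The logging suggested in this answer, together with the POST-size logging suggested in the previous answer, sketched as an added example that is not part of the original thread or the asker's code base. The log paths, the `essay` form field and the `user_id` session key are assumptions.

```php
<?php
// Added example: audit logging for the submission page (hypothetical names and paths).
ini_set('display_errors', '0');   // never render PHP errors into the page
ini_set('log_errors', '1');       // send them to the error log instead
ini_set('error_log', '/var/log/lms/php_errors.log');    // assumed path

const AUDIT_LOG = '/var/log/lms/submission_audit.log';  // assumed path

/** Append one JSON line describing an event, tied to the logged-in user. */
function audit_log(string $event, array $extra = []): void
{
    $record = [
        'time'    => gmdate('c'),
        'event'   => $event,
        'user_id' => $_SESSION['user_id'] ?? null,      // assumed session key
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? null,
        'uri'     => $_SERVER['REQUEST_URI'] ?? null,
    ] + $extra;
    $line = json_encode($record, JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
    file_put_contents(AUDIT_LOG, $line, FILE_APPEND | LOCK_EX);
}

/** Describe what the server actually received, without storing the essay twice. */
function describe_submission(string $essay): array
{
    return [
        'essay_bytes'  => strlen($essay),
        'essay_sha256' => hash('sha256', $essay),
        // True when the posted text itself looks like a PHP error message.
        'looks_like_php_error' => (bool) preg_match(
            '/^\s*(Warning|Fatal error|Notice):\s.+ on line \d+/mi', $essay),
    ];
}

// Record warnings and trigger_error() calls with the user context.
set_error_handler(function (int $errno, string $errstr, string $file, int $line): bool {
    audit_log('php_error', ['errno' => $errno, 'message' => $errstr,
                            'file' => $file, 'line' => $line]);
    return false; // fall through to PHP's standard handler (log_errors)
});

// In the form handler, before the database is touched:
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $essay = $_POST['essay'] ?? '';
    audit_log('submission_received', describe_submission(is_string($essay) ? $essay : ''));
}
```

A `submission_received` record with `looks_like_php_error` set and no `php_error` record for the same request means the error text arrived in the POST body rather than being produced by the server.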
+4  A: 

Having a different message to the one in the code... that's pretty strong evidence.

Not necessarily. If I saw the error the first time, emailed the prof about it, then got a very similar error a second time, I'd probably just copy the initial email and with it the initial error.

I'd do this because it would be a little easier than selecting and copying in the browser, and because as an innocent person, I wouldn't be trying to prove that innocence.

It would surprise me little if there's something in his input that causes MySQL to choke. In my own work, I've found certain queries that can crash the MySQL server (and the MySQL release notes are full of them). Given the right MySQL config, you can easily get a situation where the server crashes, then gets (very quickly) brought back up / failed over, which could account for the error message being stored on the server.

Rather than accuse the guy, let him email his assignment. This will assure the prof that the assignment was turned in when due, and allow the prof to test submitting the assignment through the online learning system.

tpdi
A: 

It looks mostly legit to me.

How else could the student:

  1. know the name of an apparently internal .php file (this looks like a library, not a directly HTTP served file)
  2. know the line numbers of the mysql_connect handling code
Alnitak
It's a real error message that occurred months ago during a DB server migration. Again, the student still claims (as recently as one week ago) to be getting an error message string that no longer exists on the web server.
egon0119
+4  A: 

Have you considered asking him to do a submission in front of you? The submission doesn't have to be the real essay (although that is better) but maybe he's doing something your script isn't expecting. Users are always able to find errors when "there just can't be an error in that code".

EDIT: Have you considered giving him a CD-R/RW and asking him to burn his files onto the disk and you'll submit it for him?

jmucchiello
That's the fun part. I've watched him submit an essay while I watched via VNC. Worked fine without error. His mom claims to have seen him get an error on submission. But he hasn't been able to demonstrate it for anyone on the school's staff.
egon0119
Or just hand in the assignment on good old paper.
Jacco
This being distance learning the teaching staff would rather not have to retype a student's response into the system ;) That said we are accepting this particular student's work by email.
egon0119
+2  A: 

As tpdi pointed out correctly: an innocent person wouldn't be trying to prove that innocence.

And yes, you should log errors to a file, possibly even email the system administrator a copy of serious errors. But all that is not helping you now.

First thoughts:
Although there is no direct evidence that the student is making up a digital dog to eat his homework, I've never seen an error message being inserted into any table instead of the expected contents.

If a real error in the script causes the error message to end up in a new record, the on-screen error would most likely be completely different. So if the student's mother claims to have seen this error, I find that even harder to believe.

The missing angled brackets in the error message:
I've seen many unexpected crashes, even in code that 'could not possibly be wrong' (tm). The fact that the brackets are missing is, as others have pointed out, no evidence in itself.
The error could be copied & pasted from an old e-mail or even be changed by a custom error handler (which you do not seem to have, but just to point out the possibility).

But, if a genuine error in the script causes the error message to end up in a newly inserted database record, this error message is script-generated. The missing angled brackets however, strongly suggest that the error message originated from outside the script.

Then the script lines themselves:

84: if (!($sql_id=mysql_connect($server, $user, $pwd,$new))){
85:     trigger_error("[Error connecting to database server]: {$sql_id}", E_USER_ERROR);
86: }

As far as I can see, if the script fails to set up a valid connection (line 84) it triggers the user error on line 85.
In reverse, if the user error (line 85) is triggered, the script failed to obtain a valid MySQL link identifier.

As far as I know there is no way for a PHP-script to affect any data on the server without a valid MySQL link identifier.

In addition to the missing MySQL link identifier, there is no code in the lines above whatsoever that touches the data. So even if there was a valid connection, these lines would not trigger the insert of a new record.

I find it extremely unlikely, bordering on impossible, that an error in the process of opening a connection to the Database server would ever cause a record to be inserted, let alone a record holding a perfectly readable PHP-styled error message.

My conclusion, based upon the information you posted:
The student has a copy of an error message that was shown in the browser after a real error that has occurred somewhere in the past. He now posts a copy of the error message to the script. The script stores the posted information in the database.

Jacco
A: 

If you were to add a few comment lines to the top of that PHP file, so that the line number of the alleged error changes, does the student get the same error message or a new error message with new line numbers?

If the former, I'd say he may be trying to pull a fast one. If the latter, it sounds like there's something wrong on your end.

Marc Bernier
A: 

Would maintenance be happening at that time? Maybe he's submitting reports late in the morning whereas everyone else is sleeping.

Joe Philllips
how would maintenance make the error show up in the newly inserted DB-record?
Jacco