  1. #1
    SitePoint Addict
    Join Date
    Jan 2008
    Location
    Palm Harbor, FL
    Posts
    348

    PHP Security: Hiding details of PHP errors

    When an error occurs in a PHP script, the details of the error are displayed in an output message. (e.g. absolute path to script, line number, etc.)

    I know it is possible to completely deactivate error messages in the PHP configuration file...

    ...but is it possible to configure PHP errors to be displayed only to administrative members, and a generic error message to be displayed to all other users?

  2. #2
    SitePoint Member
    Join Date
    Sep 2005
    Posts
    13
    You can use the @ to prevent error messages from displaying.

    like this

    PHP Code:

    $query = @mysql_query('SELECT blah FROM blah WHERE blah=blah');

    Now if there is any error caused in the query, the error won't be displayed.

    hope this helps.

  3. #3
    SitePoint Wizard
    Join Date
    Nov 2005
    Posts
    1,191
    Quote Originally Posted by stephan.gerlach View Post
    You can use the @ to prevent error messages from displaying.
    That works but not a very good habit to get into, it makes debugging a nightmare.

    Quote Originally Posted by Morthian View Post
    ...but is it possible to configure PHP errors to be displayed only to administrative members, and a generic error message to be displayed to all other users?
    use a custom error handling function
    http://nz.php.net/manual/en/function...or-handler.php
    PHP Code:
    set_error_handler('customErrorHandler');
    PHP Code:
    function customErrorHandler($errno, $errstr, $errfile, $errline) {
        global $currentUser; // the application's user object, defined elsewhere
        if ($currentUser->isAdmin()) {
            // show errors
        }
        else {
            // display some 'oops it's broke' type message
        }
    }


  4. #4
    SitePoint Zealot adam.jimenez
    Join Date
    May 2009
    Location
    Ware, UK
    Posts
    136
    Quote Originally Posted by stephan.gerlach View Post
    You can use the @ to prevent error messages from displaying.

    like this

    PHP Code:

    $query = @mysql_query('SELECT blah FROM blah WHERE blah=blah');

    Now if there is any error caused in the query, the error won't be displayed.

    hope this helps.

    hmm mysql_query won't show the query error unless u print mysql_error.
    putting @ all over your code is time-consuming and from what i've read makes it slower.

    u should turn display_errors off - either via php.ini or htaccess.

    i use set_error_handler to display a generic message and email me the error details in the background.

    see
    http://uk2.php.net/manual/en/functio...or-handler.php
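
The approach suggested in the replies above (display_errors off, a set_error_handler callback that logs the details and shows a generic message to everyone except administrators), as an added example that is not code from any poster in this thread. `is_admin_user()` and the `role` session key are hypothetical stand-ins for the application's own access check, and the triggered warning at the end is constructed sample input.

```php
<?php
// Added example, not from the thread. is_admin_user() is a hypothetical
// stand-in for the application's own role check.
function is_admin_user(): bool
{
    return isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
}

// Build the text sent to the browser: detail for admins, a reference id for everyone else.
function render_error(bool $isAdmin, string $ref, string $detail): string
{
    if ($isAdmin) {
        // Escape the detail: error text can contain request data.
        return '<pre>' . htmlspecialchars("[$ref] $detail", ENT_QUOTES, 'UTF-8') . "</pre>\n";
    }
    return "Something went wrong. Please quote reference $ref if you report this.\n";
}

function custom_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Skip levels excluded by error_reporting (this also covers @-suppressed calls).
    if (!(error_reporting() & $errno)) {
        return false;
    }
    $ref    = bin2hex(random_bytes(4)); // ties the user's report to the log entry
    $detail = sprintf('errno=%d %s in %s:%d', $errno, $errstr, $errfile, $errline);
    error_log("[$ref] $detail");        // path and line number go to the server log only
    echo render_error(is_admin_user(), $ref, $detail);
    return true;                        // stop PHP's built-in handler from printing
}

// Fatal errors never reach a user handler, so display_errors stays off as the backstop.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
set_error_handler('custom_error_handler');

// Uncaught exceptions would otherwise print a stack trace; route them the same way.
set_exception_handler(function (Throwable $e): void {
    custom_error_handler(E_ERROR, $e->getMessage(), $e->getFile(), $e->getLine());
});

// Constructed sample input: a non-admin request sees only the generic line.
trigger_error('constructed sample warning', E_USER_WARNING);
```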

  5. #5
    SitePoint Addict
    Join Date
    Jan 2008
    Location
    Palm Harbor, FL
    Posts
    348
    Thanks for all of your replies. I will look into the set_error_handler function. It looks promising; hopefully it will solve my problem.

  6. #6
    SitePoint Wizard Cups
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    I started up a poll some time back asking how people ran with error_reporting as they worked, in a dev environment, some of the comments might be helpful to you.

    Display them when possible when developing
    Log them only when live
    Try not to suppress them if possible

    It becomes a whole other barrel of fish when you want your application to recover from some errors, and not others etc, and you have some kind of personalisation going on and you want to log all the factors leading to a failure.

  7. #7
    SitePoint Zealot adam.jimenez
    Join Date
    May 2009
    Location
    Ware, UK
    Posts
    136
    Quote Originally Posted by Cups View Post
    I started up a poll some time back asking how people ran with error_reporting as they worked, in a dev environment, some of the comments might be helpful to you.

    Display them when possible when developing
    Log them only when live
    Try not to suppress them if possible

    It becomes a whole other barrel of fish when you want your application to recover from some errors, and not others etc, and you have some kind of personalisation going on and you want to log all the factors leading to a failure.
    my custom error handler sends me all the post/ get/ cookie/ session/ server info which goes a long way to figuring out what went wrong.

  8. #8
    . shoooo... logic_earth
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Couple of methods for setting up environment options based on production and development settings. You of course want to know if the application should use production settings or development settings.

    PHP Code:
    <?php

    // Local IP, accessing from the same computer.
    // TODO: support local network access
    // TODO: support IPv6
    $isdev = function () {
        $index = array( '127.0.0.1', '::1', gethostbyname( trim( `hostname` ) ) );
        return in_array( $_SERVER['REMOTE_ADDR'], $index, true );
    };

    define( 'DEV_PLATFORM', $isdev() );

    // or...
    // A blank file in the root.
    // (use this instead of the define above, not together with it)
    define( 'DEV_PLATFORM', file_exists( __DIR__ . '/development' ) );

    I got the local IP idea from IIS. IIS will show detailed HTTP error messages if accessing the server locally, but show plain messages for remote users.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.
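
A fail-closed variant that combines the two checks from the post above and ties the result to the error settings, as an added example that is not part of the original post. The function names and the forwarding-header list are assumptions; the extra header check is there because a reverse proxy running on the same host makes every visitor's `REMOTE_ADDR` a loopback address.

```php
<?php
// Added example, not from the thread. Function names and the header list
// are assumptions chosen for illustration.
function is_dev_platform(array $server, string $markerFile): bool
{
    // Fail closed: every condition must hold, otherwise treat as production.
    if (!is_file($markerFile)) {
        return false;
    }
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, ['127.0.0.1', '::1'], true)) {
        return false;
    }
    // A proxy on the same host connects from loopback on behalf of remote
    // users; if it adds a forwarding header, the request is not local.
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED', 'HTTP_X_REAL_IP'] as $header) {
        if (!empty($server[$header])) {
            return false;
        }
    }
    return true;
}

function apply_error_settings(bool $isDev): void
{
    error_reporting(E_ALL);                        // record everything in both modes
    ini_set('log_errors', '1');                    // always log
    ini_set('display_errors', $isDev ? '1' : '0'); // show in the page only on dev
}

$isDev = is_dev_platform($_SERVER, __DIR__ . '/development');
apply_error_settings($isDev);

// Constructed request arrays; this file itself stands in for the marker file.
$samples = [
    'direct local' => ['REMOTE_ADDR' => '127.0.0.1'],
    'via proxy'    => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'remote'       => ['REMOTE_ADDR' => '203.0.113.7'],
];
foreach ($samples as $label => $server) {
    printf("%-12s dev=%s\n", $label, var_export(is_dev_platform($server, __FILE__), true));
}
```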


  9. #9
    SitePoint Wizard
    Join Date
    Nov 2005
    Posts
    1,191
    I just use domain.loc on dev servers and test for that tld (hope it doesn't actually exist o0). Also taken to having dev stuff searched for first ( eg if(file_exists(config.dev.php)) ) so I don't have to share anything local with deployed sites.

