  1. #1
    DoubleDee

    Displaying Error Codes

    I would like to assign Error Codes to my Error Messages to help with debugging, since two different sources could cause the same/similar Error Type.

    Is it insecure to display an Error Code to the User?
    For example...

    // Missing Salt.
    case 'PASSWORD_MISSING_SALT':
        echo '<h1>Password Change Failed</h1>';
        echo '<p>A Fatal Error occurred. Please contact the System Administrator. (5589)</p>';
        break;

    And, yeah, I could take them out when I go live, but if they don't give away too much info to hackers, then I'd just as soon leave them in.

    But what do you think?


    Debbie

  2. #2
    wwb_99

    The question you need to ask yourself here [and for every one of these random security questions] is "how could this be used to compromise the system?"

    In this case, you probably aren't doing anything with the error numbers at all so I doubt it would hurt. There are some cases where exposing error details can hurt -- such as that padding oracle attack that was in the wild over the summer -- but that probably won't get to this level.

  3. #3
    DoubleDee

    Originally posted by wwb_99:

        The question you need to ask yourself here [and for every one of these random security questions] is "how could this be used to compromise the system?"

        In this case, you probably aren't doing anything with the error numbers at all so I doubt it would hurt. There are some cases where exposing error details can hurt -- such as that padding oracle attack that was in the wild over the summer -- but that probably won't get to this level.

    Well, my Error-Messages are tailored to Users (and not Developers).

    Adding a code would just make it easier to Debug and down the road if a User did have an issue, they could report...

    "I am getting this 'A Fatal Error occurred. Please contact the System Administrator. (5589)' error message."

    Debbie
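
Added example, not part of the original thread and not code from either poster: one way to give users a code they can report while the actual cause stays in the server log, so that different failure causes look identical on the page (the kind of exposed error detail wwb_99 mentions). It goes further than the fixed code in the first post by issuing a random reference per incident; the function names, the two extra error keys and the `user_id` context are assumptions made for illustration.

```php
<?php
// Hypothetical catalogue: internal error key => public display group.
// Several internal causes share one group, so the page never shows
// which check failed.
const ERROR_GROUPS = [
    'PASSWORD_MISSING_SALT' => 'PASSWORD_CHANGE_FAILED',
    'PASSWORD_HASH_FAILED'  => 'PASSWORD_CHANGE_FAILED', // constructed sample key
    'PASSWORD_DB_WRITE'     => 'PASSWORD_CHANGE_FAILED', // constructed sample key
];

const GENERIC_BODY = 'A Fatal Error occurred. Please contact the System Administrator.';

const PUBLIC_MESSAGES = [
    'PASSWORD_CHANGE_FAILED' => ['Password Change Failed', GENERIC_BODY],
];

/**
 * Log the real cause server-side under a random per-incident reference
 * and return only that reference plus generic text for display.
 */
function reportError(string $internalKey, array $context = []): array
{
    $group = ERROR_GROUPS[$internalKey] ?? 'UNKNOWN';
    [$title, $body] = PUBLIC_MESSAGES[$group] ?? ['Error', GENERIC_BODY];

    // 8 hex characters from a CSPRNG: the value carries no meaning itself.
    $ref = strtoupper(bin2hex(random_bytes(4)));

    // The internal key and context go to the server log only.
    $entry = json_encode(['ref' => $ref, 'key' => $internalKey, 'ctx' => $context]);
    error_log($entry === false ? "ref=$ref key=$internalKey" : $entry);

    return ['ref' => $ref, 'title' => $title, 'body' => $body];
}

/** Build the HTML shown to the user; every value is escaped on output. */
function renderError(array $e): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<h1>' . $esc($e['title']) . '</h1>'
         . '<p>' . $esc($e['body']) . ' (' . $esc($e['ref']) . ')</p>';
}

// Two different internal causes render the same text; only the log differs.
echo renderError(reportError('PASSWORD_MISSING_SALT', ['user_id' => 42])), "\n";
echo renderError(reportError('PASSWORD_DB_WRITE', ['user_id' => 42])), "\n";
```

When a user reports the reference, searching the server log for that `ref` value returns the internal key and context for that one incident.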

