  1. #1
    Life is not a malfunction gold trophysilver trophybronze trophy
    TechnoBear's Avatar
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    6,088
    Mentioned
    256 Post(s)
    Tagged
    5 Thread(s)

    PHP errors enabled

    I have been using WebsiteDefender on one of my sites, after it was hacked. I recently moved the site to another (shared) hosting company, and WebsiteDefender gave me the following report:
    The display_error PHP configuration directive is enabled. This means that untrusted sources can see detailed web application environment error messages which might include sensitive information which can be used to craft further attacks.

    You can disable display_errors from php.ini or .htaccess.

    php.ini
    display_errors = 'off'
    log_errors = 'on'

    .htaccess
    php_flag display_errors off
    php_flag log_errors on
    I added the lines above to my .htaccess file, but that caused a server 500 error when I tried to view the site.

    Any help would be appreciated.

  2. #2
    SitePoint Mentor bronze trophy
    John_Betong's Avatar
    Join Date
    Aug 2005
    Location
    City of Angels
    Posts
    1,807
    Mentioned
    73 Post(s)
    Tagged
    6 Thread(s)
    Did you add all the lines to your .htaccess file?

    The instructions stated loading the additional files either in the php.ini file or the .htaccess file.

    Try adding just these two lines in your .htaccess file, this should prevent the server 500 errors. Once the site is running OK again then remove the # remark one at a time and see if the site runs OK with no server errors.

    PHP Code:

    # php_flag display_errors off
    # php_flag log_errors on 

  3. #3
    TechnoBear
    Quote Originally Posted by John_Betong View Post
    Did you add all the lines to your .htaccess file?

    The instructions stated loading the additional files either in the php.ini file or the .htaccess file.
    Yes, I understood the instructions and I added only the .htaccess code to my .htaccess file.

    Quote Originally Posted by John_Betong View Post
    Try adding just these two lines in your .htaccess file, this should prevent the server 500 errors. Once the site is running OK again then remove the # remark one at a time and see if the site runs OK with no server errors.

    PHP Code:

    # php_flag display_errors off
    # php_flag log_errors on 
    No. Either line individually causes server 500 errors.

  4. #4
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    9,037
    Mentioned
    152 Post(s)
    Tagged
    2 Thread(s)
    You should also be able to do this by adding this in PHP:

    PHP Code:
    ini_set('display_errors', false);
    The .htaccess stuff probably doesn't work because PHP is not run as an Apache module (but rather through some sort of CGI) so Apache doesn't recognise it.
    Rémon - Hosting Advisor

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  5. #5
    TechnoBear
    Thanks, @ScallioXTX . At the risk of revealing how little I understand of this, may I ask how I add that in PHP? Do I need to include it in each of my pages and each of my includes? (The site is basically static pages and is only using PHP for includes like header, footer and navigation.)

  6. #6
    ScallioXTX
    You should indeed include that in each and every page. Or, if all pages include the header, you can also put it in the header so it's automatically used in all pages. Doesn't matter which option you pick, except the second one is easier

  7. #7
    TechnoBear
    Brilliant, thank you. I've put it in the header and everything's still working.

  8. #8
    John_Betong
    I would not be happy to have the site running and hiding errors.

    Can you supply a link to the site and the .htaccess file - this may help in tracking the error source.

  9. #9
    ScallioXTX
    Quote Originally Posted by John_Betong View Post
    I would not be happy to have the site running and hiding errors.
    Why not? I would be very happy to have the site hide any internal information from normal visitors, as long as it's logged somewhere.

  10. #10
    John_Betong
    Quote Originally Posted by ScallioXTX View Post
    Why not? I would be very happy to have the site hide any internal information from normal visitors, as long as it's logged somewhere.
    I should have included your statement as long as it's logged somewhere.

  11. #11
    TechnoBear
    Quote Originally Posted by John_Betong View Post
    I would not be happy to have the site running and hiding errors.

    Can you supply a link to the site and the .htaccess file - this may help in tracking the error source.
    Thank you, but (AFAIK) there aren't any errors - it was just an alert warning that any error messages would be displayed publicly. I don't know a great deal about PHP, but I do know enough to know that's a Bad Idea.

    However, I've now started wondering - how can I tell whether my other PHP sites have the same problem? I wouldn't have known about this one, had WebsiteDefender not alerted me. Should I just add @ScallioXTX 's code on all my PHP pages as a precaution?

  12. #12
    ScallioXTX
    Quote Originally Posted by TechnoBear View Post
    Should I just add @ScallioXTX 's code on all my PHP pages as a precaution?
    It surely can't hurt

  13. #13
    TechnoBear
    Quote Originally Posted by ScallioXTX View Post
    It surely can't hurt
    In that case, I'll just go ahead and do it. (I'm always terrified of breaking something. )

  14. #14
    John_Betong
    Quote Originally Posted by TechnoBear View Post
    In that case, I'll just go ahead and do it. (I'm always terrified of breaking something. )
    When you are feeling brave try this:

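    // your header.php
    PHP Code:

       // hide PHP errors from visitors
       ini_set('display_errors', FALSE);
       // report every error level
       error_reporting(E_ALL);
       // timestamped log file in the current working directory
       $tmp = getcwd() . "/php_error_" . date('y-m-d__h-i-s') . ".log";
       ini_set('error_log', $tmp);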
    Points to note:
    1. the user will not see any PHP errors
    2. PHP errors will be generated in the background
    3. any PHP errors will create and/or append to a daily error log file
    4. error log file will be named: "php_error_yy-mm-dd__hh-mm-ss.log"
    5. the log file will be in the same directory as your header.php (or the file that includes 'header.php' )


    Last edited by John_Betong; Feb 12, 2012 at 20:46. Reason: formatting
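
Added example, not part of any post in this thread: a header.php include for the question in #11 of how to tell whether a site has the problem. It applies the settings discussed above, records whether each took effect and which SAPI PHP runs under (the reason given in #4 for php_flag failing in .htaccess), and flags an error log that sits inside the web root, where a log file placed beside header.php could be fetched by URL. The function name harden_error_output and the private_logs directory are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. Requires PHP 7 or later.
// ASSUMPTION: a writable directory "private_logs" (hypothetical name) exists
// one level above the document root; adjust the path for your host.

function harden_error_output(string $logDir): array
{
    $report = ['sapi' => PHP_SAPI];

    // php_flag in .htaccess is only understood when PHP runs as an Apache
    // module (SAPI "apache2handler"); otherwise Apache rejects the directive.
    $report['htaccess_php_flag_usable'] = (PHP_SAPI === 'apache2handler');

    // The value in effect before this script changed anything.
    $report['display_errors_before'] = ini_get('display_errors');

    // ini_set() returns false when the change is refused, so check each call.
    $report['display_off_applied'] = ini_set('display_errors', '0') !== false;
    $report['log_on_applied'] = ini_set('log_errors', '1') !== false;
    error_reporting(E_ALL);

    // One log file per day, outside the web root so it has no URL.
    $logFile = rtrim($logDir, '/') . '/php_error_' . date('Y-m-d') . '.log';
    $report['error_log_applied'] = is_dir($logDir) && is_writable($logDir)
        && ini_set('error_log', $logFile) !== false;
    $log = (string) ini_get('error_log');
    $report['error_log'] = $log;

    // Flag a file log whose directory lies inside the document root.
    $root = $_SERVER['DOCUMENT_ROOT'] ?? '';
    $docRoot = $root !== '' ? (string) realpath($root) : '';
    $logReal = ($log !== '' && $log !== 'syslog')
        ? (string) realpath(dirname($log)) : '';
    $report['log_inside_docroot'] = $docRoot !== '' && $logReal !== ''
        && strpos($logReal . '/', $docRoot . '/') === 0;

    return $report;
}

$root = ($_SERVER['DOCUMENT_ROOT'] ?? '') ?: __DIR__;
$status = harden_error_output(dirname($root) . '/private_logs');

// Record the outcome in the error log instead of showing it to visitors.
error_log('error-output check: ' . json_encode($status));
```

If error_log_applied comes back false, the status line goes to the server's default error log instead, which is where to look for it.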

