Are there any concerns if I have database error reporting enabled on my live webpage?

I thought I remember reading somewhere that error reporting should be disabled on a live website. I can’t find any info on that now, so I think it may be fine, but I would like to check if it is a concern at all?

Here is what I have enabled as options for MySQL queries:

$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];

I think the idea is that displaying error messages to the user is not good - errors should be trapped and either dealt with, or fail gracefully with a general error page.

I’m sure I’ve read that providing too much error information could give a potential cracker additional information, but that kind of thing isn’t something I know much about.

Exposing errors on a production site is a security vulnerability that can be easily avoided by sending errors to a log instead.


Thank you, I will remove the first option.

Why not force a couple of errors and see what happens?

If the system is set correctly then the errors should be logged and not shown on the screen.

I’m going to assume based on your question that the production site is on a shared hosting service. Shared hosts automatically disable error reporting to the browser.

Yes it is on a shared hosting service. Thank you for mentioning that.

BEWARE:
Perhaps they can be re-enabled in your personal script!
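
Added example, not part of the thread: it forces a database error as suggested above and checks that the detail lands in the log while the visitor only sees a generic message. It sets `display_errors` and `log_errors` in the script itself rather than relying on host defaults. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, and the log path and `handleRequest()` are hypothetical.

```php
<?php
// Added example: PHP decides where errors go (display_errors / log_errors);
// PDO::ATTR_ERRMODE only decides how PDO reports a failure to your code.
ini_set('display_errors', '0');   // never render errors into the response
ini_set('log_errors', '1');       // send them to the log instead
$logFile = sys_get_temp_dir() . '/app-errors.log';   // hypothetical log path
ini_set('error_log', $logFile);

$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failures become catchable exceptions
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];

// Hypothetical request handler: returns the text the visitor would see.
function handleRequest(PDO $pdo): string
{
    try {
        // Forced failure: the table does not exist (constructed test case).
        $stmt = $pdo->prepare('SELECT email FROM no_such_table WHERE id = ?');
        $stmt->execute([1]);
        return 'OK';
    } catch (PDOException $e) {
        // Full detail goes to the log, keyed by a reference the user can quote.
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf('[%s] %s in %s:%d',
            $ref, $e->getMessage(), $e->getFile(), $e->getLine()));
        http_response_code(500);
        return "Something went wrong. Reference: $ref";
    }
}

// Assumption: SQLite in memory replaces the MySQL DSN so this runs offline.
$pdo  = new PDO('sqlite::memory:', null, null, $options);
$body = handleRequest($pdo);
echo $body, PHP_EOL;

// Check both sides: the response must not name the table, the log must.
$log = file_get_contents($logFile);
echo 'response hides detail: ',
    var_export(strpos($body, 'no_such_table') === false, true), PHP_EOL;
echo 'log holds detail: ',
    var_export(strpos($log, 'no_such_table') !== false, true), PHP_EOL;
```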