I am creating a PDO connection to a MariaDB database.
I am aware of the error reporting possibilities here and am using:
A try… catch block with catch (PDOException $e) {
the getMessage, getFile and getLine methods of $e
outputting these error details in a template.
I don’t want to display this detail (which will include username and password) to users on a production server if, say, the db engine is not running. But, I DO want to display it to myself if there is a problem with db connection with a particular site.
PHP & MySQL: Novice to Ninja suggests: “When you’re done and your database connection is working correctly, go back to the simpler error message [meaning just $e, I think, rather than $e->getMessage, etc.]. This way your visitors won’t be bombarded with technical gobbledygook if a genuine problem emerges with your database server.”
I would recommend using a logger like Monolog and logging errors to a medium you will notice, like email or Slack. That way when something goes wrong on your website you will know immediately.
Users should never see the proper PHP error messages; they can give hackers clues and make no sense to non-hackers, except for the non-hackers who are developers who will just think it’s unprofessional: (a) That you have errors. (b) That you are showing them to everyone.
So, yes, if you must display errors to users, make them vague, generic, dumbed-down error messages.
But do always log your real errors. The standard practice is to have a log file (non public), but if you add to that some kind of notification service like @rpkamp mentions, that’s good.
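The approach discussed in this thread, as an added example that is not code from any of the posters: connection failures are always written to a non-public log, and the detail is shown on screen only when an environment flag marks the machine as a development box. The APP_ENV variable, the log path, the DSN, the credentials and the function name connectOrFail are all assumptions made for illustration; PHP's built-in error_log() stands in for a logger such as Monolog so the block has no dependencies.

```php
<?php
declare(strict_types=1);

// Assumption: APP_ENV is "development" only on the developer's own machine.
// Hypothetical log location; it must sit outside the web root.
const DB_LOG_FILE = '/var/log/myapp/db-errors.log';

function connectOrFail(string $dsn, string $user, string $pass): PDO
{
    try {
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Record message, file and line only. The stack trace is left out
        // because it can carry the constructor arguments (the credentials).
        $detail = sprintf(
            '[%s] %s in %s:%d',
            date('c'),
            $e->getMessage(),
            $e->getFile(),
            $e->getLine()
        );

        // Message type 3 appends to the given file; it adds no newline itself.
        error_log($detail . PHP_EOL, 3, DB_LOG_FILE);

        // Full detail for the developer, a vague message for everyone else.
        $output = getenv('APP_ENV') === 'development'
            ? $detail
            : 'Sorry, the site is temporarily unavailable. Please try again later.';

        http_response_code(503);
        echo htmlspecialchars($output, ENT_QUOTES, 'UTF-8');
        exit(1);
    }
}

// Constructed sample values, not real credentials.
$pdo = connectOrFail(
    'mysql:host=localhost;dbname=example;charset=utf8mb4',
    'example_user',
    'example_password'
);
```

On the production server, display_errors should also be off in php.ini so that an exception thrown outside this function is not printed either.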