Best connection string for production server


#1

I am creating a PDO connection to a MariaDB database.

I am aware of the error reporting possibilities here and am using:

  • A try… catch block with (catch (PDOException $e) {

  • the getMessage, getFile and getLine methods of $e

  • outputting these error details in a template.

I don’t want to display this detail (which will include username and password) to users on a production server if, say, the db engine is not running. But, I DO want to display it to myself if there is a problem with db connection with a particular site.

PHP & MySQL: Novice to Ninja suggests: “When you’re done and your database connection is working correctly, go back to the simpler error message [meaning just $e, I think, rather than $e->getMessage, etc.]. This way your visitors won’t be bombarded with technical gobbledygook if a genuine problem emerges with your database server.”

But this would mean I can’t diagnose the error.

Best way of achieving this?


#2

I would recommend using a logger like Monolog and logging errors to a medium you will notice, like email or Slack. That way when something goes wrong on your website you will know immediately.


#3

Thank you. That’s very interesting: I was unaware of that but like the look of it - even mobile notifications.

So… as far as the PHP goes for a website… just a friendly: “Ooops… something went wrong” kind of output to the user?


#4

Users should never see the proper PHP error messages; they can give hackers clues and make no sense to non-hackers, except for the non-hackers who are developers, who will just think it’s unprofessional: (a) That you have errors. (b) That you are showing them to everyone.

So, yes, if you must display errors to users, make them vague, generic, dumbed-down error messages.
But do always log your real errors. The standard practice is to have a log file (non public), but if you add to that some kind of notification service like @rpkamp mentions, that’s good.
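
An added example, not part of the original thread: one way to do what the replies above describe, writing the PDOException detail (message, file, line) to a non-public log file while visitors see only a generic message with a reference ID that can be matched against the log. The log path, DSN, credentials and function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Assumed path: must be outside the web root and not readable by other site users.
const DB_LOG_FILE = '/var/log/myapp/db-errors.log';

ini_set('display_errors', '0'); // production: never render PHP errors into the page
ini_set('log_errors', '1');

/** Write the real error detail to the private log and return a short reference ID. */
function logDbError(PDOException $e, string $logFile): string
{
    $ref = bin2hex(random_bytes(4));
    // Flatten newlines so one failure is always exactly one log line.
    $msg = str_replace(["\r", "\n"], ' ', $e->getMessage());
    $line = sprintf("[%s] ref=%s %s in %s:%d\n", date('c'), $ref, $msg, $e->getFile(), $e->getLine());
    // message_type 3 appends to the named file; fall back to PHP's configured log on failure.
    if (!error_log($line, 3, $logFile)) {
        error_log(rtrim($line));
    }
    return $ref;
}

/** Return a PDO handle, or null after logging the failure and sending a generic 503 page. */
function connect(string $dsn, string $user, string $pass, string $logFile): ?PDO
{
    try {
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    } catch (PDOException $e) {
        $ref = logDbError($e, $logFile);
        http_response_code(503);
        // The visitor sees no driver message, host, username, file path or line number.
        echo 'Oops… something went wrong. Please try again later. (Reference: ' . $ref . ')';
        return null;
    }
}

// Placeholder DSN and credentials; in practice load them from configuration outside the web root.
$pdo = connect('mysql:host=127.0.0.1;dbname=example;charset=utf8mb4', 'app_user', 'placeholder-password', DB_LOG_FILE);
if ($pdo === null) {
    exit(1);
}
```

The `logDbError()` call is also the point where a notification handler such as the Monolog setup mentioned in #2 would be attached.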


#5

Yes, exactly.

There should always be a user-visible error possibility. For example, if the database server is down, you HAVE to show some kind of error message.

I was also aware of logging. What I WAS unaware of though, was the notification service which seems really helpful.

Thanks Sam