On 04.01.2012 21:02, Rasmus Lerdorf wrote:
> But there is a very valid security concern here. People can usually run
> safely with display_errors enabled if their code is well-written. 

if it is well written there would be no errors displayed
but you miss - in production you MUST NOT display errors

> They can check for potential errors and avoid them. This one can't be checked
> for and you could easily write a scanner that scoured the Net for sites
> with display_errors enabled by sending a relatively short POST request
> to each one and checking for this error.

does not matter

if display_errors is on DISPLAY it

if it is off do NOT
there is nothing between

every attempt to make exceptions here is simply bad style and should
not be done - where do you stop? you can't decide - only the
admin or developer with ini_set() has to decide and nobody else
