Re: [PHP] Best Practices for Hiding Errors
Thanks for all the info, everyone! Seems like the @ trick is nice
for individual lines, but turning off/on every time may be bit much
on a complicated page. The ini_set('display_errors', false); also has
a hit, as it turns back on after the entire script has run, but seems
the easier way and just the one time may not be too bad. So maybe is
best to turn it off in the actual ini, and turn on only for me, based
on my IP or some other flag.
Thanks again!
George Langley
Multimedia Developer, Audio/Video Editor, Musician, Arranger, Composer
http://www.georgelangley.ca
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best Practices for Hiding Errors
It's just an observation ;) If you have to use it or not, you have to decide better way. Regards, Igor Escoar Systems Analyst Interface Designer -- Personal Blog ~ blog.igorescobar.com Online Portifolio ~ www.igorescobar.com Twitter ~ @igorescobar On Mon, Apr 6, 2009 at 9:56 PM, Chris dmag...@gmail.com wrote: Igor Escobar wrote: Becarefull, error supression is slow. If it's the only way to stop an error from showing up, what's the problem? php will still generate the warning/notice even if display_errors is disabled - which will be even slower. Plus I never said use it everywhere, I said use it in particular cases and comment your code about why you had to use it. -- Postgresql php tutorials http://www.designmagick.com/
Re: [PHP] Best Practices for Hiding Errors
2009/4/7 Chris dmag...@gmail.com:
Igor Escobar wrote:
Becarefull, error supression is slow.
If it's the only way to stop an error from showing up, what's the problem?
php will still generate the warning/notice even if display_errors is
disabled - which will be even slower.
Plus I never said use it everywhere, I said use it in particular cases and
comment your code about why you had to use it.
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
@phpfunction does just the same thing. Basically it's a shortcut to
set display_errors to off before the function call and switch it back
on after the function call. This is why it is slow.
Some better practices would be:
Just turn display_errors to off in you php.ini on the production
system, if you can.
Use ini_set('display_errors', false); in a central include file that
gets included into every file.
If you want to use the same script on development and production
system you can add a SetEnv Directive inside you apache.
Something like
SetEnv SERVER_ROLE development
Should do. Then you can do the following:
if($HTTP_ENV_VARS['SERVER_ROLE'] == 'development') {
error_reporting(E_ALL);
ini_set('display_errors', true);
} else {
error_reporting(0);
ini_set('display_errors', false);
}
So your code will work on production and on development server.
Feel free to ask if you need further help.
--
Currently developing a browsergame...
http://www.p-game.de
Trade - Expand - Fight
Follow me on twitter!
http://twitter.com/moortier
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best Practices for Hiding Errors
Intead of displaying errors to page. Its better to use error log file. And as @ error suppressors are expensive its always better if you can avoid using them. I'd also suggest the ZCE(Zend Certification Engineer) Exam Guide for this matter for best practices. Regards Lenin www.twitter.com/nine_L
Re: [PHP] Best Practices for Hiding Errors
9el wrote: Intead of displaying errors to page. Its better to use error log file. I believe by default they are sent to the server error log file regardless of your error report setting. It wouldn't surprise me if there's a slick class out there for parsing the error log and extracting php errors to nicely display on a separate page. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best Practices for Hiding Errors
but they give the following warning:
This is a feature to support your development and should never be used on
production systems (e.g. systems connected to the internet).
Am unclear what that means - is it okay to add:
It's about information disclosure.
Errors/warnings/notices contain paths to php files when they are printed
out.
$ cat test.php
?php
ini_set('display_errors', true);
error_reporting(E_ALL);
echo 'a is ' . $a . \n;
$ php test.php
Notice: Undefined variable: a in /path/to/test.php on line 4
You don't want that because now a potential attacker knows some info -
it's a unix type system (a windows path is drive:\blah\folder so looks
different) and the files are located in /path/to/.
If that message contains database info or passwords for example, you
could be in trouble.
ini_set('display_errors','Off');
to my page, so that an end user won't ever get the warning displayed and I can deal with the error behind the scenes? Or is there a better way to keep PHP from writing error codes to the screen?
That's exactly the right thing to change - but only for production
systems. You should develop with this ON so you can see when you have a
problem that needs to be addressed. Some situations (as above) will
cause a problem as you've seen but most won't.
You can also use the @ symbol before the function name - but make sure
you don't use it everywhere (it'll make debugging extremely hard - you
could spend hours looking for a problem and it ends up being a database
connection problem) also comment your code about why you're doing it:
# use the @ here because php throws a warning if it can't be opened.
$fp = @fsockopen('blah');
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best Practices for Hiding Errors
Becarefull, error supression is slow.
Regards,
Igor Escoar
Systems Analyst Interface Designer
--
Personal Blog
~ blog.igorescobar.com
Online Portifolio
~ www.igorescobar.com
Twitter
~ @igorescobar
On Mon, Apr 6, 2009 at 8:38 PM, Chris dmag...@gmail.com wrote:
but they give the following warning:
This is a feature to support your development and should never be used on
production systems (e.g. systems connected to the internet).
Am unclear what that means - is it okay to add:
It's about information disclosure.
Errors/warnings/notices contain paths to php files when they are printed
out.
$ cat test.php
?php
ini_set('display_errors', true);
error_reporting(E_ALL);
echo 'a is ' . $a . \n;
$ php test.php
Notice: Undefined variable: a in /path/to/test.php on line 4
You don't want that because now a potential attacker knows some info - it's
a unix type system (a windows path is drive:\blah\folder so looks different)
and the files are located in /path/to/.
If that message contains database info or passwords for example, you could
be in trouble.
ini_set('display_errors','Off');
to my page, so that an end user won't ever get the warning displayed and I
can deal with the error behind the scenes? Or is there a better way to keep
PHP from writing error codes to the screen?
That's exactly the right thing to change - but only for production systems.
You should develop with this ON so you can see when you have a problem that
needs to be addressed. Some situations (as above) will cause a problem as
you've seen but most won't.
You can also use the @ symbol before the function name - but make sure you
don't use it everywhere (it'll make debugging extremely hard - you could
spend hours looking for a problem and it ends up being a database connection
problem) also comment your code about why you're doing it:
# use the @ here because php throws a warning if it can't be opened.
$fp = @fsockopen('blah');
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best Practices for Hiding Errors
Igor Escobar wrote: Becarefull, error supression is slow. If it's the only way to stop an error from showing up, what's the problem? php will still generate the warning/notice even if display_errors is disabled - which will be even slower. Plus I never said use it everywhere, I said use it in particular cases and comment your code about why you had to use it. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
