Re: [PHP] Best Practices for Hiding Errors
Thanks for all the info, everyone! Seems like the @ trick is nice for individual lines, but turning off/on every time may be bit much on a complicated page. The ini_set('display_errors', false); also has a hit, as it turns back on after the entire script has run, but seems the easier way and just the one time may not be too bad. So maybe is best to turn it off in the actual ini, and turn on only for me, based on my IP or some other flag. Thanks again! George Langley Multimedia Developer, Audio/Video Editor, Musician, Arranger, Composer http://www.georgelangley.ca -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best Practices for Hiding Errors
It's just an observation ;) If you have to use it or not, you have to decide better way. Regards, Igor Escoar Systems Analyst Interface Designer -- Personal Blog ~ blog.igorescobar.com Online Portifolio ~ www.igorescobar.com Twitter ~ @igorescobar On Mon, Apr 6, 2009 at 9:56 PM, Chris dmag...@gmail.com wrote: Igor Escobar wrote: Becarefull, error supression is slow. If it's the only way to stop an error from showing up, what's the problem? php will still generate the warning/notice even if display_errors is disabled - which will be even slower. Plus I never said use it everywhere, I said use it in particular cases and comment your code about why you had to use it. -- Postgresql php tutorials http://www.designmagick.com/
Re: [PHP] Best Practices for Hiding Errors
2009/4/7 Chris dmag...@gmail.com: Igor Escobar wrote: Becarefull, error supression is slow. If it's the only way to stop an error from showing up, what's the problem? php will still generate the warning/notice even if display_errors is disabled - which will be even slower. Plus I never said use it everywhere, I said use it in particular cases and comment your code about why you had to use it. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php @phpfunction does just the same thing. Basically it's a shortcut to set display_errors to off before the function call and switch it back on after the function call. This is why it is slow. Some better practices would be: Just turn display_errors to off in you php.ini on the production system, if you can. Use ini_set('display_errors', false); in a central include file that gets included into every file. If you want to use the same script on development and production system you can add a SetEnv Directive inside you apache. Something like SetEnv SERVER_ROLE development Should do. Then you can do the following: if($HTTP_ENV_VARS['SERVER_ROLE'] == 'development') { error_reporting(E_ALL); ini_set('display_errors', true); } else { error_reporting(0); ini_set('display_errors', false); } So your code will work on production and on development server. Feel free to ask if you need further help. -- Currently developing a browsergame... http://www.p-game.de Trade - Expand - Fight Follow me on twitter! http://twitter.com/moortier -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best Practices for Hiding Errors
Intead of displaying errors to page. Its better to use error log file. And as @ error suppressors are expensive its always better if you can avoid using them. I'd also suggest the ZCE(Zend Certification Engineer) Exam Guide for this matter for best practices. Regards Lenin www.twitter.com/nine_L
Re: [PHP] Best Practices for Hiding Errors
9el wrote: Intead of displaying errors to page. Its better to use error log file. I believe by default they are sent to the server error log file regardless of your error report setting. It wouldn't surprise me if there's a slick class out there for parsing the error log and extracting php errors to nicely display on a separate page. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best Practices for Hiding Errors
but they give the following warning: This is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet). Am unclear what that means - is it okay to add: It's about information disclosure. Errors/warnings/notices contain paths to php files when they are printed out. $ cat test.php ?php ini_set('display_errors', true); error_reporting(E_ALL); echo 'a is ' . $a . \n; $ php test.php Notice: Undefined variable: a in /path/to/test.php on line 4 You don't want that because now a potential attacker knows some info - it's a unix type system (a windows path is drive:\blah\folder so looks different) and the files are located in /path/to/. If that message contains database info or passwords for example, you could be in trouble. ini_set('display_errors','Off'); to my page, so that an end user won't ever get the warning displayed and I can deal with the error behind the scenes? Or is there a better way to keep PHP from writing error codes to the screen? That's exactly the right thing to change - but only for production systems. You should develop with this ON so you can see when you have a problem that needs to be addressed. Some situations (as above) will cause a problem as you've seen but most won't. You can also use the @ symbol before the function name - but make sure you don't use it everywhere (it'll make debugging extremely hard - you could spend hours looking for a problem and it ends up being a database connection problem) also comment your code about why you're doing it: # use the @ here because php throws a warning if it can't be opened. $fp = @fsockopen('blah'); -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best Practices for Hiding Errors
Becarefull, error supression is slow. Regards, Igor Escoar Systems Analyst Interface Designer -- Personal Blog ~ blog.igorescobar.com Online Portifolio ~ www.igorescobar.com Twitter ~ @igorescobar On Mon, Apr 6, 2009 at 8:38 PM, Chris dmag...@gmail.com wrote: but they give the following warning: This is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet). Am unclear what that means - is it okay to add: It's about information disclosure. Errors/warnings/notices contain paths to php files when they are printed out. $ cat test.php ?php ini_set('display_errors', true); error_reporting(E_ALL); echo 'a is ' . $a . \n; $ php test.php Notice: Undefined variable: a in /path/to/test.php on line 4 You don't want that because now a potential attacker knows some info - it's a unix type system (a windows path is drive:\blah\folder so looks different) and the files are located in /path/to/. If that message contains database info or passwords for example, you could be in trouble. ini_set('display_errors','Off'); to my page, so that an end user won't ever get the warning displayed and I can deal with the error behind the scenes? Or is there a better way to keep PHP from writing error codes to the screen? That's exactly the right thing to change - but only for production systems. You should develop with this ON so you can see when you have a problem that needs to be addressed. Some situations (as above) will cause a problem as you've seen but most won't. You can also use the @ symbol before the function name - but make sure you don't use it everywhere (it'll make debugging extremely hard - you could spend hours looking for a problem and it ends up being a database connection problem) also comment your code about why you're doing it: # use the @ here because php throws a warning if it can't be opened. $fp = @fsockopen('blah'); -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best Practices for Hiding Errors
Igor Escobar wrote: Becarefull, error supression is slow. If it's the only way to stop an error from showing up, what's the problem? php will still generate the warning/notice even if display_errors is disabled - which will be even slower. Plus I never said use it everywhere, I said use it in particular cases and comment your code about why you had to use it. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php