Error Reporting


j.silver

Hi all,

 

I want to eliminate any possibility of error reporting to users, as it poses a risk of displaying valuable data to potentially dangerous people, so I am setting the error reporting to false (as shown below). I want to disallow error reporting on every page, including same in one location applicable to all pages, e.g. the config file.

 

<?php
error_reporting(0);
require 'db/connect.php';

But at the same time, I want to see errors reported to me, e.g. via email. If instead of setting error reporting to false as above I only set the error reporting function to report to the email, is there any chance that some errors would still be seen by users?

Many thanks dsonesuk

 

I would appreciate further elaboration on what is the best practice for completely disallowing error reporting to users while reporting it to the admin, and what is the preferred method of reporting same to the admin: email or other methods? A code sample would be very useful. Thanks.


Don't just turn off error reporting. In fact, set the error reporting value to the maximum value (note that error_reporting accepts an integer, not a boolean; using error_reporting(true) will not do what you think). This is the list of constants you can use with error_reporting. Use the actual constant, not the value.

 

All of those values should be set in the php.ini file (or a .htaccess file or some other method if you don't have control over php.ini). For a production system you should set the display_errors value to off, and instead set log_errors to on and configure the error log that PHP should use. You can then log in through FTP and check the error log at any time to see error messages.

 

Here is a list of the settings you can change that will affect error handling.


Many thanks justsomeguy

 

Very informative and helpful. Do you think receiving error messages via email has a potential risk, e.g. from hackers, and it should be avoided?

Is checking errors through FTP 100% safe, or could there be a chance of hacking?


I think that once you're debugging something with a loop in it and notice that you have 1,235 new emails, you'll think twice about sending error messages to your email.

 

Is checking errors through FTP 100% safe, or could there be a chance of hacking?

That's kind of vague, what do you mean? If you want to make sure the errors aren't accessible then just specify an error log outside the document root.
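A bootstrap file applying the advice in the replies above (maximum error_reporting, display_errors off, log_errors on, error log outside the document root), as an added example that is not part of the original thread. LOG_FILE, log_path_is_safe() and the generic 500 message are assumptions made for illustration.

```php
<?php
// Added example, not code from this thread. Include it first from the shared config file.
// LOG_FILE is a hypothetical path (assumption): pick one outside the web root.
const LOG_FILE = '/var/log/myapp/php_errors.log';

// True only when the log directory exists and does not sit under the document root.
function log_path_is_safe(string $logFile, string $docRoot): bool
{
    $dir  = realpath(dirname($logFile));
    $root = realpath($docRoot);
    if ($dir === false || $root === false) {
        return false; // missing or unresolvable directory: do not trust it
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($dir . DIRECTORY_SEPARATOR, $root, strlen($root)) !== 0;
}

error_reporting(E_ALL);          // report everything, using the constant
ini_set('display_errors', '0');  // never render errors into the response
ini_set('log_errors', '1');      // write them to the log instead

$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
if ($docRoot === '' || log_path_is_safe(LOG_FILE, $docRoot)) {
    ini_set('error_log', LOG_FILE);
} else {
    // Keep PHP's configured log rather than write somewhere web-reachable.
    error_log('error_log path rejected: under document root or unresolvable');
}

// Uncaught exceptions: full detail to the log, a generic message to the visitor.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred.';
});
```

Runtime ini_set() calls do not cover parse or startup errors that occur before this file runs, so the same display_errors, log_errors and error_log values still belong in php.ini or .htaccess as the reply recommends.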