Turning Off Verbose Error Reporting
You usually want to turn off verbose error reporting in production scripts. The main reason for this has to do with security — you don't want users seeing too much of the "man behind the curtain." For example, PHP usually outputs something similar to the following if it fails to connect to a database:
Warning: Access denied for user: 'username@localhost' (Using password: YES) in /var/www/html/errortest.php on line 11
Warning: MySQL Connection Failed: Access denied for user: 'username@localhost' (Using password: YES) in /var/www/html/errortest.php on line 11
These errors are generally reported directly to the user's browser window, as shown in Figure 24-1.
Figure 24-1: PHP errors reported in the browser window
These error messages are very helpful for debugging purposes, but they could give an unscrupulous user way too much information about your system and code. Several things are obvious:
• The system is running Linux.
• The script runs from the directory /var/www/html.
• The user who tried connecting to the MySQL server was username@localhost.
• The user was trying to connect by using a password.
With this information, someone quite possibly could compromise your system. Therefore, you're best off using the error_reporting() function to set reporting to 0 in production scripts — especially scripts that access MySQL or other servers. (See Session 22 for more information on PHP error reporting.)
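The following script is an added example (not from the book) of how the production setting described above can be combined with server-side logging, so the details disappear from the browser without disappearing altogether. The hostname, credentials and log path are placeholders.

```php
<?php
// Added example: production-safe error handling for a script that connects to MySQL.
// Hostname, credentials and log path below are placeholders, not values from the book.
declare(strict_types=1);

$production = true;   // set to false while developing

if ($production) {
    error_reporting(0);             // the setting the text recommends: no engine errors reach the page
    ini_set('display_errors', '0'); // also keep uncaught exceptions out of the HTML
    ini_set('log_errors', '1');     // ...but keep the full details for yourself, server-side
    ini_set('error_log', '/var/log/php/app.log'); // placeholder path, must be writable by the web server
} else {
    error_reporting(E_ALL);
    ini_set('display_errors', '1'); // during development, seeing everything is what you want
}

// Have mysqli raise exceptions on failure so the script decides what the user sees.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $db = new mysqli('localhost', 'username', 'placeholder-password', 'appdb'); // placeholder credentials
} catch (mysqli_sql_exception $e) {
    // Path, line, user and host go to the log only, where an administrator can read them.
    error_log(sprintf('DB connect failed in %s:%d: %s', $e->getFile(), $e->getLine(), $e->getMessage()));

    // The browser gets a message that reveals nothing about the OS, paths or database account.
    http_response_code(503);
    exit('The service is temporarily unavailable. Please try again later.');
}

// Normal processing continues here with $db.
```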