Web Hosting Talk







View Full Version : howto: prevent php/mysql errors from being displayed in your site


OscarG
07-23-2004, 06:38 AM
I noticed many sites show ugly messages to their visitors when there is some php/mysql error... sometimes these error messages contain information which may be useful for attackers: physical paths, sql sentences, etc...

in order to avoid errors from being displayed on your site you can do the following changes on php.ini file:

1) as the comment in default php.ini says, turn off "display_errors".


; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
display_errors = Off


2) turn "log_errors" on, again following php.ini recommendation.


; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = On


3) make sure "html_errors" is off, because we don't need HTML formatted errors in our log file.


; Disable the inclusion of HTML tags in error messages.
html_errors = Off


4) and finally specify a file to log errors on.


; Log errors to specified file.
error_log = /var/log/php.err


I hope this helps someone :)

one1coolone1
08-24-2004, 04:42 PM
I am going to try it. Thanks.

rois
09-11-2004, 12:44 PM
So what happens when an error occurs? It will just show a blank page?

Codename49
09-11-2004, 11:47 PM
Yes. If you don't want that, there is also one other workaround.. write your own error handling function which shows a fancy error message and set it up as a prepend file.
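
Added example, not part of any post in this thread: a sketch of the prepend-file approach mentioned above. It logs the full detail to the configured error_log and shows the visitor only a generic page with a reference id. The file name, the fail_safely() helper and the page wording are assumptions, and it needs PHP 7 or later (newer than the PHP versions current when this thread was written).

```php
<?php
// error_prepend.php (hypothetical name). Load it on every request via php.ini:
//   auto_prepend_file = /path/to/error_prepend.php
// Assumes display_errors = Off and log_errors = On, as set in the first post.

// Hypothetical helper: full detail goes to the log, the visitor sees only an id.
function fail_safely(string $detail): void
{
    $ref = bin2hex(random_bytes(4));      // short id to match a report to a log line
    error_log("[ref $ref] $detail");      // written to the configured error_log
    while (ob_get_level() > 0 && ob_end_clean()) {
        // discard any buffered partial page output
    }
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    echo "<h1>Something went wrong</h1><p>Please try again later. Reference: $ref</p>";
    exit(1);
}

// Warnings and notices: log them and let the page continue.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false;                     // respect error_reporting and the @ operator
    }
    error_log("PHP error [$no] $msg in $file:$line");
    return true;                          // handled, skip PHP's built-in handler
});

// Uncaught exceptions: paths and messages stay in the log only.
set_exception_handler(function (Throwable $e): void {
    fail_safely(get_class($e) . ': ' . $e->getMessage()
        . ' in ' . $e->getFile() . ':' . $e->getLine());
});

// Fatal errors never reach set_error_handler, so check for them at shutdown.
// PHP has already logged the fatal itself; this adds the line carrying the id.
register_shutdown_function(function (): void {
    $e = error_get_last();
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR;
    if ($e !== null && ($e['type'] & $fatal)) {
        fail_safely("fatal: {$e['message']} in {$e['file']}:{$e['line']}");
    }
});
```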

kuato
09-12-2004, 02:01 AM
Nice post, OscarG.

I only have one problem. No matter what file I specify for error_log like in your example

; Log errors to specified file.
error_log = /var/log/php.err

it ignores /var/log/php.err and the errors always get sent to my apache error_log file. :bawling:

One thing that works is to set it on startup in a php script like


<?php

ini_set('error_log', '/tmp/php.err');

?>


But that of course is on a per script basis. I'd rather have the error_log work for me inside my /etc/php.ini file but I'm not sure why it just sends them all to my apache error_log.

Robcau
09-16-2004, 05:32 AM
I think the meaning of an error message is to let you know there is something wrong. For me, I always try it locally and afterwards I put it public, so where is the problem for attackers?