howto: prevent php/mysql errors from being displayed in your site
i noticed many sites show ugly messages to their visitors when there is some php/mysql error... sometimes this error messages contains information which may be useful for atackers: physical paths, sql sentences, etc...
in order to avoid errors from being displayed on your site you can do the following changes on php.ini file:
1) as the comment in default php.ini says, turn off "display_errors".
; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
display_errors = Off
2) turn "log_errors" on, again following php.ini recomendation.
; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = On
3) make sure "html_errors" is off, because we dont need HTML formated errores in our log file.
; Disable the inclusion of HTML tags in error messages.
html_errors = Off
4) and finally specify a file to log errors on.
; Log errors to specified file.
error_log = /var/log/php.err