  1. #1

    howto: prevent php/mysql errors from being displayed in your site

    I noticed many sites show ugly messages to their visitors when there is some PHP/MySQL error... sometimes these error messages contain information which may be useful for attackers: physical paths, SQL statements, etc.

    In order to avoid errors being displayed on your site you can make the following changes in the php.ini file:

    1) As the comment in the default php.ini says, turn off "display_errors".

    Code:
    ; Print out errors (as a part of the output).  For production web sites,
    ; you're strongly encouraged to turn this feature off, and use error logging
    ; instead (see below).  Keeping display_errors enabled on a production web site
    ; may reveal security information to end users, such as file paths on your Web
    ; server, your database schema or other information.
    display_errors = Off

    2) Turn "log_errors" on, again following the php.ini recommendation.

    Code:
    ; Log errors into a log file (server-specific log, stderr, or error_log (below))
    ; As stated above, you're strongly advised to use error logging in place of
    ; error displaying on production web sites.
    log_errors = On

    3) Make sure "html_errors" is off, because we don't need HTML-formatted errors in our log file.

    Code:
    ; Disable the inclusion of HTML tags in error messages.
    html_errors = Off

    4) And finally specify a file to log errors to.

    Code:
    ; Log errors to specified file.
    error_log = /var/log/php.err

    I hope this helps someone.

  2. #2
    I am going to try it. Thanks.

  3. #3
    So what happens when an error occurs? It will just show a blank page?

  4. #4
    Yes. If you don't want that, there is also one other workaround: write your own error handling function which shows a fancy error message and set it up as a prepend file.
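    The prepend-file approach from this reply, as an added example that is not code from the thread: an auto_prepend_file that keeps the php.ini settings from post #1, writes the details (file paths, SQL text in exception messages) to the log only, and shows the visitor a generic page instead of a blank one. The log path /var/log/php.err is the one used in the thread and is assumed to be writable by the web server user.

```php
<?php
// Added example (not from the thread): auto_prepend_file that keeps the
// php.ini settings from post #1 and replaces the blank page with a generic
// message. Assumes LOG_FILE is writable by the web server user.
declare(strict_types=1);

const LOG_FILE = '/var/log/php.err';   // path from the thread; assumption

ini_set('display_errors', '0');        // never echo paths/SQL to visitors
ini_set('log_errors', '1');
ini_set('html_errors', '0');
ini_set('error_log', LOG_FILE);

function render_generic_error_page(): void
{
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    echo '<h1>Something went wrong</h1><p>The problem has been logged.</p>';
}

// Warnings and notices: write the detail (message, file, line) to the log
// only, then let the script continue.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false;                  // respect @-suppressed calls
    }
    error_log(sprintf('PHP error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;                       // handled; PHP's own reporter is skipped
});

// Uncaught exceptions, e.g. a PDOException whose message carries the SQL
// text: the detail stays in the log, the visitor gets the generic page.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    render_generic_error_page();
});

// Fatal errors never reach set_error_handler; PHP has already logged them
// (log_errors=On), so only the visitor-facing page is missing.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        render_generic_error_page();
    }
});
```

    Point php.ini's auto_prepend_file at this script so it runs before every request; the generic page can be replaced with your own template.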

  5. #5
    Nice post, OscarG.

    I only have one problem. No matter what file I specify for error_log like in your example

    ; Log errors to specified file.
    error_log = /var/log/php.err

    it ignores /var/log/php.err and the errors always get sent to my apache error_log file.

    One thing that works is to set it on startup in a php script like

    Code:
    <?php
    
    ini_set('error_log', '/tmp/php.err');
    
    ?>

    But that of course is on a per-script basis. I'd rather have the error_log work for me inside my /etc/php.ini file, but I'm not sure why it just sends them all to my apache error_log.

  6. #6
    I think the meaning of an error message is to let you know there is something wrong. For me, I always try it locally and afterwards I put it public, so where is the problem for attackers?
