Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Hosting Security and Technology Tutorials : howto: prevent php/mysql errors from being displayed in your site

[OscarG]

i noticed many sites show ugly messages to their visitors when there is some php/mysql error... sometimes this error messages contains information which may be useful for atackers: physical paths, sql sentences, etc...

in order to avoid errors from being displayed on your site you can do the following changes on php.ini file:

1) as the comment in default php.ini says, turn off "display_errors".

Code:

; Print out errors (as a part of the output).  For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).  Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
display_errors = Off

2) turn "log_errors" on, again following php.ini recomendation.

Code:

; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = On

3) make sure "html_errors" is off, because we dont need HTML formated errores in our log file.

Code:

; Disable the inclusion of HTML tags in error messages.
html_errors = Off

4) and finally specify a file to log errors on.

Code:

; Log errors to specified file.
error_log = /var/log/php.err

i hope this helps someone

[one1coolone1]

I am going to try it. Thanks.

[rois]

So what happens when an error occurs? it will just show a blank page?

[Codename49]

Yes. If you don't want that, there is also one other workaround.. write your own error handling function which shows a fancy error message and set it up as a prepend file.

[kuato]

Nice post, OscarG.

I only have one problem. No matter what file I specify for error_log like in your example

; Log errors to specified file.
error_log = /var/log/php.err

it ignores /var/log/php.err and the errors always get sent to my apache error_log file.

One thing that works is to set it on startup in a php script like

Code:

<?php

ini_set('error_log', '/tmp/php.err');

?>

But that of course is on a per script basis. I'd rather have the error_log work for me inside my /etc/php.ini file but I'm not sure why it just sends them all to my apache error_log.

[Robcau]

I think the meaning of an errormessage is to let you know there is something wrong, by me i always try it local and after i put it public so where is the problem for attackers?