-
07-23-2004, 06:38 AM #1 New Member
- Join Date
- Jul 2004
- Location
- Madrid, Spain
- Posts
- 1
howto: prevent php/mysql errors from being displayed in your site
I noticed many sites show ugly messages to their visitors when there is some php/mysql error... sometimes these error messages contain information which may be useful for attackers: physical paths, sql sentences, etc...
In order to prevent errors from being displayed on your site, you can make the following changes in the php.ini file:
1) as the comment in default php.ini says, turn off "display_errors".
Code:
; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
display_errors = Off
Code:
; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = On
Code:
; Disable the inclusion of HTML tags in error messages.
html_errors = Off
Code:
; Log errors to specified file.
error_log = /var/log/php.err
-
08-24-2004, 04:42 PM #2 Junior Guru Wannabe
- Join Date
- Apr 2004
- Posts
- 47
I am going to try it. Thanks.
-
09-11-2004, 12:44 PM #3 Web Hosting Master
- Join Date
- Apr 2004
- Posts
- 972
So what happens when an error occurs? It will just show a blank page?
-
09-11-2004, 11:47 PM #4 Newbie
- Join Date
- Mar 2002
- Posts
- 17
Yes. If you don't want that, there is also one other workaround: write your own error handling function which shows a fancy error message and set it up as a prepend file.
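The prepend-file approach described in the reply above, as an added example that is not part of the original thread: details go to the log, while the visitor sees a generic page instead of a blank one. The file name, the page wording and the reference-id scheme are assumptions, and the code targets PHP 7 or later.

```php
<?php
// prepend.php: added example, not code from the thread.
// Enable in php.ini with:  auto_prepend_file = /path/to/prepend.php   (placeholder path)

ini_set('display_errors', '0');   // never echo raw PHP/MySQL errors to visitors
ini_set('log_errors', '1');       // details go to the configured error_log instead

// Write full details to the log; show the visitor only a generic page plus
// a random reference id that lets an admin find the matching log line.
function fail_safely(string $kind, string $msg, string $file, int $line): void
{
    $ref = bin2hex(random_bytes(6));
    error_log(sprintf('[ref %s] %s: %s in %s:%d', $ref, $kind, $msg, $file, $line));

    while (ob_get_level() > 0) {  // drop any half-rendered page
        ob_end_clean();
    }
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    echo '<h1>Sorry, something went wrong.</h1>',
         '<p>Please try again later. Reference: ', $ref, '</p>';
}

// Warnings and notices: log them and let the script continue.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    if (error_reporting() & $no) {    // honour error_reporting and the @ operator
        error_log(sprintf('PHP error %d: %s in %s:%d', $no, $msg, $file, $line));
    }
    return true;                      // skip PHP's built-in handler
});

// Uncaught exceptions (including PHP 7+ Error objects).
set_exception_handler(function (Throwable $e): void {
    fail_safely(get_class($e), $e->getMessage(), $e->getFile(), $e->getLine());
});

// Fatal errors that never reach the handlers above (e.g. a parse error in an include).
register_shutdown_function(function (): void {
    $e = error_get_last();
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR;
    if ($e !== null && ($e['type'] & $fatal)) {
        fail_safely('Fatal error', $e['message'], $e['file'], $e['line']);
    }
});

ob_start();  // buffer output so a partial page can be replaced by the error page
```

A parse error in the main script itself happens before the prepend file runs, so display_errors = Off in php.ini is still needed for that case.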
-
09-12-2004, 02:01 AM #5 Junior Guru Wannabe
- Join Date
- Sep 2004
- Posts
- 35
Nice post, OscarG.
I only have one problem. No matter what file I specify for error_log like in your example
; Log errors to specified file.
error_log = /var/log/php.err
it ignores /var/log/php.err and the errors always get sent to my apache error_log file.
One thing that works is to set it on startup in a php script like
Code:
<?php ini_set('error_log', '/tmp/php.err'); ?>
-
09-16-2004, 05:32 AM #6 Newbie
- Join Date
- Sep 2004
- Location
- Brugge - Belgium
- Posts
- 29
I think the meaning of an error message is to let you know there is something wrong. Personally, I always try it locally and afterwards I put it public, so where is the problem for attackers?