PHP Error Reporting and Security

Error reporting in PHP gives valuable insight during the development stages. This insight can be a great aid to problem solving. There are others, however, who are interested in why your web site has failed on occasion. The information thrown out by many PHP errors (file paths, line numbers, SQL fragments, stack traces) tells an attacker a great deal about your web application and can leave you vulnerable to crackers (malicious web site breakers). In fact, apart from reading the code itself, error reporting is some of the most valuable intelligence an attacker can gather when looking for vulnerabilities in your web application.

So, what should be done once you launch your new web site? Well, as proud as you may be of your new creative genius, a wise web developer has the humility to recognize that bugs are still likely to surface from time to time. While you do not want any attackers to see error reporting, the information is still valuable to you for squashing bugs. You can (and should) write your error reporting to a file. Actually, PHP does this by default. If you are on a shared server, though, you likely will not have access to this file. You will need to write these errors to your own file.

Don’t Worry, Writing Errors to a File Is Easy
All you need to do is make a few adjustments in your php.ini file. Here are a few php.ini directives that are relevant:

•    display_errors This directive controls whether PHP errors should be sent to the screen (and therefore to the browser). For the production environment this should be turned off.
•    error_reporting This directive controls which errors should be reported. You should set this to E_ALL, and you should fix all issues that appear by doing this.
•    log_errors This directive controls whether errors should be logged to a file. I would recommend that you always turn this on.
•    error_log This is the path of the file errors should be written to. This only applies if log_errors is turned on, obviously.

Your directory structure affects how error_log is set, since it involves creating a path to the error log. Choose a path outside the web root so the log itself cannot be requested over HTTP.
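For the shared-hosting case mentioned above, where php.ini is not editable, the same four directives can be applied at runtime from a bootstrap file included by every entry script. This is an added example, not code from the original post; the log path and the APP_ENV variable are assumptions:

```php
<?php
// Added example: production error-reporting bootstrap applied with ini_set()
// instead of php.ini. Include it before any other code in each entry script.
declare(strict_types=1);

// Assumption: APP_ENV=development is set only on developer machines.
$inDevelopment = getenv('APP_ENV') === 'development';

// error_reporting: report everything, in every environment, so bugs reach the log.
error_reporting(E_ALL);

// display_errors: on for developers, never on a live site.
ini_set('display_errors', $inDevelopment ? '1' : '0');
ini_set('display_startup_errors', $inDevelopment ? '1' : '0');

// log_errors + error_log: write to our own file, outside the web root (assumed path).
// The web server user must have write permission on this directory.
$logFile = dirname(__DIR__) . '/logs/php-errors.log';
ini_set('log_errors', '1');
ini_set('error_log', $logFile);

// An uncaught exception would otherwise be rendered by PHP, including its stack
// trace. With a handler installed PHP no longer logs it itself, so record the
// detail here and give the client only a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf(
        "Uncaught %s: %s in %s:%d\n%s",
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(), $e->getTraceAsString()
    ));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred.';
});

// Fatal errors are already written to error_log by PHP when log_errors is on;
// this only replaces the blank page the client would otherwise see.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR, E_PARSE];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo 'An internal error occurred.';
    }
});
```

Check the result by requesting a page that deliberately throws in a test environment: the browser should show only the generic message while the full trace appears in the log file.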

The important thing to remember is that you want to be cautious about what information your error reporting is throwing out to the client. Whenever possible, keep it private. While it should be safely tucked away, it does provide valuable information to you as a web developer. So, keep it handy.

There are many other things to consider in safely setting up a PHP environment with security in mind. We will discuss these in future posts.
