PHP Security Tip #2
by Cal Evans (editor)
|
3 comments | Friday, March 2, 2007
Security by obscurity is no security at all. On the other hand you don't want to give away information about your site either. Today's tip is a simple one but one that is often overlooked in production environments.
Make sure you do not display errors and potentially leak information about your site.
Simply setting display_errors = Off in your php.ini of your production server will prevent you from leaking information that may give intruders hints to the structure of your system. By default, display_errors = On.
You can find more information and error reporting options in the manual's Error Handling and Logging Functions Introduction section.
Comments
Well, this was one heck of a funny read, considering the recent post about devzone.php.com's error handling over at www.onphp5.com [1].
Perhaps you should implement Security Tip #2 yourself before telling the world it's a good idea ;)
[1] http://www.onphp5.com/article/19
Yes, during our recent battles with hardware an MySQL it did come to light that we had left this on instead of writing them out to the log file.
Consider us busted. :)
=C=