Security by obscurity is no security at all. On the other hand, you don't want to give away information about your site either. Today's tip is a simple one, but one that is often overlooked in production environments.
Make sure you do not display errors and potentially leak information about your site.
Setting display_errors = Off in the php.ini of your production server stops error messages from being shown to visitors, so they cannot leak information that may give intruders hints about the structure of your system. By default, display_errors = On.
You can find more information and error reporting options in the manual's Error Handling and Logging Functions Introduction section.
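
An added example (not from the original article): a small Python check that reads php.ini text and reports whether display_errors ends up enabled. It assumes a later assignment of a directive replaces an earlier one; the requirement that log_errors be set explicitly is this example's own policy, and WEAK_INI and HARDENED_INI are constructed samples.

```python
# Added example: static audit of php.ini text for the setting discussed above.
TRUE_VALUES = {"1", "on", "yes", "true"}   # PHP ini spellings of boolean "on"
STREAM_VALUES = {"stdout", "stderr"}       # display_errors also accepts these

def effective_settings(ini_text):
    """Parse 'directive = value' lines; a later assignment replaces an earlier one."""
    settings = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip ; comments (simplified)
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip().strip('"')
    return settings

def audit(ini_text):
    """Return a list of findings; an empty list means the file passes."""
    s = effective_settings(ini_text)
    findings = []
    # The article states the default is On, so a missing directive counts as On.
    display = s.get("display_errors", "On").lower()
    if display in TRUE_VALUES or display in STREAM_VALUES:
        findings.append("display_errors is enabled")
    # Policy of this example: require logging to be switched on explicitly.
    if s.get("log_errors", "").lower() not in TRUE_VALUES:
        findings.append("log_errors is not explicitly On")
    return findings

# Constructed sample: Off near the top, re-enabled further down.
WEAK_INI = """\
[PHP]
display_errors = Off
error_reporting = E_ALL
display_errors = On   ; left over from debugging
"""

# Constructed sample of a production configuration.
HARDENED_INI = """\
[PHP]
display_errors = Off
log_errors = On
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(text) or "OK")
```

The check only covers the file it is given; values changed at runtime or by per-directory configuration are not seen by it.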

Comments
Well, this was one heck of a funny read, considering the recent post about devzone.php.com's error handling over at www.onphp5.com [1].
Perhaps you should implement Security Tip #2 yourself before telling the world it's a good idea ;)
[1] http://www.onphp5.com/article/19
Yes, during our recent battles with hardware and MySQL it did come to light that we had left this on instead of writing them out to the log file.
Consider us busted. :)
=C=