Please turn display errors OFF

Production websites should not have big ugly php errors. If you leave display_errors on you are asking for trouble. Even worse is when this mistake is made on a site frequented by geeks of all flavors. PHP already has a "bad rap" for security (deserved or not).

The latest site to be a perpetrator of this problem? home of the great comic. (thanks to Pierre for pointing it out) But please, turn display_errors off and log them!

[photopress:wt4808a44ac4d31_thumb_large.jpg,thumb,pp_image] - here's a pretty look at the site, recorded for posterity by webthumb.

I like to set up "environments" in my applications that deal with things like display_errors and other ini settings that can be altered at runtime that I want changed depending on if I'm debugging, testing, or deploying the application.

What's your favorite PHP website error story?

Edit: I've found a couple of linkbacks saying things like "oh you shouldn't turn errors off you should fix them" - I think you missed the point. I'm not advocating turning ERRORS off, I'm saying on a production site don't be stupid and show them to the user - hence display_errors should be off (see, display_errors not error_reporting...errr duh). Log your errors people!


Philip Olson

Many official mirrors leave display_errors on, and as you can imagine it's embarrassing when an error is committed to phpweb. One day here someone will mention this setting within although now that you raised the question I have a hunch we'll all talk about it and do something there soon... :)

2008-04-18 7:13 am


My favorite PHP website error story is about a hoster that disabled display_errors, did not log them (or at least didn't allow me to access those logs) and also forbid to change the setting myself.

Finding a bug that was not reproducable on a development machine was really fun this way.

2008-04-18 7:42 am


My favorite error website was StudiVZ (a german Facebook clone) - some file couldn't be located, and the path it has been searched for was "/var/www/clone/facebook" ... great deal!

2008-04-18 9:56 am

Joe Stagner

Since you fired Gmail - please email me about the Windows Build Team :)

2008-05-27 2:58 am


If you're that torn up about seeing the php errors, why not try writing php without errors in it?

2008-06-13 2:07 am


I think Phil, that you completely missed the point - this is about security and leaking information, not "PHP without errors"

2008-06-13 4:20 am

Post a Reply