Please turn display errors OFF

Production websites should not show big, ugly PHP errors. If you leave display_errors on, you are asking for trouble. Even worse is when this mistake is made on a site frequented by geeks of all flavors. PHP already has a "bad rap" for security (deserved or not).

The latest site to be a perpetrator of this problem? http://www.dilbert.com/, home of the great comic. (Thanks to Pierre for pointing it out.) But please, turn display_errors off and log them!

[Image: a pretty look at the site, recorded for posterity by webthumb.]

I like to set up "environments" in my applications that deal with things like display_errors and other ini settings that can be altered at runtime and that I want changed depending on whether I'm debugging, testing, or deploying the application.

What's your favorite PHP website error story?

Edit: I've found a couple of linkbacks saying things like "oh you shouldn't turn errors off you should fix them" - I think you missed the point. I'm not advocating turning ERRORS off, I'm saying on a production site don't be stupid and show them to the user - hence display_errors should be off (see, display_errors not error_reporting...errr duh). Log your errors, people!
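A sketch of the "environments" idea with the display_errors / error_reporting distinction made explicit. This is an added example, not code from the original post; the `APP_ENV` variable, the `configure_errors()` helper and the log path are assumptions made for illustration.

```php
<?php
// Added example: hypothetical per-environment error bootstrap.
// APP_ENV, configure_errors() and the log path are illustrative assumptions.

const ENV_SETTINGS = [
    'development' => ['display_errors' => '1', 'html_errors' => '1'],
    'testing'     => ['display_errors' => '1', 'html_errors' => '0'],
    'production'  => ['display_errors' => '0', 'html_errors' => '0'],
];

function configure_errors(string $env, string $logFile): string
{
    // An unknown or missing environment name fails closed to production.
    if (!array_key_exists($env, ENV_SETTINGS)) {
        $env = 'production';
    }

    // Errors stay ON everywhere: report everything and always log it.
    // Only where the message ends up differs between environments.
    error_reporting(E_ALL);
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);

    foreach (ENV_SETTINGS[$env] as $key => $value) {
        ini_set($key, $value);
    }

    if ($env === 'production') {
        // Uncaught exceptions: full detail to the log, generic page to the visitor,
        // so no file paths or stack traces reach the browser.
        set_exception_handler(function (Throwable $e): void {
            error_log(sprintf(
                'Uncaught %s: %s in %s:%d',
                get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
            ));
            if (!headers_sent()) {
                http_response_code(500);
            }
            echo 'Something went wrong. Please try again later.';
        });
    }

    return $env;
}

// getenv() returns false when APP_ENV is unset, which also falls back to production.
$active = configure_errors(getenv('APP_ENV') ?: 'production', __DIR__ . '/../logs/php-error.log');
```

`ini_set()` runs too late to hide a parse error in the entry script itself, so the production php.ini should also set `display_errors = Off` and `log_errors = On`.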

Comments

Philip Olson

Many official php.net mirrors leave display_errors on, and as you can imagine it's embarrassing when an error is committed to phpweb. One day here someone will mention this setting within php.net/mirroring although now that you raised the question I have a hunch we'll all talk about it and do something there soon... :)

2008-04-18 7:13 am

Balu

My favorite PHP website error story is about a hoster that disabled display_errors, did not log them (or at least didn't allow me to access those logs) and also forbade me to change the setting myself.

Finding a bug that was not reproducible on a development machine was really fun this way.

2008-04-18 7:42 am

Pierre

My favorite error website was StudiVZ (a German Facebook clone) - some file couldn't be located, and the path it had been searched for was "/var/www/clone/facebook" ... great deal!

2008-04-18 9:56 am

Joe Stagner

Since you fired Gmail - please email me about the Windows Build Team :)

2008-05-27 2:58 am

Phil

If you're that torn up about seeing the php errors, why not try writing php without errors in it?

2008-06-13 2:07 am

auroraeosrose

I think, Phil, that you completely missed the point - this is about security and leaking information, not "PHP without errors"

2008-06-13 4:20 am
