Hide Php Errors

[mlex]

I was trying to disable them via .htaccess file(using php_flag), but quickly noticed I'm not the only one who tried it and this method is not allowed on HelioHost.

 

So, basically, how do I disable them? I couldn't find anything related to it on HelioNet

[wolstech]

Add this to the top of your PHP files (I recommend doing it in an include that's used by everything in your application, like a DB config file, so it only has to be done once):

<?php
error_reporting(0);
?>

[mlex]

Cool, wolstech, thanks!

 

But is it possible to enable only logging with this function?

[wolstech]

There's probably no way to do it, but you can test to see if the log still generates with this option set: See if an error_log file appears in your script's folder after there's an error. Then delete the log, add the error_reporting(0); and try it again.

 

Many of us prefer the errors shown anyway (you're actually the first in a long time to ask to turn them off), since it helps users report bugs in applications. Would you rather get an email saying "It doesn't work when I try to log in" or an email saying "I tried to log in but it gave me an error about some unexpected ')' on line 37"?

 

The latter is much a more useful report than the former in my opinion...

[mlex]

Yeah, I know about the error log file - I tested it and it didn't logged the error - that's why I was wondering if it's possible to enable logging with it, because with php_flag you actually can do this, but with this option I couldn't find a way.

 

It's very unsecure enabling them. It's way too easy to see your DB username and password.

[wolstech]

If that's the concern, just put @ in front of the connect statement line (e.g. @mysql_connect. (An @ prevents a single line from producing errors). I run numerous websites in production (several of which are hosted here), all have their errors publicly visible, and have never had an issue.

 

Also, I've never seen a password appear publicly as a result of a crashed/erroring DB server, something which, back when we had Stevie, was a very common occurrence. The errors just show usernames, usually dbuser@localhost. We do not consider usernames to be sensitive information (we ask people to post them all the time).

[mlex]

Oh, I'll check it out with the "@" sign. I'm kinda noobie in PHP, so I'm not aware of many things of it yet.

 

I've used PDO interface for the connection, but when I ran into some stupid error with DB connection, it gave me the whole line of connection code "as is", with hostname, db name, db username and... db password. I was kinda shocked by that, but when googled this out, I found out I'm not the only one.

 

As it seems, simply by flooding http or getting some typical errors with db may cause this kind of output, so everywhere it's suggested to disable php error output, but enable it in the logs, that what I was aiming to do as well.

[wolstech]

The regular mysqli library doesn't do that, it gives an error that doesn't include the actual line of code...can't speak to PDO, but if it really dos that, that's some poor design of PDO's errors.