Logging

From SecurePHPWiki
Jump to: navigation, search

For released software, errors should be logged instead of displayed in the browser. Error messages can help a malicious user find weak points in a script.

The following code will ensure that all non-fatal errors will be logged to a local file and not displayed in the browser. <? ini_set('log_errors',1); ini_set('error_log','./.ht_php_errors'); ini_set('display_errors',0); ?> The file should be kept in a place that is not web-accessible, or on Apache servers prefixed by ".ht"

For more information, check out php.net's error handling page.