Depending on its configuration settings, PHP may or may not display error messages. On production web sites, I recommend keeping this feature disabled. An extra message for a hacker is an extra hint toward a successful break-in. For example, a message about excess parameters tells me that the script does not check the number of parameters passed to it, so it may skip other checks as well, such as whether the system function is called the right way. We will return to the dangers of this function repeatedly in this book.
A system used for application development must report every error; otherwise, it is more likely than not that you will miss some potential errors and will not be able to understand why the script code is not behaving the way you intend it to.
Error reporting is enabled by setting the error_reporting parameter in the php.ini file to E_ALL. Error messages may also be issued when numeric data is compared with string data. For example, adding an error_reporting(E_ALL) call at the beginning of the script containing the print_max() function (see Section 2.8) produces the following warning when a number and a string are compared:
Warning: Use of undefined constant sdf23 - assumed 'sdf23' in /var/www/html/1/functions1.php on line 25
The error_reporting() function sets the error reporting level. Passing E_ALL displays all warnings and error messages. Warnings and notices in a specific script can be disabled by placing the following line at the beginning of the script:
error_reporting(E_ALL - (E_NOTICE + E_WARNING));
To change the error reporting level for the entire server, edit the error_reporting parameter in the php.ini file. The comments in that file also list the available error reporting levels.
Once again, I remind you that error reporting should be disabled on production web sites. For example, an error message revealing that a script is susceptible to SQL injection, issued by a production server, makes it much easier for a hacker to determine the database structure.
If your system is configured to display all warnings and errors, you can prevent a particular function call from displaying error messages by prefixing it with the @ character. For example, if the print() function is called as @print(), it will not display any warnings or error messages.
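The following script is an added example, not code from the book, that puts the settings discussed above into one bootstrap. The point a practitioner should take from it is that the error level (error_reporting), the delivery to the browser (display_errors) and the delivery to the server log (log_errors) are three separate knobs: a production server keeps E_ALL and log_errors on so operators still see the failures, and switches only display_errors off so the visitor sees nothing. It also shows the subtraction form from the text beside the equivalent bitwise mask, and how the @ operator interacts with a custom handler. The APP_ENV environment variable and the /var/log/php/app.log path are assumptions of the example; the ini directives and functions are PHP's own.

```php
<?php
// Added example (not from the book). Assumption: the deployment exports an APP_ENV
// environment variable set to "production" or "development".
declare(strict_types=1);

function configureErrorReporting(string $env): array
{
    // Report everything in both environments; what differs is where the messages go.
    error_reporting(E_ALL);
    if ($env === 'production') {
        ini_set('display_errors', '0');               // never echo messages to the client
        ini_set('log_errors', '1');                   // keep them for the operators
        ini_set('error_log', '/var/log/php/app.log'); // assumed log path
    } else {
        ini_set('display_errors', '1');               // developers want to see them at once
        ini_set('log_errors', '1');
    }
    return [
        'error_reporting' => error_reporting(),
        'display_errors'  => ini_get('display_errors'),
        'log_errors'      => ini_get('log_errors'),
    ];
}

// Custom handler: full detail goes to the log, nothing useful goes to the visitor.
function installQuietHandler(): void
{
    set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
        // Respect the current level. Inside an @-suppressed expression the level is
        // reduced, so this check is what makes @ effective for a custom handler too.
        if (!(error_reporting() & $errno)) {
            return false;
        }
        error_log(sprintf('[php %d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
        if (ini_get('display_errors') === '1') {
            echo "PHP message: $errstr\n";
        }
        return true; // true: PHP's built-in handler does not run as well
    });
}

// The subtraction used in the text and the bitwise mask give the same level here,
// because E_ALL contains both bits; the bitwise form is the idiomatic one.
function levelWithoutNoticesAndWarnings(): array
{
    return [
        'subtraction' => E_ALL - (E_NOTICE + E_WARNING),
        'bitmask'     => E_ALL & ~(E_NOTICE | E_WARNING),
    ];
}

// @ silences one expression only; it is no substitute for the server-wide settings.
function readOptionalFile(string $path): ?string
{
    $data = @file_get_contents($path);
    return $data === false ? null : $data;
}

$env = getenv('APP_ENV') ?: 'development';
var_dump(configureErrorReporting($env));
installQuietHandler();
var_dump(levelWithoutNoticesAndWarnings()); // both entries hold the same integer
var_dump(readOptionalFile('/nonexistent/file')); // NULL, and no warning reaches the browser
```

Run it once with APP_ENV=production and once without to see the same missing-file failure land in the log in the first case and on screen in the second; the visitor-facing output never contains the path or the function name either way.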