#1
  1. No Profile Picture
    Contributing User
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Dec 2004
    Posts
    2,996
    Rep Power
    375

    Error logging etc - check if I got this right


    I have the following code set up with regards to showing/logging errors:

    PHP Code:
    if ( strpos( $_SERVER['SCRIPT_FILENAME'], "C:/Documents/" ) !== false ) { // local

        ini_set( 'display_errors', 'on' );
        error_reporting( E_ALL | E_STRICT );
        ini_set( 'log_errors', 'on' );

    } elseif ( strpos( $_SERVER['SCRIPT_FILENAME'], "test" ) !== false ) { // test

        ini_set( 'display_errors', 'on' );
        error_reporting( E_ALL | E_STRICT );
        ini_set( 'log_errors', 'on' );

    } else { // live

        ini_set( 'display_errors', 'off' );
        error_reporting( E_ALL & ~E_NOTICE );
        ini_set( 'log_errors', 'on' );

    }

    Am I right in thinking log_errors will just output errors to the logs directory by default? Should I specify a specific directory, or is the default OK?
  2. #2
  3. Confused badger
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Mar 2009
    Location
    West Yorkshire
    Posts
    1,112
    Rep Power
    487
    There's no need to change the default error log unless you really really want to.
    "For if leisure and security were enjoyed by all alike, the great mass of human beings who are normally stupefied by poverty would become literate and would learn to think for themselves; and when once they had done this, they would sooner or later realise that the privileged minority had no function and they would sweep it away"
    - George Orwell, 1984
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    this makes no sense.

    In general, you cannot change the error handling at runtime. The new settings will only apply to runtime errors which happen after the error_reporting() call. Anything before that (like a parse error) isn't affected and will use the settings from the php.ini.

    I'm also not sure about the purpose of those settings. In my opinion, the error reporting is a matter of the server configuration. On localhost, you configure your server for a test environment. On the live server, you set up a configuration for a live environment.

    Apart from that, there are technical issues:

    Your strpos() looks up the substring at any position. So /var/www/detestable/super_secret.php would also count as "test". And why do you have two if branches with the exact same content?
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Dec 2004
    Posts
    2,996
    Rep Power
    375
    So what you are saying is do the same thing but use the php.ini settings?

    Regarding two branches: I had extra code which is different for each branch (which I omitted as it wasn't relevant).

    Regarding the use of "test": I am sorry, it is a username (so "something_test", but I omitted the actual username). The point was to distinguish: one setting is for local, one for test and one for live (so what I am trying to do is, for local/test, turn on error reporting and for live turn on the logging).
  8. #5
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by paulh1983
    So what you are saying is do the same thing but use the php.ini settings?
    Yes.



    Originally Posted by paulh1983
    Regarding the use of "test": I am sorry, it is a username (so "something_test", but I omitted the actual username). The point was to distinguish: one setting is for local, one for test and one for live (so what I am trying to do is, for local/test, turn on error reporting and for live turn on the logging).
    It's still the same problem: Your search completely disregards the structure of the path and simply looks for a substring anywhere in the path. I'd expect it to look for a folder or file with that name. Or at least a prefix/suffix.

    But like I said, I think the whole approach doesn't really make sense. At most, I'd introduce a TEST_MODE flag in the configuration. But that still wouldn't solve the problem of changing the error handling at runtime.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Dec 2004
    Posts
    2,996
    Rep Power
    375
    Yes, but if I set everything up in the ini settings, I wouldn't then need to do anything at run time, no?

    Because a username will not be repeated elsewhere, I am not going to have paths that go something like /path/username/path/username.php. That username is guaranteed to be unique.
  12. #7
  13. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by paulh1983
    Yes, but if I set everything up in the ini settings, I wouldn't then need to do anything at run time, no?
    You only use the php.ini -- or a .htaccess in case you need application-specific settings. You don't make runtime changes at all. Like I said, you cannot properly set the error handling at runtime.*



    Originally Posted by paulh1983
    Because a username will not be repeated elsewhere, I am not going to have paths that go something like /path/username/path/username.php. That username is guaranteed to be unique.
    That's not the point. The problem is that the username might coincidentally appear as a substring in a completely different context. See my example above: "test" is included in "detestable". But the latter surely has nothing to do with a "test".

    Depending on the username, this risk might be very small. But it's still an incorrect approach.



    * For the sake of completeness: You could theoretically use auto_prepend_file to run a PHP script before the actual application. This script would load your configuration script and set the error reporting accordingly. But this is just weird.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
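
The per-server setup recommended in this thread, as an added example that is not part of any post: the three settings from the opening post written as php.ini directives, one set for the local/test server and one for the live server. The error_log path is a placeholder, and the two sets belong in two different php.ini files.

```ini
; Added example, not code from the thread.
; php.ini is read before any script runs, so these values also govern
; parse errors, which an ini_set() call inside the script cannot affect.

; ---- php.ini on the local / test server ----
error_reporting = E_ALL | E_STRICT     ; same level as the opening post
display_errors = On                    ; show errors in the response
display_startup_errors = On
log_errors = On

; ---- php.ini on the live server ----
error_reporting = E_ALL & ~E_NOTICE    ; same level as the opening post
display_errors = Off                   ; never send error text to visitors
display_startup_errors = Off
log_errors = On
; With error_log unset, PHP hands messages to the SAPI's error logger:
; the web server's error log under Apache, stderr on the CLI.
; Set it only if PHP errors should go to a file of their own
; (placeholder path; keep the file outside the document root):
;error_log = /path/to/php_errors.log

; Per-application override in .htaccess (PHP running as an Apache module):
;   php_flag display_errors off
;   php_flag log_errors on
```

With display_errors off on the live server, error text (file paths, query fragments, stack details) stays in the log instead of reaching the browser.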