PHP-Security - Exception questions

I have never really "got" the exceptions but I am trying to learn them Now..

I am querying a webservice which returns an exception called "ErrorException" when trying to use its login method.. so am i "correct" in using this approach:




[/php]

Hi,

we had a similary discussion just yesterday.

No, it's not correct. Internal error messages are meant for the developers, not the end users. Your users don't need to see your internal bug reports -- in fact, they must not see them, because this could give them critical information and allow them to run specific attacks on your website.

So this whole die($error->getMessage()) is generally nonsense -- I wonder why it's so popular.

When you only display the message, you also lose important info like where the exception occured and which function calls lead to it.

The question is: Why do you even want to catch the exception at that point? Just to write "Connection error:" in front of it? That's kind of pointless.

Only catch an exception if you actually wanna do something with it -- like retrying the action, using a fallback route etc. Otherwise, just let it "bubble up". On the top level (the PHP script called by your webserver), catch all exceptions, write the important data (message, stack trace etc.) into a log file, send a 500 status code and display some generic error message like "An internal error has occured. Our staff is working hard on fixing it. We are so sorry..." yada yada yada.

Since we're on the topic of the die statement, I just wanted to know anyone's thoughts on the following:



I seen this from a book that I'm currently reading "Beginning PHP 5.3" and no that isn't a typo for echo is written instead of die. I'm suspecting this isn't as bad as using die, my reasoning (which I'm probably wrong) is the echo doesn't stop the script like die does? Though even then I don't see the purpose of the displaying it, for if it doesn't work it doesn't work.

Jacques: funnily enough i have seen that topic/discussion.

Apologies if i wasnt clear, the main "thing" i wanted to emphasise was the:

catch (ErrorException $e)

part.. i.e. i often get confused what should be put in here so if a webservice returns ErrorException should i put that into the ( ) ..

Also you are right, i am NOT going to display anything to user.. If an error occured, i will "log" it..

Yes, you should always catch the specific exception you expect from that bit of code. You can also catch different exceptions in different catch blocks.

But like I said: There's no point in catching an exception if there's nothing you wanna do with it. Logging is done on the top level. It would be insane to repeat the same logging code thousand times for every piece of that that might throw an exception.

---------------



It's true that it doesn't stop the script, and that makes it even worse. The script will keep on running until it crashes at the next query with some weird error message talking about a "non-object".

The problem is that many PHP programmers -- obviously even the ones who write books -- aren't familiar with exceptions at all. Exceptions are pretty "new" in PHP, they were only added in 2004. I have the feeling that people somehow try to do the same (bad) things with exceptions like they did with the old error system they're more familiar with.

This ... die($error->getMessage()) reminds me of the equally bad ... or die(show_the_error_message()) often seen in old code.

Just to continue the useful/uselessness discussion from yesterday. Perhaps, I should have done this to make it clear what the objective was.

OK, now it's no longer dangerous, but it still makes no sense.

I mean, do you want to repeat this try-catch block on every single line of your code? Because I'm pretty sure you wanna track all exceptions and not just this particular one (if not, what happens with the others?).

If you want to specify a global exception handler, make a global try-catch block wrapping all code as explained above:


You can do the same thing more elegantly with set_exception_handler. Also have a look at set_error_handler, because this will also fetch the old errors.

jacques.. .can you give me an example of a top level exception handler thing you are on about? because I *see* what you are trying to say.. instead of repeating.. just have it once and that makes lot of sense.. would i do: (from googling)



or multiple try and one catch :s

When you've set the exception handler, it will catch all previously uncaught exception, so you don't need any other try-catch blocks -- unless, of course, you want to handle a specific exception differently.



Unfortunately, PHP uses three different ways of indicating bugs: return values, errors and exceptions (exceptions are also errors). So you're probably better off using set_error_handler() to catch all errors (including exceptions).

Note, however, that this completely overrides the default behaviour for errors, so you have to call die() manually to get back the original behaviour. A custom error also can't catch all errors, so you still need to turn display_errors off in your php.ini to prevent the leaking of error messages.

And the return values of course require extra handiwork.

Yeah, PHP is a mess.

The first part (ErrorException) is the name of a PHP class. Exceptions are objects, and as such, they have a class type. $e is just the name of a variable to assign the exception to; you can arbitrarily define this.

The exception will only be caught by that catch block if the type of the exception object is an 'instanceof' of the class defined in the catch block.

For example, catch(Exception $ex) will catch all exceptions, because all exception classes extend the Exception class.

catch(ErrorException $ex) will only catch exceptions of the type ErrorException or subclasses of ErrorException. It would not catch a PDOException for example.

When you throw an exception you are throwing an object. Usually this is reduced to: throw new ErrorException();

But you could just as easily do:




It's popular because when you're writing a tutorial or documentation you want to get rid of as much irrelevant code as possible to avoid using more of the readers' time than necessary. If I'm writing documentation for a webservice with a login method that throws an ErrorException method, it's not relevant to the login() method how the end-user's application handles errors at a global level. Plus, there are dozens of ways of handling errors, and as the documentation writer I have no idea which method a person may be using. Even if I do give an example of global error handling in my documentation code samples, it's going to be useless noise to 90% of the readers.


Alternatively, you can use an error handler to convert normal errors into exceptions.

Yes, that's why the tutorials writers shouldn't catch the exception at all. It's totally useless in this context and gives people the false impression that somehow every new PDO must be wrapped in a try-catch block and that error handling consists of echoing the internal error message on the website (which exceptions do by default, anyway).

And to be honest: I don't think all those tutorial writers have put as many thoughts into this as you do. They just copy and paste their stuff from someone who has copied and pasted their stuff from someone who has copied and pasted their stuff from someone ... And nobody ever thinks it through.

It's the same reason why people use


By the way, the intelligent tutorials actually do get it right:



Doesn't that wrap it up pretty well?