PHP Error Handling & Reporting
Error Handling Never allow a default error message or error number returned by the mysql_error() and mysql_errno() functions to be displayed to the public. Any error messages viewable by the public should be customised (confidential information stripped out) and made to look more user-friendly Information returned by mysql_error() and mysql_errno() functions may expose vulnerabilities of the server, providing a means of attacking it. In a production environment, scripts should be written to display a user friendly custom error message not revealing information about the PHP scripting engine or the MySQL database. A script can be included to write the error code and error message to a log file in a secure area (not in the public accessible folders)
Default error messages In this example an attempt is made to divide by 0 (impossible), and an error message appears when the script is parsed The error message exposes the location of the file in the server’s directory structure to visitors or potentially any hackers.
set_error_handler() function A customised error function creates a less intrusive error message and hides confidential information from potential hackers. The set_error_handler function is used to customise how error reporting occurs Screen output:
Error Reporting Level Setting the error reporting level to 0 switches error reporting off. In this example, dividing 3 by 0 is impossible and would normally throw an error. In this case the error reporting level is set to 0 so the error is not exposed The calculation does not take place.
What to do with error information? Save the error to a database or to a local text file Redirect the user to another page Provide a user-friendly customised error message to avoid putting people off the website Store the date/time of the error Write a script to errors to the web master Best Practices? Always avoid errors being displayed in the live environment (public) If errors occur in the script when run, make sure the errors are logged somewhere secure. Best practice is to avoid errors occurring in the first place
Form Validation Validate user input – this reduces the risk of being hacked. PHP scripts used to validate user input are server –side and more secure than JavaScript form validation scripts JavaScript can be turned off in the browser by the user, rendering JavaScript ineffective.
htmlspecialchars() The htmlspecialchars() function converts special characters to HTML entities. This means that it will replace HTML characters like with < and >. This prevents attackers from exploiting the code by injecting HTML or Javascript code (Cross-site Scripting attacks) in forms ">
File uploads To prevent the user uploading a file such as an executable or a file that could be a security risk, add an IF statement to validate user input. For example, restrict the user to uploading only GIF or JPG files. To use or, use the || characters.
Error Control Place in front of the variable name to tell server to ignor error if it occurs. E.g. if user user has not inputted their name on a form, the variable $name will not exist, so symbol ignors this.
.htaccess Use.htaccess to restrict folder access Username: alansebrill Password:journey Encrypted algorithm: alansebrill:$apr1$9.m5dEw/$CkD0Nwueiiv0JpmYbXlTr0