Protecting against unplanned information disclosure
Display of errors
- php.ini setting display_errors
- Display errors should be ON for development
- Display errors should be OFF for production
Error handling
- Use if statements to anticipate error conditions
- Use the ternary operator to test for a value and set a default
- Use set_error_handler() for custom error handling
- Also: debug_print_backtrace()
Error reporting and logging
- The error_reporting php.ini directive (also settable at runtime with error_reporting()) should be set to its maximum level
- Use error_log() to log your own errors
Exception handling
- Use try/catch blocks to trap exceptions
- Custom exception classes extend Exception
- Use set_exception_handler() for custom handling of uncaught exceptions
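The three lists above (error handling, error reporting and logging, exception handling) combined in one production bootstrap file. This is an added example, not code from the original slides; the log path, the request-handling functions and the data-access stub are assumptions.

```php
<?php
// Added example, not from the original slides: production-safe error and
// exception handling. Assumed: this file is included at the start of every
// request; the log path and fetchRows() are constructed stand-ins.
declare(strict_types=1);

// Report everything internally, but never show it to the client.
error_reporting(E_ALL);
ini_set('display_errors', '0');               // '1' in development only
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');  // assumed path

// Custom exception class: extend Exception so callers can catch it specifically.
class DatabaseUnavailableException extends Exception {}

// set_error_handler(): convert notices/warnings into exceptions so they take the
// single exception path below instead of being printed into the page.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // suppressed with @: fall back to PHP's own handler
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// set_exception_handler(): last resort for uncaught exceptions. Full detail goes
// to the log via error_log(); the client sees only a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d%s%s', get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine(), PHP_EOL, $e->getTraceAsString()));
    http_response_code(500);
    echo 'An internal error occurred. Please try again later.';
});
// Constructed stand-in for real data access: simulates an outage.
function fetchRows(int $page): array {
    throw new DatabaseUnavailableException("connection refused (page $page)");
}

// try/catch for the failure you anticipate; anything else reaches the handler above.
function loadPage(int $page): array {
    try {
        return fetchRows($page);
    } catch (DatabaseUnavailableException $e) {
        error_log('DB unavailable: ' . $e->getMessage());
        return []; // degrade gracefully; no stack trace reaches the user
    }
}
// Ternary to supply a default instead of reading an undefined index (a notice).
$page = isset($_GET['page']) ? (int) $_GET['page'] : 1;
echo json_encode(loadPage($page));
```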
Improving code efficiency
- Tight code produces fewer accidental disclosures
- IDEs will highlight certain errors
- Command line: php -l filename (syntax check only) and php -f filename (run the file)
- PHP_CodeSniffer