Is error_reporting(0) same as ini_set('display_errors', 0)? If not, what is the difference?
I'm also interested in security side of this code? Can I achieve 'so malicious users can't probe' with this?
-
1The only difference is this: "Although display_errors may be set at runtime (with ini_set()), it won't have any affect if the script has fatal errors. This is because the desired runtime action does not get executed.".Amal– Amal2014-05-02 20:44:47 +00:00Commented May 2, 2014 at 20:44
-
1@AmalMurali - that's true of both functions. PHP files are parsed completely before any code in that file is executed, so any function you use to enable error reporting will not be executed if there are parse errors in the same file.Sam Dufel– Sam Dufel2014-05-02 20:49:42 +00:00Commented May 2, 2014 at 20:49
Add a comment
|
1 Answer
They are NOT the same, but in your use may have the same outcome.
error_reportingis the level of reporting, NONE through ALL. This determines what types of errors are reported (E_NOTICE, E_WARNING, E_ALL, etc..).display_errorsis whether to display those errors (output to browser, CLI, etc...) that are reported from 1.
If you set error_reporting(E_ALL) and ini_set('display_errors', '0') you can still get all errors reported in the log file but not displayed.
With error_reporting(0) you don't get any errors displayed or in the log and it doesn't matter the values of display_errors.
display_errors should be off in your production applications, preferably in php.ini so that information such as file paths, database names and usernames are not shown. Error reporting sent to the log is beneficial and should not be a security concern.
2 Comments
mgulan
Can I acchive this security task with them?
AbraCadaver
You want
display_errors off in your app or preferably php.ini. Error reporting sent to the log is beneficial and should not be a security concern.