PHP Security


When you are working on your PHP scripts you need to have error reporting turned on so that you can easily tell what errors are occurring to cause your page to not work, and fix them. When you load the script to your live site you don't want error reporting on, as the messages it displays would provide clues to someone trying to break into the server. You still want access to those messages in case there are further errors that you overlooked.

This is where the error_log file comes in. The errors that were displayed on your test server but are not displayed on your live server get added to the error_log file, so that you can see them at a later time while the person who was trying to view the page when the error occurred can't. All errors, warnings and even notices get written to this file whenever they occur while your scripts are run.

Now obviously you want to have fixed all the actual errors before the site goes live, but sometimes one will slip through and the error_log file will tell you about it. The error may have happened because the files on your live server have got out of sync, with one file update not having been applied, so that you get the error on the live site but not on the test one.

Knowing about the warnings and notices is also useful, as they generally indicate that your page is not coded the best way and that the code may stop working in the future when support for a command you are using is eventually removed.

Another way in which error_log is useful is in showing that your pages are being accessed in ways you didn't expect, where the validation or sanitizing you have at the top of the page is not covering all situations. You may be assuming that a particular variable is always passed to the page, but there are ways to access the page that don't pass that variable.
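The setup described above, as an added example rather than code from the article: everything is reported in both environments, but only the test server displays it, while the live server writes it to the error_log file. It also shows the "variable not passed" case, logging the unexpected access instead of letting PHP emit a warning to the visitor. The APP_ENV variable, the log path and the id parameter are assumptions for the example.

```php
<?php
// Added example. Assumes the environment is identified by an APP_ENV
// variable; the log path and the 'id' parameter are also assumptions.
$isProduction = (getenv('APP_ENV') === 'production');

// Report everything, on both servers, so warnings and notices are not lost.
error_reporting(E_ALL);

if ($isProduction) {
    // Live site: never show messages to the visitor...
    ini_set('display_errors', '0');
    // ...but keep them in the error_log file for later review.
    ini_set('log_errors', '1');
    ini_set('error_log', __DIR__ . '/../logs/error_log'); // assumed path, outside the web root
} else {
    // Test server: show the messages on the page and log them as well.
    ini_set('display_errors', '1');
    ini_set('log_errors', '1');
}

// Don't assume 'id' was passed. filter_input() returns null when the
// variable is absent and false when it is present but not a valid integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    // Record the unexpected access pattern in error_log rather than
    // letting an undefined-index warning reach the visitor.
    error_log('page reached without a valid id from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('Bad request');
}

// Normal processing continues here with a validated integer $id.
```

Because ini_set() only runs once the script has been parsed, set display_errors=Off in php.ini or .htaccess on the live server as well, so that a parse error in a freshly uploaded file is logged rather than displayed.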

Overall this is an extremely useful file to monitor, as it gives you a good indication of the health of your site. The fewer messages written to the file, the better your site is at handling everything your visitors can throw at it. Ideally the file will not even exist, because there will never be a need to record any information about problems with your code.


This article written by Stephen Chapman, Felgall Pty Ltd.
