On 01/04/2012 11:54 AM, Nikita Popov wrote: > On Wed, Jan 4, 2012 at 8:50 PM, Rasmus Lerdorf <ras...@php.net> wrote: >> Since it is one of these remotely-triggered errors that you can't >> program around, it should probably be suppressed when display_errors is >> on. There is another precedence for this, but I am drawing a blank on >> where else we did this right now. >> >> -Rasmus > You mean like with htmlspecialchars() before PHP 5.4? Please don't. > It's really non-obvious to start hiding errors as soon as you enable > error display.
But there is a very valid security concern here. People can usually run safely with display_errors enabled if their code is well-written. They can check for potential errors and avoid them. This one can't be checked for and you could easily write a scanner that scoured the Net for sites with display_errors enabled by sending a relatively short POST request to each one and checking for this error. And there is absolutely nothing people could do about this short of turning off display_errors which we know from experience a lot of people just don't do no matter how much we suggest it. The alternative is to just not have any error message at all. That avoids the discrepancy between the error messages with display_errors on and off. -Rasmus -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
