On Wed, 2012-01-04 at 12:29 -0800, Stas Malyshev wrote:
> Hi!
>
> > But there is a very valid security concern here. People can usually run
> > safely with display_errors enabled if their code is well-written. They
>
> Oh no. Nobody should or can safely run production with display_errors.
> Everybody thinks their code is well-written, but display_errors should
> never be enabled in production, however high is your opinion of the code.
> I'm afraid people now will start quoting this saying "ok, yeah, if
> you're a bad programmer, disable display_errors, but I'm a good
> programmer, my code is solid, I even have a dozen of unit tests, so I
> just go ahead and enable display_errors" and then we have this sad state
> of affairs where sites spill out error messages that are never supposed
> to be seen by clients because developers thought it can never happen.
On shared hosts display_errors typically is on, but the application can
do ini_set('display_errors', 0) or such ...
johannes
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
