On Wed, 2012-01-04 at 12:29 -0800, Stas Malyshev wrote: > Hi! > > > But there is a very valid security concern here. People can usually run > > safely with display_errors enabled if their code is well-written. They > > Oh no. Nobody should or can safely run production with display_errors. > Everybody thinks their code is well-written, but display_errors should > never be enabled in production, however high is your opinion of the code. > I'm afraid people now will start quoting this saying "ok, yeah, if > you're a bad programmer, disable display_errors, but I'm a good > programmer, my code is solid, I even have a dozen of unit tests, so I > just go ahead and enable display_errors" and then we have this sad state > of affairs where sites spill out error messages that are never supposed > to be seen by clients because developers thought it can never happen.
On shared hosts display_errors typically is on, but the application can do ini_set('display_errors', 0) or such ... johannes -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php