Error Reporting

Every developer makes mistakes, and PHP's error reporting features can help you identify and locate these mistakes. However, the detailed information that PHP provides can be displayed to a malicious attacker, and this is undesirable. It is important to make sure that this information is never shown to the general public. This is as simple as setting display_errors to Off. Of course, you want to be notified of errors, so you should set log_errors to On and indicate the desired location of the log with error_log.

Because the level of error reporting can cause some errors to be hidden, you should turn up PHP's default error_reporting setting to at least E_ALL (E_ALL | E_STRICT is the highest setting, offering suggestions for forward compatibility, such as deprecation notices).

All error-reporting behavior can be modified at any level, so if you are on a shared host or are otherwise unable to make changes to files such as php.ini, httpd.conf, or .htaccess, you can implement these recommendations with code similar to the following:

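<?php

// Report every error, including forward-compatibility suggestions.
ini_set('error_reporting', E_ALL | E_STRICT);
// Never show error details to visitors.
ini_set('display_errors', 'Off');
// Record errors in a log file instead.
ini_set('log_errors', 'On');
ini_set('error_log', '/usr/local/apache/logs/error_log');

?>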
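
Because these settings can be overridden at any level, it helps to check the values that are actually in effect for a request. The following is an added example, not part of the original text: audit_error_settings() is a hypothetical helper name, and the sample values are constructed.

```php
<?php
// Added example: audit the effective error-reporting settings.
// audit_error_settings() is a hypothetical helper, not a PHP built-in.

function audit_error_settings(array $ini, $level)
{
    $findings = array();

    // display_errors may hold "1", "On", "stdout" or "stderr";
    // anything other than an "off" value means errors are displayed.
    $display = strtolower(trim((string) $ini['display_errors']));
    if (!in_array($display, array('', '0', 'off', 'false', 'no'), true)) {
        $findings[] = 'display_errors is enabled; error details are shown';
    }

    // log_errors is a boolean flag ("1", "On", "0", "Off", "").
    if (!filter_var($ini['log_errors'], FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'log_errors is disabled; errors will go unnoticed';
    }

    // With an empty error_log, PHP falls back to the SAPI default log.
    if (trim((string) $ini['error_log']) === '') {
        $findings[] = 'error_log is not set; errors go to the SAPI default log';
    }

    // Every bit of E_ALL must be present in the active level.
    if (($level & E_ALL) !== E_ALL) {
        $findings[] = 'error_reporting is below E_ALL; some errors are hidden';
    }

    return $findings;
}

// Constructed sample: a typical development configuration (four findings).
$sample = array('display_errors' => '1', 'log_errors' => '0', 'error_log' => '');
print_r(audit_error_settings($sample, E_ALL & ~E_NOTICE));

// The values in effect for the current request.
$live = array(
    'display_errors' => ini_get('display_errors'),
    'log_errors'     => ini_get('log_errors'),
    'error_log'      => ini_get('error_log'),
);
print_r(audit_error_settings($live, error_reporting()));
?>
```

An empty array from the second call means the recommendations above are in effect for that request.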

PHP also allows you to handle your own errors with the set_error_handler() function:

<?php

set_error_handler('my_error_handler');

?>


This allows you to define your own function (my_error_handler()) to handle errors; the following is an example implementation:

<?php

// $context is optional because PHP 8 no longer passes it to error handlers.
function my_error_handler($number, $string, $file, $line, $context = array())
{
    $error  = "=========\nPHP ERROR\n=========\n";
    $error .= "Number: [$number]\n";
    $error .= "String: [$string]\n";
    $error .= "File: [$file]\n";
    $error .= "Line: [$line]\n";
    $error .= "Context:\n" . print_r($context, TRUE) . "\n\n";

    // Message type 3 appends the message to the given file.
    error_log($error, 3, '/usr/local/apache/logs/error_log');
}

?>

