Newsgroups: php.internals
To: internals@lists.php.net
Date: Thu, 13 Jun 2019 09:36:42 +0100
Subject: Re: [PHP-DEV] The real world ...
From: lester@lsces.uk (Lester Caine)

On 13/06/2019 08:55, Andreas Heigl wrote:
>> display_errors=Off in production. Which gives a white screen ... fine for security but useless for people using the site!
> While that makes absolute sense perhaps thinking whether there is a way
> to mark password-parameters in core-functions and hide them in
> Stack-traces might improve security as that would also hide
> user-provided credentials in log-files.
> That would not target userland methods/functions. Though having a
> Core-Value-object for credentials might even allow *that*

Sanitising things would be a nice to have, especially where log files are on 'cloud' storage, but the ability to give an end user some indication that there is a problem WHILE display_errors=Off would be helpful?
I know the white screen problem has been discussed many times over the years ... Personally I STILL use display_errors=on and just make sure that sensitive information is not displayed in the stack. Most of the time it IS just the warnings one gets and clients can report them and see they are cleared ... so some sort of middle ground between off and on would be helpful?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - https://lsces.uk/wiki/Contact
L.S.Caine Electronic Services - https://lsces.uk
Model Engineers Digital Workshop - https://medw.uk
Rainbow Digital Media - https://rainbowdigitalmedia.uk
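The two things asked for in this exchange, hiding password-like arguments from logged stack traces and giving the end user something other than a white screen while display_errors stays Off, can both be done in userland today. The following is an added example written for this page, not code from the thread or from php-src: it installs an exception handler that logs a trace with arguments redacted by parameter name and shows the visitor only a short reference id. It assumes PHP 7.4 or later, that error_log() reaches a log the operator actually reads, and that the parameter-name pattern and the login() function are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): a middle ground between
// display_errors=On and display_errors=Off. Full but redacted details go to
// the log; the visitor sees a short page with a reference id instead of a
// white screen. Assumptions: PHP 7.4+, error_log() goes somewhere the
// operator reads, and SENSITIVE_PARAM_PATTERN is only an illustrative list.
declare(strict_types=1);

ini_set('display_errors', '0');   // never echo raw errors to the browser
ini_set('log_errors', '1');
error_reporting(E_ALL);

const SENSITIVE_PARAM_PATTERN = '/pass(word|wd)?|secret|token|api_?key|credential/i';

/** Replace the values of suspiciously named parameters in one trace frame. */
function redactFrameArgs(array $frame): array
{
    if (empty($frame['args']) || empty($frame['function'])) {
        return $frame;   // nothing to redact (or zend.exception_ignore_args=1)
    }
    try {
        $ref = isset($frame['class'])
            ? new ReflectionMethod($frame['class'], $frame['function'])
            : new ReflectionFunction($frame['function']);
    } catch (ReflectionException $e) {
        // Unknown callable: redact everything rather than risk leaking it.
        $frame['args'] = array_fill(0, count($frame['args']), '[redacted]');
        return $frame;
    }
    $params = $ref->getParameters();
    foreach ($frame['args'] as $i => $value) {
        $name = isset($params[$i]) ? $params[$i]->getName() : '';
        if ($name === '' || preg_match(SENSITIVE_PARAM_PATTERN, $name)) {
            $frame['args'][$i] = '[redacted]';
        }
    }
    return $frame;
}

/** Render a throwable's trace as text with sensitive arguments removed. */
function redactedTrace(Throwable $e): string
{
    $lines = [];
    foreach ($e->getTrace() as $n => $frame) {
        $frame = redactFrameArgs($frame);
        $args = implode(', ', array_map(
            fn($a) => is_scalar($a) ? var_export($a, true) : gettype($a),
            $frame['args'] ?? []
        ));
        $lines[] = sprintf('#%d %s(%s): %s%s%s(%s)',
            $n, $frame['file'] ?? '[internal]', $frame['line'] ?? 0,
            $frame['class'] ?? '', $frame['type'] ?? '', $frame['function'], $args);
    }
    return implode("\n", $lines);
}

// Turn warnings and notices into exceptions so one handler covers both.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});

set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(6));   // reference id the user can quote to support
    error_log(sprintf("[%s] %s: %s in %s:%d\n%s",
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        redactedTrace($e)));
    http_response_code(500);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Something went wrong. Please quote reference {$ref} when reporting this.\n";
});

// Constructed demo: a login helper whose $password must never reach the log.
function login(string $user, string $password): void
{
    throw new RuntimeException("Authentication backend unavailable for {$user}");
}

login('alice', 'hunter2-correct-horse');   // logged trace shows login('alice', '[redacted]')
```

Running this from the CLI writes one log entry whose trace line for login() carries `'[redacted]'` in place of the password, while standard output only shows the generic message and the reference id, which is what a client can report and an operator can grep for. The redaction keys on parameter names, so it only protects functions whose sensitive parameters are named sensibly; the core-level counterparts that later PHP releases added are the zend.exception_ignore_args INI setting (PHP 7.4), which drops arguments from traces altogether, and the #[\SensitiveParameter] attribute (PHP 8.2), which marks individual parameters the way the quoted message proposes.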