Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:105891
Return-Path: <ocramius@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 23414 invoked from network); 13 Jun 2019 13:34:23 -0000
Received: from unknown (HELO mail-io1-f51.google.com) (209.85.166.51)
  by pb1.pair.com with SMTP; 13 Jun 2019 13:34:23 -0000
Received: by mail-io1-f51.google.com with SMTP id e5so15795635iok.4
        for <internals@lists.php.net>; Thu, 13 Jun 2019 03:47:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=4xL1b7GoFZQF6CEXZSPCxFgYM/99YUWoV0Wo6S6b/o4=;
        b=RlVC7F9yi6QIap8xcBKgSBmkEU3SlVVkNxWZWrd64mQO4la5PIl1Kxv+qzo8QYQ1xG
         sqFt3iQEdEato0kEPn+H4+jLEdduCZ3uzWcXlJaLMGGx2ppMpF3iOvfbQqd/N86QFBAs
         xt9XP7d1gzvPzPbu/xYgcvYk5GpmhYPeX2hiTaOqZ7WijM5+fXF4XbnNLvbMLaz6D+8s
         V/zvlIrl6i4vvOuTi5TlaYQpgZVKEwTAYG50xZj/nZuDn7/ZTr3r6S11sZyYL2N5m6g7
         Y5GRPCkxgdcqlT+Qv62jTapQZRFoqp9jsKEB72mE/wCeit4YLcy+5fOs5hKSt0/YAMQ0
         U3Fw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=4xL1b7GoFZQF6CEXZSPCxFgYM/99YUWoV0Wo6S6b/o4=;
        b=sYPntzgtpyUGboN8xnor4zJ8keMG31RACTNEz16Gt4KVETVp9sdsrztBsaEFnqIV94
         oemQIxhabkh4CYvvv7SjVc18Px2QANNx3UNxcsV9gM7UGWm2PYql+EwFgIpqkNmll+VO
         YLQA2JuYfjdQXjzcFLM5EDDovZgEyW/plD+S4Wga4yVlfkkN1ZVCwsonAArpyzKYFyx4
         b2tszMjpqJrLSU+2O9f896P6ZPz2TFPRXo09JWDzfcIXbzutwgZL7TVoeTN2w9zYEu5j
         fJRajLgbewxnbBBV+ef+28P39y6vCqlpPVeIXxpT5zY4s5IhNI8iV24ukEbR4l0uPJrj
         Ohfw==
X-Gm-Message-State: APjAAAXFxBl0qeR9xYjFn8PNB7aHIPptG0qzr1qK4xMQ6/9CHa73AF2Q
	mlQgkVGUbwpOfKqMGZBRioKZ+7zgaSuP0p7O/40=
X-Google-Smtp-Source: APXvYqyV6IiymgSVCRP8yskYGHVUsfuBEjIndvq91CAKe3Du6j8ORA5qrq9tFa3XCKb+rhS29XSjsSmcmkLQdw2hoL8=
X-Received: by 2002:a02:cc8e:: with SMTP id s14mr59420809jap.142.1560422850492;
 Thu, 13 Jun 2019 03:47:30 -0700 (PDT)
MIME-Version: 1.0
References: <dabdf489-0d4a-5be9-8858-83448dfd5d9a@lsces.uk>
 <CAF+90c81XGOeWex+nxTT+qyprUocsJ0QbnhAcF7qMxQc0TUUSg@mail.gmail.com>
 <b33877b2-0dce-c06f-f3ea-9f33746879a2@heigl.org> <f32890f7-710a-0476-de04-399516a274fa@lsces.uk>
In-Reply-To: <f32890f7-710a-0476-de04-399516a274fa@lsces.uk>
Date: Thu, 13 Jun 2019 12:47:18 +0200
Message-ID: <CADyq6sJqvc52GqAJs0WSPKrsPbj9oUvBd9WfLWAf8V8cTo4JaQ@mail.gmail.com>
To: Lester Caine <lester@lsces.uk>
Cc: PHP Internals List <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000b3ffbd058b32414d"
Subject: Re: [PHP-DEV] The real world ...
From: ocramius@gmail.com (Marco Pivetta)

--000000000000b3ffbd058b32414d
Content-Type: text/plain; charset="UTF-8"

On Thu, Jun 13, 2019, 10:36 Lester Caine <lester@lsces.uk> wrote:

> On 13/06/2019 08:55, Andreas Heigl wrote:
> >> display_errors=Off in production.
>
> Which give a white screen ... fine for security but useless for people
> using the site!
>

Error logging is how this is to be approached.

Personally I STILL use display_errors=on and just make sure that
> sensitive information is not displayed in the stack. Most of the time it
> IS just the warnings one gets and clients can report them and see they
> are cleared ... so some sort of middle ground between off and on would
> be helpful?
>

Logging, logging, logging.

Displaying traces just gives malicious third parties a tasty data
exfiltration endpoint.

--000000000000b3ffbd058b32414d--