Newsgroups: php.internals
Date: Thu, 13 Jun 2019 15:04:49 +0300
To: Lester Caine
Cc: PHP internals
Subject: Re: [PHP-DEV] The real world ...
From: narf@devilix.net (Andrey Andreev)

Hi,

I too am in favor of a mechanism to strip out sensitive data from error messages. But Lester, man, you have it all backwards ...

On Thu, Jun 13, 2019 at 11:37 AM Lester Caine wrote:
>
> On 13/06/2019 08:55, Andreas Heigl wrote:
> >> display_errors=Off in production.
>
> Which gives a white screen ... fine for security but useless for people
> using the site!
>

People using the site are not there to debug it. Whether they see a white screen or an unhandled error that was never meant for them to see, it's still bad user experience and of no use to anybody.

> Personally I STILL use display_errors=on and just make sure that
> sensitive information is not displayed in the stack. Most of the time it
> IS just the warnings one gets and clients can report them and see they
> are cleared ... so some sort of middle ground between off and on would
> be helpful?
>

You have logs to see the errors; relying on your users to report the actual error messages to you is the worst way to do it.

Cheers,
Andrey.
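
An added example, not part of the message above and not code from the PHP project: one way to get the "middle ground" discussed in this thread while keeping display_errors off. Full details go to the server log under a random reference, and the visitor sees only that reference. The function name report_failure and the wording of the error page are assumptions made for this sketch.

```php
<?php
// Production posture from the thread: render nothing to the visitor, log everything.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Hypothetical helper (name chosen for this example): logs the full detail
// server-side and shows the visitor a reference they can quote in a report.
function report_failure(Throwable $e): void
{
    $ref = bin2hex(random_bytes(6)); // unguessable, carries no internal state
    error_log(sprintf('[ref %s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    error_log("[ref $ref] " . $e->getTraceAsString());

    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=UTF-8');
    }
    // No message, path or stack frame reaches the browser.
    echo "Something went wrong on our side. Reference: $ref\n";
}

// Uncaught exceptions and Error throwables end up here.
set_exception_handler('report_failure');

// Warnings and notices take the same path instead of being printed inline.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // respect the configured level and @-suppression
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Fatal errors that bypass both handlers are picked up at shutdown.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR;
    if ($err !== null && ($err['type'] & $fatal)) {
        report_failure(new ErrorException(
            $err['message'], 0, $err['type'], $err['file'], $err['line']));
    }
});
```

Searching the error log for the reference a user reports gives the exact failure without any error text having been shown to them.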