Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57205
Return-Path: <johannes@schlueters.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 53104 invoked from network); 4 Jan 2012 20:46:56 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Jan 2012 20:46:56 -0000
Authentication-Results: pb1.pair.com smtp.mail=johannes@schlueters.de; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=johannes@schlueters.de; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain schlueters.de from 217.114.211.66 cause and error)
X-PHP-List-Original-Sender: johannes@schlueters.de
X-Host-Fingerprint: 217.114.211.66 config.schlueters.de  
Received: from [217.114.211.66] ([217.114.211.66:42866] helo=config.schlueters.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 91/42-50667-EBAB40F4 for <internals@lists.php.net>; Wed, 04 Jan 2012 15:46:55 -0500
Received: from [192.168.2.230] (ppp-88-217-74-160.dynamic.mnet-online.de [88.217.74.160])
	(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
	(Client did not present a certificate)
	by config.schlueters.de (Postfix) with ESMTPSA id EC68E5FD0E;
	Wed,  4 Jan 2012 21:46:50 +0100 (CET)
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: Rasmus Lerdorf <rasmus@php.net>, Nikita Popov
 <nikita.ppv@googlemail.com>,  Ferenc Kovacs <tyra3l@gmail.com>, Laruence
 <laruence@php.net>, PHP Internals <internals@lists.php.net>
In-Reply-To: <4F04B69C.10102@sugarcrm.com>
References:
	 <CABBJUpc7T2QZm8QiitQ0wZ5RsY=3Jwy_UERSvLT9unNYtJ1mZA@mail.gmail.com>
	 <CABBJUpcVkYwU4zN0dG2b+jYkppnY9HR8wm7FV0tnmGt6ky5wQg@mail.gmail.com>
	 <CABBJUpeN4iJ6mVUKEEz8qxY25zxTmwg8EigpsmxnZGz5xshMhw@mail.gmail.com>
	 <4F048A03.4070408@sugarcrm.com>
	 <CAH-PCH69gV88qnQ7OHhGHSt70oD7f9Z_HCFD7dfW6SmBR6z2tQ@mail.gmail.com>
	 <4F04A172.7080509@sugarcrm.com>
	 <CAH-PCH5BUsrXKLtk6JWCOA8d5+2DxSke3UAnbBraJyGP-YnQnA@mail.gmail.com>
	 <4F04AA8E.6020701@sugarcrm.com>
	 <CAH-PCH6YH3ZxH5XzEm6+gsikaHjyL-pdHyAs=OnFhWqHk0CctQ@mail.gmail.com>
	 <4F04AD6D.80608@php.net>
	 <CAF+90c-6XrWJnL4vOQjjPm=N=fWrMy31wHOeXGccv+KRq5DrVw@mail.gmail.com>
	 <4F04B071.8080102@php.net>  <4F04B69C.10102@sugarcrm.com>
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 04 Jan 2012 21:46:49 +0100
Message-ID: <1325710009.1926.78.camel@guybrush>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.3 
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Re: another fix for max_input_vars.
From: johannes@schlueters.de (Johannes =?ISO-8859-1?Q?Schl=FCter?=)

On Wed, 2012-01-04 at 12:29 -0800, Stas Malyshev wrote:
> Hi!
> 
> > But there is a very valid security concern here. People can usually run
> > safely with display_errors enabled if their code is well-written. They
> 
> Oh no. Nobody should or can safely run production with display_errors. 
> Everybody thinks their code is well-written, but display_errors should 
> never be enabled in production, however high is your opinion of the code.
> I'm afraid people now will start quoting this saying "ok, yeah, if 
> you're a bad programmer, disable display_errors, but I'm a good 
> programmer, my code is solid, I even have a dozen of unit tests, so I 
> just go ahead and enable display_errors" and then we have this sad state 
> of affairs where sites spill out error messages that are never supposed 
> to be seen by clients because developers thought it can never happen.

On shared hosts display_errors typically is on, but the application can
do ini_set('display_errors', 0) or such ...

johannes