Newsgroups: php.internals
From: hello@apfelbox.net (Jannik Zschiesche)
Date: Wed, 4 Jan 2012 21:49:21 +0100
Subject: Re: [PHP-DEV] Re: another fix for max_input_vars.
To: Johannes Schlüter
Cc: Stas Malyshev, Rasmus Lerdorf, Nikita Popov, Ferenc Kovacs, Laruence, PHP Internals
Message-ID: <2AE5EDCA-A473-4CD3-88CB-6BA64959894C@apfelbox.net>
In-Reply-To: <1325710009.1926.78.camel@guybrush>

Hi Johannes,

as far as I understood the issue, this error would be triggered before the application's code is executed, so that would not solve this issue.

Cheers
Jannik

On 04.01.2012 at 21:46, Johannes Schlüter wrote:

> On Wed, 2012-01-04 at 12:29 -0800, Stas Malyshev wrote:
>> Hi!
>>
>>> But there is a very valid security concern here. People can usually run
>>> safely with display_errors enabled if their code is well-written. They
>>
>> Oh no. Nobody should or can safely run production with display_errors.
>> Everybody thinks their code is well-written, but display_errors should
>> never be enabled in production, however high is your opinion of the code.
>> I'm afraid people now will start quoting this saying "ok, yeah, if
>> you're a bad programmer, disable display_errors, but I'm a good
>> programmer, my code is solid, I even have a dozen of unit tests, so I
>> just go ahead and enable display_errors" and then we have this sad state
>> of affairs where sites spill out error messages that are never supposed
>> to be seen by clients because developers thought it can never happen.
>
> On shared hosts display_errors typically is on, but the application can
> do ini_set('display_errors', 0) or such ...
>
> johannes
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

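The reply above turns on ordering: ini_set() only takes effect once the script is running, while a per-directory setting is loaded by PHP itself before any application code executes. The fragment below is an added illustration, not part of the original message; it assumes a shared host that runs PHP as CGI/FastCGI and honours .user.ini, and the log path is a placeholder.

```ini
; .user.ini placed in the site's document root (constructed example).
; PHP reads this file itself at request start on the CGI/FastCGI SAPIs,
; so the values apply without a single line of application code running.

; Weak setting the thread describes as typical on shared hosts:
;   display_errors = On
; Corrected setting: never send error text to the client.
display_errors = Off

; Keep the diagnostics, but send them to a log instead of the response.
log_errors = On
; Placeholder path: choose a file outside the web root that the PHP
; process can write to and that is not served over HTTP.
error_log = /path/to/private/php-error.log

; Equivalent lines for Apache with mod_php, placed in .htaccess
; (only honoured if the host's AllowOverride configuration permits it):
;   php_flag  display_errors off
;   php_flag  log_errors on
;   php_value error_log /path/to/private/php-error.log
```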