Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:57211 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 61002 invoked from network); 4 Jan 2012 20:59:55 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Jan 2012 20:59:55 -0000 Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.214.170 cause and error) X-PHP-List-Original-Sender: rasmus@lerdorf.com X-Host-Fingerprint: 209.85.214.170 mail-tul01m020-f170.google.com Received: from [209.85.214.170] ([209.85.214.170:47112] helo=mail-tul01m020-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 02/14-50667-9CDB40F4 for ; Wed, 04 Jan 2012 15:59:55 -0500 Received: by obcwo10 with SMTP id wo10so15194292obc.29 for ; Wed, 04 Jan 2012 12:59:51 -0800 (PST) Received: by 10.50.195.135 with SMTP id ie7mr68456886igc.6.1325710791422; Wed, 04 Jan 2012 12:59:51 -0800 (PST) Received: from [192.168.200.5] (c-50-131-44-225.hsd1.ca.comcast.net. [50.131.44.225]) by mx.google.com with ESMTPS id r18sm193209811ibh.4.2012.01.04.12.59.49 (version=SSLv3 cipher=OTHER); Wed, 04 Jan 2012 12:59:50 -0800 (PST) Sender: Rasmus Lerdorf Message-ID: <4F04BDC5.2030507@php.net> Date: Wed, 04 Jan 2012 12:59:49 -0800 Organization: PHP Development Team User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: =?UTF-8?B?Sm9oYW5uZXMgU2NobMO8dGVy?= CC: Stas Malyshev , Nikita Popov , Ferenc Kovacs , Laruence , PHP Internals References: <4F048A03.4070408@sugarcrm.com> <4F04A172.7080509@sugarcrm.com> <4F04AA8E.6020701@sugarcrm.com> <4F04AD6D.80608@php.net> <4F04B071.8080102@php.net> <4F04B69C.10102@sugarcrm.com> <1325710009.1926.78.camel@guybrush> In-Reply-To: <1325710009.1926.78.camel@guybrush> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] Re: another fix for max_input_vars. From: rasmus@php.net (Rasmus Lerdorf) On 01/04/2012 12:46 PM, Johannes Schlüter wrote: > On Wed, 2012-01-04 at 12:29 -0800, Stas Malyshev wrote: >> Hi! >> >>> But there is a very valid security concern here. People can usually run >>> safely with display_errors enabled if their code is well-written. They >> >> Oh no. Nobody should or can safely run production with display_errors. >> Everybody thinks their code is well-written, but display_errors should >> never be enabled in production, however high is your opinion of the code. >> I'm afraid people now will start quoting this saying "ok, yeah, if >> you're a bad programmer, disable display_errors, but I'm a good >> programmer, my code is solid, I even have a dozen of unit tests, so I >> just go ahead and enable display_errors" and then we have this sad state >> of affairs where sites spill out error messages that are never supposed >> to be seen by clients because developers thought it can never happen. > > On shared hosts display_errors typically is on, but the application can > do ini_set('display_errors', 0) or such ... But that is precisely why this is a special case. Even if you do ini_set('display_errors', 0) in your code this message will still be displayed. Although, display_startup_errors is off by default and hopefully this one falls under that setting. I didn't test it, but if it doesn't then we need to make sure it is suppressed when display_startup_errors is off. -Rasmus