mikesta707 Posted August 25, 2009

I have read somewhere (I think in these forums) that using things like die and exit can cause vulnerabilities in your scripts, and that it is best to handle errors via exception handling. Well, I wrote a very simple exception handler for a class I am writing, which is below:

```php
// custom exception class
class qaExceptions extends Exception
{
    // Builds a message naming the line, file and exception text
    public function error()
    {
        $errorMsg = 'Error on line ' . $this->getLine() . ' in ' . $this->getFile()
            . ': <b>' . $this->getMessage() . '</b>';
        return $errorMsg;
    }
} // end custom exceptions class
```

I understand that I probably could have used the standard exception class with the same results, but I plan to add more things to this class once I grasp the basics of exception handling. My question is: even though I have this exception handler, I want my script to completely stop every time an exception is caught. Right now I still use the exit() function to quit the script after the exception is caught, because otherwise the script will continue to run, but still echo the error message. Is this the only way to terminate the script (I can't imagine that it is), and if so, are there any vulnerabilities or other bad things I should be aware of with this method? A typical try-catch block that I use would look like the following:

```php
try {
    if ($this->data == null || !is_array($this->data)) {
        throw new qaExceptions($this->errors['INVALID_DATA_TYPE']);
    }
} catch (qaExceptions $e) {
    echo $e->error();
    exit();
}
```

Am I going about this correctly? Also, why exactly are functions like die and exit not best to use when error handling? Any info or links would be greatly appreciated. I have read a few tutorials on this topic, but I can't seem to grasp the logic behind exception handling.

Link: https://forums.phpfreaks.com/topic/171833-terminating-script-on-a-caught-exception/
ignace Posted August 25, 2009

> Also, why exactly are functions like die and exit not best to use when error handling?

Consider you are a layman visiting a website. You click on some links and suddenly this pops up:

> You have an error in your query near 'LIKE %someProduct% LIMIT 30'

You, the layman, are surprised and wondering what your next step should be; all it says is something he doesn't even understand. He thinks: maybe I should check out the competition and buy my stuff there, as they tend to refer him to a nice 404 page with a clear message about what happened and the steps he can take from that point on.

Instead, use a combination of set_error_handler() and trigger_error() (.. or trigger_error('..') if you like). This will allow you to handle the error (log it to a db or something) and refer the user to a (static) page that gives him some advice on what happened and what he can do next (search, ..).

The advantage of exception handling over the use of exit() (or die()) is that when you call the latter the execution of your script ends abruptly (the message you enclose within it and any output in the buffer is sent to the browser and possibly breaks your page), leaving you no options to handle it properly.
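The pattern ignace describes, as an added example that is not code from the original thread: a global error handler and a global exception handler log the technical detail server-side, discard any half-rendered output, and show the visitor a generic page. The script still stops, but without an exit() in every catch block and without the file path or message ever reaching the browser. The log target (error_log), the static page `/error.html`, the `QuestionAnswer` class and its input are assumptions for the demo; it needs PHP 8.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8; error.html is a
// hypothetical static page and error_log() stands in for "log it to a db".
declare(strict_types=1);

// Buffer output so a page that is half-rendered when an error occurs can be
// thrown away instead of being sent to the browser in a broken state.
ob_start();

// Custom exception, kept close to the one posted in the question.
class qaExceptions extends Exception
{
    // Technical summary: intended for the log, never for the visitor.
    public function error(): string
    {
        return sprintf('Error on line %d in %s: %s',
            $this->getLine(), $this->getFile(), $this->getMessage());
    }
}

// Route PHP warnings/notices into exceptions so one code path handles everything.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // honours the @ operator and the error_reporting() level
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Uncaught exceptions land here; PHP terminates the script after the handler
// returns, which replaces calling exit() inside each catch block.
set_exception_handler(function (Throwable $e): void {
    // Full detail (class, file, line, message, trace) goes to the server log only.
    $detail = $e instanceof qaExceptions
        ? $e->error()
        : sprintf('%s on line %d in %s: %s', get_class($e), $e->getLine(), $e->getFile(), $e->getMessage());
    error_log($detail . "\n" . $e->getTraceAsString());

    // Drop whatever was buffered so the broken partial page never leaves the server.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }

    // The visitor gets a status code and a static page with no technical content.
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    $page = __DIR__ . '/error.html'; // assumed static page
    if (is_file($page)) {
        readfile($page);
    } else {
        echo '<h1>Something went wrong</h1><p>Please try again later or use the search page.</p>';
    }
});

// Hypothetical class in the spirit of the one in the question.
class QuestionAnswer
{
    private array $errors = ['INVALID_DATA_TYPE' => 'Data must be a non-empty array'];

    public function __construct(private mixed $data) {}

    public function process(): int
    {
        if ($this->data === null || !is_array($this->data)) {
            // No try/catch and no exit() here: the exception propagates to the
            // global handler, which logs it and stops the script.
            throw new qaExceptions($this->errors['INVALID_DATA_TYPE']);
        }
        return count($this->data);
    }
}

// Constructed input: a string where an array is expected.
$qa = new QuestionAnswer('not an array');
echo '<p>Processed ', $qa->process(), ' items</p>'; // never reached
ob_end_flush();
```

Catch blocks in the class itself are then only needed where the code can actually recover; anything it cannot recover from is simply thrown, and the one handler decides what the user sees and what the log records.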
mikesta707 (Author) Posted August 25, 2009

Ahh, I see. Thank you, this clears things up quite a bit. Besides turning away users like the plague, are there any other concerns, security-wise most importantly, that I should be aware of? I shall check out those functions you posted posthaste! Thank you again.
ignace Posted August 25, 2009

> are there any other concerns, security wise most importantly, that I should be aware of?

exit() and die() are considered bad practice because at no point should your application output technical information about your system to the end user. Another reason you should at no point display technical information is that hackers will use this information to gain control over your application/server.
mikesta707 (Author) Posted August 25, 2009

Hmm, interesting. Do exit() and die() show technical information even if you don't tell them to? So, for example, would either of `die();` or `die("OH GOD");` show any information that I am not aware of? I was under the impression that unless I defined a string to output, it would just terminate. If so, where is this information accessible?
ignace Posted August 25, 2009

> Do exit() and die() show technical information even if you don't tell it to?

Oh, so you always write:

```php
$query = mysql_query('..') or die();
```

Oh yeah, sure, that is helpful. While having this in your signature:

> add `or die(mysql_error());` to the end of all mysql queries while debugging. Prevents headaches.

Read: http://www.phpfreaks.com/blog/or-die-must-die
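What `or die(mysql_error())` actually hands to a visitor, and the hardened form, as an added example that is not from the thread or the linked blog post. It uses PDO with an in-memory SQLite database so it runs offline (the mysql_* extension is removed in PHP 7 and later); the `products` table, the search term and the function names are constructed for the demo. A stray quote in the input is the classic first probe for SQL injection, and the driver's error text tells the attacker the probe worked.

```php
<?php
// Added example, not code from the thread. Table, data and input are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO products (name) VALUES ('widget'), ('gadget')");

// Constructed attacker input: one unbalanced quote.
$search = "widget'";

// --- The `or die(mysql_error())` style the thread warns against ---
// Returns the text that die(mysql_error()) would print to the browser.
function leakySearch(PDO $pdo, string $search): string
{
    try {
        // Raw interpolation: injectable by construction (the "before" case).
        $rows = $pdo->query("SELECT name FROM products WHERE name LIKE '%$search%' LIMIT 30");
        return implode(',', $rows->fetchAll(PDO::FETCH_COLUMN));
    } catch (PDOException $e) {
        // Equivalent of die(mysql_error()): the driver's message, which echoes the
        // broken query fragment back, goes straight to the visitor.
        return 'DB error: ' . $e->getMessage();
    }
}

// --- The hardened form ---
// Prepared statement removes the injection; on failure the detail is logged and
// an application-level exception is thrown so a global handler can end the
// request with a generic page instead of exit().
function safeSearch(PDO $pdo, string $search): array
{
    try {
        $stmt = $pdo->prepare('SELECT name FROM products WHERE name LIKE :pattern LIMIT 30');
        $stmt->execute([':pattern' => '%' . $search . '%']);
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        error_log('products search failed: ' . $e->getMessage()); // server log only
        throw new RuntimeException('Search is temporarily unavailable', 0, $e);
    }
}

echo leakySearch($pdo, $search), "\n"; // driver error text quoting the broken SQL
print_r(safeSearch($pdo, $search));    // empty: the quote is data, not SQL
print_r(safeSearch($pdo, 'get'));      // one row: gadget
```

The second form never reports less than the first to the people who need it: the full driver message is still in the server log, with the original PDOException chained as the previous exception. It only stops reporting it to the wrong audience.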
mikesta707 (Author) Posted August 25, 2009

Never mind. I have learned the error of my ways. Thank you for that link, very helpful!