Hi, everyone

 

I'm under IIS 7.5 with latest php 5.3. We have a small hosting business.

 

error reporting is set as such: error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT &~E_DEPRECATED

 

The thing is, a PCI scan reveals that openbase reveals paths when PHP shows warning error.

 

I don't want to disable warning errors, because if I do, for example, it wouldn't show on screen SMTP relaying errors, where users try to set up forms that send out mail without authentication, which would make things very unclear.

 

Is there an easy way out? Can I hide PATHS in the php warnings?

 

Thanks!


Thanks a lot for your reply. Yeah, I knew that, but the thing is as I explained, we recently started forcing SMTP AUTHentication in forms.

 

Without warning logging on screen in PHP, it seems to the user that the form was sent :( And it wasn't. So keeping the errors ON would really help... We already have error messages via IIS (error pages set to custom error pages so it usually shows a generic 500 error and we have to set to Detailed to get clearer errors, just during troubleshooting).

 

But maybe you're right, I should keep logging to disk and have each one add code to their php pages from clearer errors (e_all, etc)... although it means of course a lot more support for me and getting simply blank pages in cases of things like relay error or openbase, making things harder...

 

But I guess it's the way to go. No easy way to do what I originally asked, right? Remove paths from warning errors...

 

Thanks

The relevant setting is display_errors. That should most definitely be off. Opinions on error_reporting vary (I believe you should include all errors).

 

Development environments can do whatever they want: show errors on the page, log to a file, doesn't really matter so long as the developers can still get their work done. Production environments should not display them but log errors someplace, like a log file (as happens by default) or some reporting service. Because you should know when errors occur.

Thanks again. I'm on Windows Server.

 

So I disabled display_errors (off) and set to only log errors. I had to disable display_errors also in the registry so both local and master value show off in php info.

 

But I found it would still reveal paths in WARNINGS such as Openbase errors, relay errors in forms...

 

So I set

 

error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT &~E_DEPRECATED &~E_WARNING
 

Now the warnings are also not shown. Problem is that they're not logged either, unless I add code to the specific page to show e_all... I guess it's OK that way.

 

Just a pity that, for example, sending mail via PEAR/PHP, it's as if the form was sent although it wasn't. And openbase errors also don't appear. I wish these appeared without paths.

 

Any extra ideas?

 

Thanks.

your script is likely turning display_errors back on. find and remove any ini_set statements for the display_errors setting. the only time error_reporting/display_errors statements should be in a script are for temporary debugging purposes.

 

you should be able to set and leave error_reporting at E_ALL in your php.ini.

Hi,

 

No... phpinfo clearly shows display errors is off... my script simply tries to send an email (relay out)... or access an invalid directory (to trigger openbase error). It doesn't do any messing around with ini_set or so...

 

I think actually what happens is display_errors is just for errors, not warnings.

 

So really besides disabling php errors I had to also do this

 

error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT &~E_DEPRECATED &~E_WARNING

Does it look OK, am I missing anything?

 

So, I had to disable warnings. But then I don't get them logged...

 

But no problem, as adding code to show e_all in a specific user's php page does show all errors and warnings.

 

But you say I should be able to put E_ALL and set to only log, not display errors... How can I trigger some fatal error that would make sure it is working in terms of fatal errors?

Warnings I'm certain I have to disable them explicitly.

 

Thanks.

the display_errors and log_errors settings apply to any type of error that is being reported due to the error_reporting setting.

 

if display_errors is truly off in your php.ini and you are getting any type of php error message (fatal, warning, or notice) being displayed, it means that either display_errors is not actually turned off or that your script is turning it back on.

 

the error_reporting setting determines what is reported. the display_errors/log_errors settings determine what happens to the report of those errors.

Thanks. But very strange, I tried a bit more, no luck. Any chance I can pay someone to help me via remote session? :)

It's PHP 5.3.22

 

Phpinfo shows clearly and I tested in several sites, display_errors is off. Both local and global, since it's in my php.ini and also in windows registry disabling it. error_reporting shows value 30719

 

A simple code such as this

 

<?php
$email = "external@gmail.com";
$subject = "Test Message";
$msg = "This is a test message";

mail($email,$subject,$msg);

print "Mail sent to $email";

?>
 

Shows an error such as

 

Mail sent to external@gmail.comPHP Warning: mail() [function.mail]: SMTP server response: 550 5.7.1 <external@gmail.com>... we do not relay <php@server.com> in E:\sites\domain\www\test\testrelay2.php on line 6

 

Strangely php.log is not logging this although log to disk is enabled

 

It does log other things such as deprecated or notices

 

 PHP Notice:  Undefined property: JDocumentHTML::$baseurl in

 

PHP Deprecated:  Function ereg_replace() is deprecated in

 

Now if I change error_reporting to

 

error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT &~E_DEPRECATED &~E_WARNING

 

Now on screen all I get is

 

Mail sent to external@gmail.com

 

Which BTW is untrue as it was rejected, but since the warning doesn't show up, it doesn't show any error at all.

 

I guess I'll just keep it this way and users can easily get clearer errors with ini_set...

 

Thanks again.

Now on screen all I get is

 

Mail sent to external@gmail.com

 

Which BTW is untrue as it was rejected, but since the warning doesn't show up, it doesn't show any error at all.

That's just due to poor coding. You never actually check the results returned from the mail function before displaying some "success" message.
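
An added example, not code from the thread or from any poster: the test script above with the return value of mail() checked, plus a warning handler that writes the full detail to the error log and shows the visitor only the message text with paths removed. The function names `redact_paths` and `safe_warning_handler` and the `[path hidden]` marker are made up for this illustration; it assumes display_errors = Off and log_errors = On in php.ini.

```php
<?php
// Added example, not code from the thread. Assumes php.ini already has
// display_errors = Off and log_errors = On. Runs on PHP 5.3 and later.

// Best-effort removal of Windows drive-letter paths (E:\sites\...) from text.
function redact_paths($text)
{
    return preg_replace('~[A-Za-z]:\\\\[^\s:*?"<>|()]+~', '[path hidden]', $text);
}

// Warnings reach this function instead of PHP's built-in output.
function safe_warning_handler($errno, $errstr, $errfile, $errline)
{
    if (!(error_reporting() & $errno)) {
        return false; // not enabled in error_reporting (or silenced with @)
    }
    $ref = substr(md5(uniqid(mt_rand(), true)), 0, 8); // ticket reference

    // Full detail, file and line included, goes to the error log only.
    error_log("[$ref] $errstr in $errfile on line $errline");

    // The visitor gets the message text with paths removed and HTML-escaped.
    echo '<p>Error (ref ' . $ref . '): '
        . htmlspecialchars(redact_paths($errstr)) . '</p>';

    return true; // handled, so PHP adds no "in <file> on line <n>" text
}
set_error_handler('safe_warning_handler', E_WARNING | E_USER_WARNING);

// The thread's test script, now acting on what mail() returns.
$email   = 'external@gmail.com';
$subject = 'Test Message';
$msg     = 'This is a test message';

if (mail($email, $subject, $msg)) {
    print "Mail sent to $email";
} else {
    print 'The message could not be sent.';
}
```

The redaction stops at the first space, so a path containing spaces is only partly removed; printing just the reference and reading the detail from the log avoids that. Fatal errors are not passed to a handler set with set_error_handler and still follow the display_errors and log_errors settings.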

Thanks.

 

Hmm but still that is shown that way only if I use

 

error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT &~E_DEPRECATED &~E_WARNING

 

The main issue here is that, with error_reporting=E_ALL and display_errors = OFF, with the code I showed you above, it shows this error:

 

Mail sent to external@gmail.comPHP Warning: mail() [function.mail]: SMTP server response: 550 5.7.1 <external@gmail.com>... we do not relay <php@server.com> in E:\sites\domain\www\test\testrelay2.php on line 6

 

That's what's strange. :(

 

Thanks

hmmm yes strange :( 2 web servers, windows, same thing. Can I abuse and send you a pvt msg with my php.ini contents? :)

I did find out that I need to disable display_errors=off in registry for windows, or else in phpinfo command it would show in the global column as if it was on. Now it shows both local and global value = OFF.

 

I guess I'll just keep as is, at least I have it secure and if a user creates an ini_set command in a php page, he can get all details. Not so bad, certainly better than it was.

 

Thanks!!
