cluce Posted May 22, 2007
I just need some input from some PHP experts. I was using the @ symbol in my code, and when I posted my code on here, someone told me it was bad programming. But when I did a Google search on adding security to your PHP website, it was suggested to use @ to prevent the hacker from seeing your potential error in your website in the browser window. Can someone give me your opinion on this? Or any ideas/tips on how to secure PHP web pages?
pocobueno1388 Posted May 22, 2007
From what I know the '@' symbol is just a way of suppressing errors. From the little I know about it, I would say it was bad programming unless you are trying to debug a script. You shouldn't have to put it there if there wasn't an error... so why use it, unless you don't want to fix the error, which is kinda ridiculous.
per1os Posted May 22, 2007
The @ system is just very poor programming. If you are in a production environment it is best to turn off the error reporting, that or create an error function and use that to report the syntax errors to your email and display a "nice" page to the user with little or vague information about the error encountered. Information on that can be found here:
http://www.phpfreaks.com/forums/index.php/topic,140239.0.html
www.php.net/set_error_handler

// error.inc.php
<?php
function error($errno, $errstr, $errfile, $errline, $errcontext) {
    echo 'There was an error on the page ' . $errno . '. Please report it to the site admin!';
}
$errorHandler = set_error_handler("error");
?>

//test.php
<?php
include('error.inc.php'); // include for error handling
echo "Testing me!!!
echo 'How about this test?';
?>

If not, check the user contributions at the page posted above. Best of luck.
cluce Posted May 22, 2007
Well, I am doing all my testing on my localhost.
per1os Posted May 22, 2007
Just remember, do not use the @ symbol, it will not add security, just suppress errors. And if you are only working with localhost, why are you worried about security from error messages? It is in a LIVE production environment you want to be worried about those; on localhost you want to see the errors so you can fix them. Use the above function with test, production, whatever you really feel like. Just don't use those stupid @ error suppressors.
cluce Posted May 22, 2007
Thanks for your replies.
btherl Posted May 23, 2007
The others have given you 90% of the story, so here's the last 10%... all rules can be broken. But you can only break them when you understand them fully. There ARE situations in which using @ is the right thing to do. I use it when dealing with functions that produce warnings for failure conditions that I am actually expecting to happen. But those situations are very rare.
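
The two approaches discussed in this thread, side by side, as an added example that is not code from any of the posters: a production setup that hides error detail from the browser while logging it server-side, and the narrow case where @ is applied to a failure that is expected and then checked explicitly. The function names, the log file location and the probed path are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Names and paths below are assumptions.

error_reporting(E_ALL);           // report everything...
ini_set('display_errors', '0');   // ...but never render details into the page
ini_set('log_errors', '1');       // keep the detail on the server instead
ini_set('error_log', sys_get_temp_dir() . '/app-errors.log'); // constructed path

function production_error_handler($errno, $errstr, $errfile, $errline)
{
    // A custom handler is still called for @-prefixed expressions, so it has
    // to honour the suppression itself by checking the active reporting mask.
    if (!(error_reporting() & $errno)) {
        return true;
    }

    // Full detail goes to the log; the visitor only gets an opaque reference
    // that the admin can use to find the matching log line.
    $ref = bin2hex(random_bytes(4));
    error_log("[$ref] errno=$errno $errstr in $errfile:$errline");

    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        http_response_code(500);
    }
    echo "Something went wrong. Please quote reference $ref to the site admin.\n";
    return true; // do not fall through to PHP's built-in handler
}
set_error_handler('production_error_handler');

// The rare legitimate use of @: the warning is an expected outcome (the file
// is optional), and the return value is checked instead of being ignored.
function read_optional_config($path)
{
    $data = @file_get_contents($path);
    if ($data === false) {
        return null; // handled explicitly, nothing is hidden from the developer
    }
    return $data;
}

var_dump(read_optional_config('/nonexistent/constructed-example.ini'));

// An unexpected problem: logged with full detail, generic message shown.
echo $undefined_variable;
```

On a development machine the same script would set display_errors to '1' so the errors are visible and can be fixed.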