On Thu, 10 Apr 2025 at 23:20, Tim Düsterhus <t...@bastelstu.be> wrote:
> As I had said on GitHub before, but to put it onto the list for
> visibility:
>
> I'd rather see the value in `php.ini-production` being changed to `Off`
> to match the built-in default.

see https://github.com/php/php-src/pull/18215#issuecomment-2768618516

Thanks Tim,

Can you please explain why you think the default should be to always show arguments? I asked this question in the Pull Request too and didn't really get a clear answer.

I did try to address your concerns in the RFC itself. To summarise:

* you referenced a Stack Overflow chat asking about the difference, and noting that the defaults for production and development should probably be standardised as much as possible;
* you noted that the correct solution would be to set `display_errors` to Off; and
* you also noted that the framework's error handler should be properly configured.

In response to these I have extended the RFC to cover making the development INI file the same as the production INI and default value by setting all of these to the 'On' value.

Regarding setting `display_errors` to Off, I do agree, but I feel that this is a separate RFC. I've highlighted this as future scope in the RFC and I've also noted that there is often still value in displaying errors without the arguments.

That is to say that I feel that `display_errors` should default to Off, and `exception_ignore_args` should default to On. Having defaults which do not reveal arguments unless explicitly configured to do so is a much safer option than just showing everything.

I do agree that the framework's error handler should be properly configured, but mistakes happen and it is better to fail in as safe a way as possible.

The reality is that a framework that is configuring the error handling properly is also capable of calling `ini_set('zend.exception_ignore_args', 0);` during its own initialisation and being explicit about wanting to have that information. Developers are also able to configure their PHP environment with developer-appropriate configuration.

Ultimately mistakes can, and do, happen. PHP should be configured with safe defaults as standard.
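
For readers following the thread, the difference under discussion can be seen by throwing the same exception under both values of `zend.exception_ignore_args`. This is an added example, not part of the message above, the RFC or php-src; `connect()`, `traceUnder()`, the DSN and the password are hypothetical, constructed names and values.

```php
<?php
declare(strict_types=1);

// Hypothetical application function; the DSN and password passed to it
// below are constructed sample values.
function connect(string $dsn, string $password): void
{
    throw new RuntimeException('connection refused');
}

// Throws inside connect() under the given setting and returns what the
// exception's backtrace captured for that call.
function traceUnder(string $ignoreArgs): array
{
    $previous = ini_get('zend.exception_ignore_args');
    // The backtrace is collected when the exception object is created,
    // so the setting must be in place before the throw.
    ini_set('zend.exception_ignore_args', $ignoreArgs);
    try {
        connect('mysql:host=db.example.test', 'constructed-secret');
    } catch (RuntimeException $e) {
        return [
            // The 'args' key is omitted from each frame when arguments are ignored.
            'args'   => $e->getTrace()[0]['args'] ?? null,
            // This string is what an uncaught exception's stack trace is built from.
            'string' => $e->getTraceAsString(),
        ];
    } finally {
        // Restore the value the process was started with.
        ini_set('zend.exception_ignore_args', (string) $previous);
    }
    return [];
}

foreach (['0', '1'] as $value) {
    $captured = traceUnder($value);
    $leaked = is_array($captured['args'])
        && in_array('constructed-secret', $captured['args'], true);

    echo "zend.exception_ignore_args={$value}\n";
    echo '  password present in getTrace(): ', $leaked ? 'yes' : 'no', "\n";
    echo '  ', str_replace("\n", "\n  ", $captured['string']), "\n\n";
}
```

Anything that logs or serialises `getTrace()` receives the full argument values when they are captured, while the string form shortens long string arguments.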