Hi Johannes, as far as I understood the issue, this error would be triggered before the application's code is executed, so that would not solve this issue.
Cheers
Jannik
Am 04.01.2012 um 21:46 schrieb Johannes Schlüter:
> On Wed, 2012-01-04 at 12:29 -0800, Stas Malyshev wrote:
>> Hi!
>>
>>> But there is a very valid security concern here. People can usually run
>>> safely with display_errors enabled if their code is well-written. They
>>
>> Oh no. Nobody should or can safely run production with display_errors.
>> Everybody thinks their code is well-written, but display_errors should
>> never be enabled in production, however high is your opinion of the code.
>> I'm afraid people now will start quoting this saying "ok, yeah, if
>> you're a bad programmer, disable display_errors, but I'm a good
>> programmer, my code is solid, I even have a dozen of unit tests, so I
>> just go ahead and enable display_errors" and then we have this sad state
>> of affairs where sites spill out error messages that are never supposed
>> to be seen by clients because developers thought it can never happen.
>
> On shared hosts display_errors typically is on, but the application can
> do ini_set('display_errors', 0) or such ...
>
> johannes
>
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
signature.asc
Description: Message signed with OpenPGP using GPGMail
