On 13/06/2019 08:55, Andreas Heigl wrote:
> display_errors=Off in production.

Which gives a white screen ... fine for security but useless for people using the site!

> While that makes absolute sense perhaps thinking whether there is a way
> to mark password-parameters in core-functions and hide them in
> Stack-traces might improve security as that would also hide
> user-provided credentials in log-files.
> That would not target userland methods/functions. Though having a
> Core-Value-object for credentials might even allow *that*

Sanitising things would be a nice to have especially where log files are on 'cloud' storage, but the ability to give an end user some indication that there is a problem WHILE display_errors=Off would be helpful? I know the white screen problem has been discussed many times over the years ...

Personally I STILL use display_errors=on and just make sure that sensitive information is not displayed in the stack. Most of the time it IS just the warnings one gets and clients can report them and see they are cleared ... so some sort of middle ground between off and on would be helpful?

--
Lester Caine - G8HFL
-----------------------------
Contact - https://lsces.uk/wiki/Contact
L.S.Caine Electronic Services - https://lsces.uk
Model Engineers Digital Workshop - https://medw.uk
Rainbow Digital Media - https://rainbowdigitalmedia.uk

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
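An added example, not part of the original message or of PHP core: one userland way to get the middle ground discussed above, keeping display_errors off while showing the visitor a short notice with a reference id and logging a stack trace that omits all call arguments. The function names `frames_without_args` and `connect`, the wording of the notice, and the sample credentials are assumptions made up for this illustration.

```php
<?php
declare(strict_types=1);

// PHP's own error output stays off; details go to the error log only.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Hypothetical helper: render the trace as file/line/function only,
// so argument values (passwords included) never reach the log.
function frames_without_args(Throwable $e): array
{
    $out = [];
    foreach ($e->getTrace() as $i => $f) {
        $out[] = sprintf(
            '#%d %s(%s): %s%s%s()',
            $i,
            $f['file'] ?? '[internal]',
            $f['line'] ?? '?',
            $f['class'] ?? '',
            $f['type'] ?? '',
            $f['function']
        );
    }
    return $out;
}

set_exception_handler(function (Throwable $e): void {
    // Short random id ties the visitor's report to the log entry.
    $ref = bin2hex(random_bytes(4));
    // The exception message is logged as-is; it can itself carry
    // sensitive text and may need its own filtering.
    error_log(sprintf(
        "[%s] %s: %s in %s:%d\n%s",
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        implode("\n", frames_without_args($e))
    ));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo "Something went wrong. Please quote reference {$ref} when reporting this.\n";
});

// Constructed failure: the password argument must not appear in the log.
function connect(string $user, string $password): void
{
    throw new RuntimeException('database connection failed');
}

connect('app', 'constructed-password');
```

The handler covers uncaught exceptions only; warnings and notices would need a matching `set_error_handler()` callback.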
