Hey Lester, hey All

On 13.06.19 at 10:36, Lester Caine wrote:
> On 13/06/2019 08:55, Andreas Heigl wrote:
>>> display_errors=Off in production.
>
> Which gives a white screen ... fine for security but useless for people
> using the site!
>
>> While that makes absolute sense perhaps thinking whether there is a way
>> to mark password-parameters in core-functions and hide them in
>> Stack-traces might improve security as that would also hide
>> user-provided credentials in log-files.
>> That would not target userland methods/functions. Though having a
>> Core-Value-object for credentials might even allow *that*
>
> Sanitising things would be a nice to have especially where log files are
> on 'cloud' storage, but the ability to give an end user some indication
> that there is a problem WHILE display_errors=Off would be helpful? I
> know the white screen problem has been discussed many times over the
> years ...
>
> Personally I STILL use display_errors=on and just make sure that
> sensitive information is not displayed in the stack. Most of the time it
> IS just the warnings one gets and clients can report them and see they
> are cleared ... so some sort of middle ground between off and on would
> be helpful?
If you're so keen on providing the user something to see without having
to use display_errors=on: Have you had a look at
https://php.net/register_shutdown_function ?

You can always use that to figure out whether there was a fatal error and
then display something nice to the user.

No leaked stacktrace, no leaked credentials, user is informed, everyone
is happy :-)

Cheers

Andreas

-- 
                                                              ,,,
                                                             (o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl                                                       |
| mailto:andr...@heigl.org                    N 50°22'59.5" E 08°23'58" |
| http://andreas.heigl.org                       http://hei.gl/wiFKy7 |
+---------------------------------------------------------------------+
| http://hei.gl/root-ca                                               |
+---------------------------------------------------------------------+
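The shutdown-function approach Andreas describes, written out as an added example (this is not code from the thread): the script keeps display_errors off, detects a fatal error in the shutdown function via error_get_last(), logs the detail server-side under a correlation id, and sends the client only a generic page. The incident id and the page text are my own choices.

```php
<?php
declare(strict_types=1);

// Real error text never reaches the browser; it still goes to the error log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Runs at shutdown, including after a fatal error has aborted the script.
 * error_get_last() still reports that error even with display_errors off.
 */
function handleFatalOnShutdown(): void
{
    $error = error_get_last();
    if ($error === null) {
        return; // clean shutdown, nothing to do
    }

    // Only the error types that actually terminate the script count as fatal;
    // warnings and notices have already been logged by PHP itself.
    $fatalTypes = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR
        | E_USER_ERROR | E_RECOVERABLE_ERROR;
    if (($error['type'] & $fatalTypes) === 0) {
        return;
    }

    // A random incident id lets support find the logged detail (message, file,
    // line and, for uncaught Errors, the trace) without exposing any of it.
    $incidentId = bin2hex(random_bytes(8));
    error_log(sprintf(
        '[incident %s] %s in %s:%d',
        $incidentId, $error['message'], $error['file'], $error['line']
    ));

    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    // Generic page only: no message, path, line number or stack trace.
    echo '<h1>Something went wrong</h1>',
        '<p>Please try again later and quote incident id ',
        htmlspecialchars($incidentId, ENT_QUOTES, 'UTF-8'), '.</p>';
}

register_shutdown_function('handleFatalOnShutdown');

// Constructed demonstration: an uncaught Error (PHP 7+) becomes an E_ERROR
// fatal, so the handler above fires and the user sees the generic page.
undefined_function_for_demo();
```

Run it with display_errors on once to compare: the trace then lands in the response, which is exactly what the shutdown handler avoids.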