I'm using NGINX with PHP-FPM in seperated Docker containers. I want to get errors only to stderr, so that I can collect them on a centralized log-server. Problem is: I'm using WP and seems to have some not well written plugins. They work but cause warnings like this:
2017/06/17 01:16:08 [error] 7#7: *1 FastCGI sent in stderr: "PHP
message: PHP Warning: Parameter 1 to wp_default_scripts() expected to
be a reference, value given in /www/wp-includes/plugin.php on line 601
Example script for testing, which should give me a fatal error in the stderr:
<?php
not_existing_func();
PHP-FPM was configured to log errors to stderr like this:
[global]
log_level = error
error_log = /proc/self/fd/2
I'm wondering that this gave me nothing in the script above. Just after I switched the log_level to at least notice, I got the exception on the console of the docker container:
[17-Jun-2017 01:45:35] WARNING: [pool www] child 8 said into stderr:
"NOTICE: PHP message: PHP Fatal error: Uncaught Error: Call to
undefined function not_existing_func() in /www/x.php:2"
Why the hell is this a notice? For me we've clearly a fatal error here like the message indicates, cause the script can't continue (and we get a 500 error in the browser, of course). It can't be true that I have to set log_level to notice so that I don't miss fatal errors which are delcared as warnings. And simultaneously, my logs get filled with trash warnings from wordpress themes, plugins and so on, that I haven't developed and I don't want to fix for update reasons...
I tried a bit and found out that log_errors in php.ini is essential for PHP-FPM to get any information. But the log level from error_reporting seems wired too. For testing purpose, I used the following configuration:
display_errors = Off
log_errors = On
error_log = /proc/self/fd/2
;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR
error_reporting = 0
Result: I got notices, but NO info about my fatal error...
First of all, I learned that I was wrong: Wordpress is the root cause for this issue, not PHP directly. It's a known fact that WP manipulates the error_reporting when debugging is enabled, so I tried to define WP_DEBUG as false in my config; BUT even having this set, the documentation says
[...]
Except for 'error_reporting', WordPress will set this to 4983 if WP_DEBUG is defined as false.
[...]
So my settings into php.ini were correct and sufficient. I don't even need the php-fpm settings, when errors are redirected to stdout in the php.ini file.
How to prevent WordPress from manipulating the error reporting?
This is not so easy, too. Although the WordPress documentation says, that the wp-config.php is a good place to set global wide settings like the error reporting, they got overwritten later to 4983. I don't know where; maybe it's not even the Core of Wordpress, but rather some poor developed plugin or theme.
We can handle this by adding error_reporting to the disabled functions:
disable_functions = error_reporting
Now it's not possible to overwrite our error_reporting. I think this is the best solution to make sure that we don't get any other error reporting by external influence from plugins or themes. Also in the future, since PHP allows such chaos, we need to reckon with such things.
Basically, we could criticize that this prevent us from getting more logs by setting WP_DEBUG to true, that's right, but as we're on a production system, it seems wrong for me to do troubleshooting in such a way there. We shouldn't do this on an application base, especially without display_errors! Instead, the workflow to find problems should be to look at the error logs.
Fatal errors should always be logged and checked on a regular basis. If that is not enough, error_reporting could be set on a higher level to get information about possible problems like warnings.
Related
I have a PHP REST API endpoint that throws an error:
PHP message: PHP Fatal error: Uncaught Exception: Accessing static property...as non static in...
with the default error_reporting value but returns a correct value if error_reporting is set to 1, which I believe is E_ERROR.
Doesn't error_reporting just control the logging? This seems to control whether the exception is thrown as well, allowing the code to continue as normal.
I come from a Java background, used to using Logback and similar logging frameworks. In these frameworks, the log level refers to a filter for the recipient of the logs, commonly a log file. A log level X means that messages need to be at least level X (or lower than, I forget which) to be logged, but it doesn't affect whether the exception is thrown to begin with.
I had assumed that this was the case with PHP's error_reporting, however, based on the above behavior I am not sure.
I've looked through the PHP docs, but I haven't found a detailed explanationof how error_reporting works
So, my question: What does "reporting" mean here? Does error_reporting control more besides which exceptions/errors are logged?
error_reporting is a bit different with the log level, the argument is a set of toggles for each error type.
For example error_reporting(E_ERROR) only reports errors and error_reporting(E_NOTICE) only reports notices and error_reporting(E_ERROR|E_NOTICE) reports both errors and notices but doesn't report warnings.
FYI the error level of this message "Accessing static property...as non static in..." is E_STRICT in PHP 5 and E_NOTICE in PHP 7 by default.
This is weired because you got an exception, I guess the problem that changes the behaviour of the error is in your error handler.
I am having an issue when I have a php application that is returning an internal server error (500) however nothing is showing up in the error log.
Now I know there are error with what I am trying to run, I know I have missing some files and what not but something should show in the apache error log (otherwise how are I supposed to know exactly what I am missing).
I created a test script is errors it in under the same vhost configuration and those error show up fine so everything seems configured right as far as php/apache. Are there certain php errors that does show up in the error log (php is configure to display any type of notice, warning, , error, fatal error, etc...)?
This is running on ubunut 10.04 with the standard apache and php from the ubuntu repo with apt-get.
Scan your source files to find #.
From php documentation site
Currently the "#" error-control operator prefix will even disable
error reporting for critical errors that will terminate script
execution. Among other things, this means that if you use "#" to
suppress errors from a certain function and either it isn't available
or has been mistyped, the script will die right there with no
indication as to why.
Copy and paste the following into a new .htaccess file and place it on your website's root folder :
php_flag display_errors on
php_flag display_startup_errors on
Errors will be shown directly in your page.
That's the best way to debug quickly but don't use it for long time because it could be a security breach.
If you still have 500 error and no logs you can try to execute from command line:
php -f file.php
it will not work exactly like in a browser (from server) but if there is syntax error in your code, you will see error message in console.
Maybe something turns off error output. (I understand that you are trying to say that other scripts properly output their errors to the errorlog?)
You could start debugging the script by determining where it exits the script (start by adding a echo 1; exit; to the first line of the script and checking whether the browser outputs 1 and then move that line down).
In the past, I had no error logs in two cases:
The user under which Apache was running had no permissions to modify php_error_log file.
Error 500 occurred because of bad configuration of .htaccess, for example wrong rewrite module settings. In this situation errors are logged to Apache error_log file.
For Symfony projects, be sure to check files in the project'es app/logs
More details available on this post :
How to debug 500 Error in Symfony 2
Btw, other frameworks or CMS share this kind of behaviour.
Here is another reason why errors might not be visible:
I had the same issue. In my case, I had copied the source from a production environment. Hence the ENVIRONMENT variable defined in index.php was set to 'production'. This caused error_reporting to be set to 0 (no logging). Just set it to 'development' and you should start seeing error messages in apache log.
Turned out the 500 was due to a semi colon missing in database config :-)
Another case which happened to me, is I did a CURL to some of my pages, and got internal server error and nothing was in the apache logs, even when I enabled all error reporting.
My problem was that in the CURL I set
curl_setopt($CR, CURLOPT_FAILONERROR, true);
Which then didn't show me my error, though there was one, this happened because the error was on a framework level and not a PHP one, so it didn't appear in the logs.
You need to enable the PHP error log.
This is due to some random glitch in the web server when you have a php error, it throws a 500 internal error (i have the same issue).
If you look in the PHP error log, you should find your solution.
see here in the doc of how to enable it in the php.ini
Be sure your file permissions are correct. If apache doesn't have permission to read the file then it can't write to the log.
What happened for me when this was an issue, was that the site had used too much memory, so I'm guessing that it couldn't write to an error log or displayed the error. For clarity, it was a Wordpress site that did this. Upping the memory limit on the server showed the site again.
SOLVED
I struggled with this and later on, I realized that I was working on PHP 5.6, so I upgraded to PHP 7.0, then I released there were comments placed by git for conflicting codes. I found something like this in my code <<<<<<<< But solved it.
I work on a localhost. I have php 5.4.4. I Just read on php.net that since version 5.4 onwards E_STRICT became part of E_ALL.
So, i see in my php.ini file this.
error_reporting = E_ALL
So, i assume, it is the strictest Error reporting mode. So, i make a mistake intentionally to see if this works.
I set $_SESSION key to begin with a numerical value in my code. No error is reported. The program simply runs incorrectly.
I have also set: display_errors = On
So, i assume any error shall be reported in my browser, when the script is run. But, nothing happens.
One of the Fellow, Stackoverflow.com Members, was checking my code and found out the error, because his browser reported the error. But, nothing happens in mine.
You probably have your PHP configured to not output errors to screen, rather logging them to a log file.
That is, you have display_errors set to false, and log_errors set to true .
That is the common configuration for production websites, not echoing errors to screen (which could reveal important info for an attacker) but writing them to the web server log.
I suggest you install a global error handler, and do some formatting there, to get a nice result:
set_error_handler( 'error_handler' );
function error_handler( $errno, $errmsg, $filename, $linenum, $vars )
{
// error was suppressed with the #-operator
if ( 0 === error_reporting() )
return false;
printf( "Unrecoverable error in `%s' line %s: %s\n\n", $filename, $linenum, $errmsg );
exit( $errno );
}
The problem is a bit hard to track. If you want to see the actual error message with display errors, you have to keep the following in mind:
The display_errors directive works only as long as there is some display it could output to.
Normally the session is saved on disk at a time when your script has already finished and there is no output associated any longer to it.
Therefore you can not make the following notice visible with that setting:
Notice: Unknown: Skipping numeric key 0 in Unknown on line 0
The in Unknown on line 0 is a sign that this is not the normal PHP code. It's just when the PHP engine shuts down and saves the session data.
So you can never get this error message onto your display unless:
You track the error log or use the CLI environment which still has an output in shutdown phase (STDOUT)
You use session_write_close() to write the session while your script still runs:
Notice: session_write_close(): Skipping numeric key 0 in ... on line 12
Hope this helps and clarifies it fully.
I am having an issue when I have a php application that is returning an internal server error (500) however nothing is showing up in the error log.
Now I know there are error with what I am trying to run, I know I have missing some files and what not but something should show in the apache error log (otherwise how are I supposed to know exactly what I am missing).
I created a test script is errors it in under the same vhost configuration and those error show up fine so everything seems configured right as far as php/apache. Are there certain php errors that does show up in the error log (php is configure to display any type of notice, warning, , error, fatal error, etc...)?
This is running on ubunut 10.04 with the standard apache and php from the ubuntu repo with apt-get.
Scan your source files to find #.
From php documentation site
Currently the "#" error-control operator prefix will even disable
error reporting for critical errors that will terminate script
execution. Among other things, this means that if you use "#" to
suppress errors from a certain function and either it isn't available
or has been mistyped, the script will die right there with no
indication as to why.
Copy and paste the following into a new .htaccess file and place it on your website's root folder :
php_flag display_errors on
php_flag display_startup_errors on
Errors will be shown directly in your page.
That's the best way to debug quickly but don't use it for long time because it could be a security breach.
If you still have 500 error and no logs you can try to execute from command line:
php -f file.php
it will not work exactly like in a browser (from server) but if there is syntax error in your code, you will see error message in console.
Maybe something turns off error output. (I understand that you are trying to say that other scripts properly output their errors to the errorlog?)
You could start debugging the script by determining where it exits the script (start by adding a echo 1; exit; to the first line of the script and checking whether the browser outputs 1 and then move that line down).
In the past, I had no error logs in two cases:
The user under which Apache was running had no permissions to modify php_error_log file.
Error 500 occurred because of bad configuration of .htaccess, for example wrong rewrite module settings. In this situation errors are logged to Apache error_log file.
For Symfony projects, be sure to check files in the project'es app/logs
More details available on this post :
How to debug 500 Error in Symfony 2
Btw, other frameworks or CMS share this kind of behaviour.
Here is another reason why errors might not be visible:
I had the same issue. In my case, I had copied the source from a production environment. Hence the ENVIRONMENT variable defined in index.php was set to 'production'. This caused error_reporting to be set to 0 (no logging). Just set it to 'development' and you should start seeing error messages in apache log.
Turned out the 500 was due to a semi colon missing in database config :-)
Another case which happened to me, is I did a CURL to some of my pages, and got internal server error and nothing was in the apache logs, even when I enabled all error reporting.
My problem was that in the CURL I set
curl_setopt($CR, CURLOPT_FAILONERROR, true);
Which then didn't show me my error, though there was one, this happened because the error was on a framework level and not a PHP one, so it didn't appear in the logs.
You need to enable the PHP error log.
This is due to some random glitch in the web server when you have a php error, it throws a 500 internal error (i have the same issue).
If you look in the PHP error log, you should find your solution.
see here in the doc of how to enable it in the php.ini
Be sure your file permissions are correct. If apache doesn't have permission to read the file then it can't write to the log.
What happened for me when this was an issue, was that the site had used too much memory, so I'm guessing that it couldn't write to an error log or displayed the error. For clarity, it was a Wordpress site that did this. Upping the memory limit on the server showed the site again.
SOLVED
I struggled with this and later on, I realized that I was working on PHP 5.6, so I upgraded to PHP 7.0, then I released there were comments placed by git for conflicting codes. I found something like this in my code <<<<<<<< But solved it.
Can I hide the path in php error using .htaccess
Example:
Notice: Undefined variable: hello in C:\xampp\htdocs\mysite\index.php on line 3
I want to hide the path using .htaccess or print something let me know if there is an error without print the path of the page:
Notice: Undefined variable: hello on line 3
or
Notice: Undefined variable: hello
or
There is error in your page
Edit :
I put this lines in my .htaccess
But I can't access to my site. There is error "Internal Server Error"
How Can I fix that
# supress php errors
php_flag display_startup_errors off
php_flag display_errors off
php_flag html_errors off
php_value docref_root 0
php_value docref_ext 0
PHP’s error messages are not meant for users but for developers only.
So for a production environment, you should disable display_errors to avoid information disclosure:
Note: [display_errors] is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet).
Instead, you should show generic error messages to your users that do not unveil anything of the internals and only log the error messages (see log_errors and error_log):
Note: You're strongly advised to use error logging in place of error displaying on production web sites.
And if you really want to modify PHP’s error messages, you can use set_error_handler to set a custom error handler.
See also OWASP’s Development Guide on “Error Handling, Auditing and Logging” for further information.
You cannot change the messages : those are generated by PHP, and that's the way they are.
But you can prevent them from being displayed to your website's users -- and still log them, for your own usage.
For that, see :
display_errors : to prevent errors from being displayed to the page's output
log_errors : to indicate that errors should be logged to a file
error_log : to specify to which file errors will be logged to.
Of course, that doesn't prevent you from fixing as many causes of notices / warnings / errors as possible ;-)
Get rid of all that useless stuff.
php_flag display_errors 0
alone will be enough.
If error persists, check server's error_log for the error message