Ignore warning and carry on - php

I am running a script where a url parameter is increasing by 1. Every so often, I get the error message below and the script comes to a halt:
Warning: file_get_contents(https://example.com?id=431): failed to open
stream: HTTP request failed! HTTP/1.1 429 Please retry after few
minutes
$i = 1;
while($file = file_get_contents('https://example.com?id='.$i)) {
echo ''.$i.'</br>';
$i++
}
While I know I can use error_reporting(0); to stop the warnings from appearing, my question is as follows: will the script continue running after the hidden warning?

You can, of course, disable error reporting as others have suggested. However, there are two MUCH better solutions.
First, you could use set_error_handler to create a function which converts errors into exceptions (code in Example 1 here: http://php.net/manual/en/class.errorexception.php). Then, you can simply use a try and catch to check to see if an exception has occurred, and handle it appropriately. See here: http://php.net/manual/en/internals2.opcodes.catch.php
Another solution would be to use PHP's cURL library (http://php.net/manual/en/book.curl.php). cURL will let you check if an error has occurred when you make an HTTP request, and you can respond appropriately.
To be clear, since it seems to be OP's only concern: both of these solutions will allow the script to continue running after an error has occurred. They also have the added benefit of allowing OP to create code that makes a predetermined programmatic response to errors rather than just blindly ignoring any and all errors with unknown results (and no indication that they even happened).
Finally, a note that's applicable to this particular situation: HTTP 429 is "too many requests," which makes sense given that OP is placing these requests one after another with no delay. Sleeping (http://php.net/manual/en/function.sleep.php) between HTTP requests would likely eliminate the problem entirely.

This is not something you should use in prod, but try:
error_reporting(E_ERROR | E_PARSE);
I think it is better to check if the file is reachable before trying to read it.

Replace the condition, e.g.:
while($i < 100)

You can try this:
error_reporting(0);
Put this at the top of script

Put this at the top of the script to avoid the warnings and notices.
error_reporting(E_ERROR);
This will still show Fatal run-time errors. These indicate errors that
can not be recovered from, such as a memory allocation problem.
Execution of the script is halted.
To turn of all the errors and warning,
error_reporting(0);

Related

What exactly does the # symbol in front of new mean? [duplicate]

In your opinion, is it ever valid to use the # operator to suppress an error/warning in PHP whereas you may be handling the error?
If so, in what circumstances would you use this?
Code examples are welcome.
Edit: Note to repliers. I'm not looking to turn error reporting off, but, for example, common practice is to use
#fopen($file);
and then check afterwards... but you can get rid of the # by doing
if (file_exists($file))
{
fopen($file);
}
else
{
die('File not found');
}
or similar.
I guess the question is - is there anywhere that # HAS to be used to supress an error, that CANNOT be handled in any other manner?
Note: Firstly, I realise 99% of PHP developers use the error suppression operator (I used to be one of them), so I'm expecting any PHP dev who sees this to disagree.
In your opinion, is it ever valid to use the # operator to suppress an error/warning in PHP whereas you may be handling the error?
Short answer:
No!
Longer more correct answer:
I don't know as I don't know everything, but so far I haven't come across a situation where it was a good solution.
Why it's bad:
In what I think is about 7 years using PHP now I've seen endless debugging agony caused by the error suppression operator and have never come across a situation where it was unavoidable.
The problem is that the piece of code you are suppressing errors for, may currently only cause the error you are seeing; however when you change the code which the suppressed line relies on, or the environment in which it runs, then there is every chance that the line will attempt to output a completely different error from the one you were trying to ignore. Then how do you track down an error that isn't outputting? Welcome to debugging hell!
It took me many years to realise how much time I was wasting every couple of months because of suppressed errors. Most often (but not exclusively) this was after installing a third party script/app/library which was error free in the developers environment, but not mine because of a php or server configuration difference or missing dependency which would have normally output an error immediately alerting to what the issue was, but not when the dev adds the magic #.
The alternatives (depending on situation and desired result):
Handle the actual error that you are aware of, so that if a piece of code is going to cause a certain error then it isn't run in that particular situation. But I think you get this part and you were just worried about end users seeing errors, which is what I will now address.
For regular errors you can set up an error handler so that they are output in the way you wish when it's you viewing the page, but hidden from end users and logged so that you know what errors your users are triggering.
For fatal errors set display_errors to off (your error handler still gets triggered) in your php.ini and enable error logging. If you have a development server as well as a live server (which I recommend) then this step isn't necessary on your development server, so you can still debug these fatal errors without having to resort to looking at the error log file. There's even a trick using the shutdown function to send a great deal of fatal errors to your error handler.
In summary:
Please avoid it. There may be a good reason for it, but I'm yet to see one, so until that day it's my opinion that the (#) Error suppression operator is evil.
You can read my comment on the Error Control Operators page in the PHP manual if you want more info.
I would suppress the error and handle it. Otherwise you may have a TOCTOU issue (Time-of-check, time-of-use. For example a file may get deleted after file_exists returns true, but before fopen).
But I wouldn't just suppress errors to make them go away. These better be visible.
Yes suppression makes sense.
For example, the fopen() command returns FALSE if the file cannot be opened. That's fine, but it also produces a PHP warning message. Often you don't want the warning -- you'll check for FALSE yourself.
In fact the PHP manual specifically suggests using # in this case!
If you don't want a warning thrown when using functions like fopen(), you can suppress the error but use exceptions:
try {
if (($fp = #fopen($filename, "r")) == false) {
throw new Exception;
} else {
do_file_stuff();
}
} catch (Exception $e) {
handle_exception();
}
Error suppression should be avoided unless you know you can handle all the conditions.
This may be much harder than it looks at first.
What you really should do is rely on php's "error_log" to be your reporting method, as you cannot rely on users viewing pages to report errors. ( And you should also disable php from displaying these errors )
Then at least you'll have a comprehensive report of all things going wrong in the system.
If you really must handle the errors, you can create a custom error handler
http://php.net/set-error-handler
Then you could possibly send exceptions ( which can be handled ) and do anything needed to report weird errors to administration.
I NEVER allow myself to use '#'... period.
When I discover usage of '#' in code, I add comments to make it glaringly apparent, both at the point of usage, and in the docblock around the function where it is used. I too have been bitten by "chasing a ghost" debugging due to this kind of error suppression, and I hope to make it easier on the next person by highlighting its usage when I find it.
In cases where I'm wanting my own code to throw an Exception if a native PHP function encounters an error, and '#' seems to be the easy way to go, I instead choose to do something else that gets the same result but is (again) glaringly apparent in the code:
$orig = error_reporting(); // capture original error level
error_reporting(0); // suppress all errors
$result = native_func(); // native_func() is expected to return FALSE when it errors
error_reporting($orig); // restore error reporting to its original level
if (false === $result) { throw new Exception('native_func() failed'); }
That's a lot more code that just writing:
$result = #native_func();
but I prefer to make my suppression need VERY OBVIOUS, for the sake of the poor debugging soul that follows me.
Most people do not understand the meaning of error message.
No kidding. Most of them.
They think that error messages are all the same, says "Something goes wrong!"
They don't bother to read it.
While it's most important part of error message - not just the fact it has been raised, but it's meaning. It can tell you what is going wrong. Error messages are for help, not for bothering you with "how to hide it?" problem. That's one of the biggest misunderstandings in the newbie web-programming world.
Thus, instead of gagging error message, one should read what it says. It has not only one "file not found" value. There can be thousands different errors: permission denied, save mode restriction, open_basedir restriction etc.etc. Each one require appropriate action. But if you gag it you'll never know what happened!
The OP is messing up error reporting with error handling, while it's very big difference!
Error handling is for user. "something happened" is enough here.
While error reporting is for programmer, who desperately need to know what certainly happened.
Thus, never gag errors messages. Both log it for the programmer, and handle it for the user.
is there not a way to suppress from the php.ini warnings and errors? in that case you can debug only changing a flag and not trying to discovering which # is hiding the problem.
Using # is sometimes counter productive. In my experience, you should always turn error reporting off in the php.ini or call
error_reporting(0);
on a production site. This way when you are in development you can just comment out the line and keep errors visible for debugging.
One place I use it is in socket code, for example, if you have a timeout set you'll get a warning on this if you don't include #, even though it's valid to not get a packet.
$data_len = #socket_recvfrom( $sock, $buffer, 512, 0, $remote_host, $remote_port )
The only place where I really needed to use it is the eval function. The problem with eval is that, when string cannot be parsed due to syntax error, eval does not return false, but rather throws an error, just like having a parse error in the regular script. In order to check whether the script stored in the string is parseable you can use something like:
$script_ok = #eval('return true; '.$script);
AFAIK, this is the most elegant way to do this.
Some functions in PHP will issue an E_NOTICE (the unserialize function for example).
A possible way to catch that error (for PHP versions 7+) is to convert all issued errors into exceptions and not let it issue an E_NOTICE. We could change the exception error handler as follow:
function exception_error_handler($severity, $message, $file, $line) {
throw new ErrorException($message, 0, $severity, $file, $line);
}
set_error_handler('exception_error_handler');
try {
unserialize('foo');
} catch(\Exception $e) {
// ... will throw the exception here
}
Today I encountered an issue that was a good example on when one might want to use at least temporarily the # operator.
Long story made short, I found logon info (username and password in plain text) written into the error log trace.
Here a bit more info about this issue.
The logon logic is in a class of it's own, because the system is supposed to offer different logon mechanisms. Due to server migration issues there was an error occurring. That error dumped the entire trace into the error log, including password info! One method expected the username and password as parameters, hence trace wrote everything faithfully into the error log.
The long term fix here is to refactor said class, instead of using username and password as 2 parameters, for example using a single array parameter containing those 2 values (trace will write out Array for the paramater in such cases). There are also other ways of tackling this issue, but that is an entire different issue.
Anyways. Trace messages are helpful, but in this case were outright harmful.
The lesson I learned, as soon as I noticed that trace output: Sometimes suppressing an error message for the time being is an useful stop gap measure to avoid further harm.
In my opinion I didn't think it is a case of bad class design. The error itself was triggered by an PDOException ( timestamp issue moving from MySQL 5.6 to 5.7 ) that just dumped by PHP default everything into the error log.
In general I do not use the # operator for all the reasons explained in other comments, but in this case the error log convinced me to do something quick until the problem was properly fixed.
You do not want to suppress everything, since it slows down your script.
And yes there is a way both in php.ini and within your script to remove errors (but only do this when you are in a live environment and log your errors from php)
<?php
error_reporting(0);
?>
And you can read this for the php.ini version of turning it off.
I have what I think is a valid use-case for error suppression using #.
I have two systems, one running PHP 5.6.something and another running PHP 7.3.something. I want a script which will run properly on both of them, but some stuff didn't exist back in PHP 5.6, so I'm using polyfills like random_compat.
It's always best to use the built-in functions, so I have code that looks like this:
if(function_exists("random_bytes")) {
$bytes = random_bytes(32);
} else {
#include "random_compat/random.php"; // Suppress warnings+errors
if(function_exists("random_bytes")) {
$bytes = random_bytes(32);
} else if(function_exists('openssl_random_pseudo_bytes')) {
$bytes = openssl_random_pseudo_bytes(4);
} else {
// Boooo! We have to generate crappy randomness
$bytes = substr(str_shuffle(str_repeat('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',64)),0,32);
}
}
The fallback to the polyfill should never generate any errors or warnings. I'm checking to see that the function exists after attempting to load the polyfill which is all that is necessary. There is even a fallback to the fallback. And a fallback to the fallback to the fallback.
There is no way to avoid a potential error with include (e.g. using file_exists) so the only way to do it is to suppress warnings and check to see if it worked. At least, in this case.
I can think of one case of use, for auto-increment a non existing array key.
<?php
$totalCars = [];
// suppressing error to avoid a getting a warning error
#$totalCars['toyota']++;
var_export($totalCars);
// array (
// 'toyota' => 1,
// )
// not suppressing error will throw a warning
// but still allows to increase the non-existing key value
$totalCars['ford']++;
var_export($totalCars);
// Warning: Undefined array key "ford"
// array (
// 'toyota' => 1,
// 'ford' => 1,
// )
See this example output here: https://onlinephp.io/c/433f0
If you are using a custom error handling function and wanna suppress an error (probably a known error), use this method. The use of '#' is not a good idea in this context as it will not suppress error if error handler is set.
Write 3 functions and call like this.
# supress error for this statement
supress_error_start();
$mail_sent = mail($EmailTo, $Subject, $message,$headers);
supress_error_end(); #Don't forgot to call this to restore error.
function supress_error_start(){
set_error_handler('nothing');
error_reporting(0);
}
function supress_error_end(){
set_error_handler('my_err_handler');
error_reporting('Set this to a value of your choice');
}
function nothing(){ #Empty function
}
function my_err_handler('arguments will come here'){
//Your own error handling routines will come here
}
In my experience I would say generally speaking, error suppress is just another bad practice for future developers and should be avoided as much as possible as it hides complication of error and prevent error logging unlike Exception which can help developers with error snapshot. But answering the original question which say "If so, in what circumstances would you use this?".
I would say one should use it against some legacy codes or library that don't throw exception errors but instead handles bad errors by keep the error variables with it's object(speaking of OOP) or using a global variable for logging error or just printing error all together.
Take for example the mysqli object
new mysqli($this->host, $this->username, $this->password, $this->db);
This code above barely or never throw an exception on failed connection, it only store error in mysqli::errno and mysli::error
For modern day coding the one solution I found was to suppress the ugly error messages (which helps no one especially when on production server where debug mode is off) and instead devs should throw their own exception. Which is consider modern practice and help coders track errors more quickly.
$this->connection = #new mysqli($this->host, $this->username, $this->password, $this->db);
if($this->connection->connect_errno)
throw new mysqli_sql_exception($this->connection->error);
You can notice the use of suppression # symbol to prevent the ugly error display should incase error display was turned on development server.
Also I had to throw my own exception. This way I was able to use # symbol and same time I didn't hide error nor did I just make my own guess of what the error could be.
I will say if used rightly, then it is justifiable.
I use it when trying to load an HTML file for processing as a DOMDocument object. If there are any problems in the HTML... and what website doesn't have at least one... DOMDocument->loadHTMLFile() will throw an error if you don't suppress it with #. This is the only way (perhaps there are better ones) I've ever been successful in creating HTML scrapers in PHP.

When would you use '#' expression to mute PHP error messages, rather than just debugging the issue? [duplicate]

In your opinion, is it ever valid to use the # operator to suppress an error/warning in PHP whereas you may be handling the error?
If so, in what circumstances would you use this?
Code examples are welcome.
Edit: Note to repliers. I'm not looking to turn error reporting off, but, for example, common practice is to use
#fopen($file);
and then check afterwards... but you can get rid of the # by doing
if (file_exists($file))
{
fopen($file);
}
else
{
die('File not found');
}
or similar.
I guess the question is - is there anywhere that # HAS to be used to supress an error, that CANNOT be handled in any other manner?
Note: Firstly, I realise 99% of PHP developers use the error suppression operator (I used to be one of them), so I'm expecting any PHP dev who sees this to disagree.
In your opinion, is it ever valid to use the # operator to suppress an error/warning in PHP whereas you may be handling the error?
Short answer:
No!
Longer more correct answer:
I don't know as I don't know everything, but so far I haven't come across a situation where it was a good solution.
Why it's bad:
In what I think is about 7 years using PHP now I've seen endless debugging agony caused by the error suppression operator and have never come across a situation where it was unavoidable.
The problem is that the piece of code you are suppressing errors for, may currently only cause the error you are seeing; however when you change the code which the suppressed line relies on, or the environment in which it runs, then there is every chance that the line will attempt to output a completely different error from the one you were trying to ignore. Then how do you track down an error that isn't outputting? Welcome to debugging hell!
It took me many years to realise how much time I was wasting every couple of months because of suppressed errors. Most often (but not exclusively) this was after installing a third party script/app/library which was error free in the developers environment, but not mine because of a php or server configuration difference or missing dependency which would have normally output an error immediately alerting to what the issue was, but not when the dev adds the magic #.
The alternatives (depending on situation and desired result):
Handle the actual error that you are aware of, so that if a piece of code is going to cause a certain error then it isn't run in that particular situation. But I think you get this part and you were just worried about end users seeing errors, which is what I will now address.
For regular errors you can set up an error handler so that they are output in the way you wish when it's you viewing the page, but hidden from end users and logged so that you know what errors your users are triggering.
For fatal errors set display_errors to off (your error handler still gets triggered) in your php.ini and enable error logging. If you have a development server as well as a live server (which I recommend) then this step isn't necessary on your development server, so you can still debug these fatal errors without having to resort to looking at the error log file. There's even a trick using the shutdown function to send a great deal of fatal errors to your error handler.
In summary:
Please avoid it. There may be a good reason for it, but I'm yet to see one, so until that day it's my opinion that the (#) Error suppression operator is evil.
You can read my comment on the Error Control Operators page in the PHP manual if you want more info.
I would suppress the error and handle it. Otherwise you may have a TOCTOU issue (Time-of-check, time-of-use. For example a file may get deleted after file_exists returns true, but before fopen).
But I wouldn't just suppress errors to make them go away. These better be visible.
Yes suppression makes sense.
For example, the fopen() command returns FALSE if the file cannot be opened. That's fine, but it also produces a PHP warning message. Often you don't want the warning -- you'll check for FALSE yourself.
In fact the PHP manual specifically suggests using # in this case!
If you don't want a warning thrown when using functions like fopen(), you can suppress the error but use exceptions:
try {
if (($fp = #fopen($filename, "r")) == false) {
throw new Exception;
} else {
do_file_stuff();
}
} catch (Exception $e) {
handle_exception();
}
Error suppression should be avoided unless you know you can handle all the conditions.
This may be much harder than it looks at first.
What you really should do is rely on php's "error_log" to be your reporting method, as you cannot rely on users viewing pages to report errors. ( And you should also disable php from displaying these errors )
Then at least you'll have a comprehensive report of all things going wrong in the system.
If you really must handle the errors, you can create a custom error handler
http://php.net/set-error-handler
Then you could possibly send exceptions ( which can be handled ) and do anything needed to report weird errors to administration.
I NEVER allow myself to use '#'... period.
When I discover usage of '#' in code, I add comments to make it glaringly apparent, both at the point of usage, and in the docblock around the function where it is used. I too have been bitten by "chasing a ghost" debugging due to this kind of error suppression, and I hope to make it easier on the next person by highlighting its usage when I find it.
In cases where I'm wanting my own code to throw an Exception if a native PHP function encounters an error, and '#' seems to be the easy way to go, I instead choose to do something else that gets the same result but is (again) glaringly apparent in the code:
$orig = error_reporting(); // capture original error level
error_reporting(0); // suppress all errors
$result = native_func(); // native_func() is expected to return FALSE when it errors
error_reporting($orig); // restore error reporting to its original level
if (false === $result) { throw new Exception('native_func() failed'); }
That's a lot more code that just writing:
$result = #native_func();
but I prefer to make my suppression need VERY OBVIOUS, for the sake of the poor debugging soul that follows me.
Most people do not understand the meaning of error message.
No kidding. Most of them.
They think that error messages are all the same, says "Something goes wrong!"
They don't bother to read it.
While it's most important part of error message - not just the fact it has been raised, but it's meaning. It can tell you what is going wrong. Error messages are for help, not for bothering you with "how to hide it?" problem. That's one of the biggest misunderstandings in the newbie web-programming world.
Thus, instead of gagging error message, one should read what it says. It has not only one "file not found" value. There can be thousands different errors: permission denied, save mode restriction, open_basedir restriction etc.etc. Each one require appropriate action. But if you gag it you'll never know what happened!
The OP is messing up error reporting with error handling, while it's very big difference!
Error handling is for user. "something happened" is enough here.
While error reporting is for programmer, who desperately need to know what certainly happened.
Thus, never gag errors messages. Both log it for the programmer, and handle it for the user.
is there not a way to suppress from the php.ini warnings and errors? in that case you can debug only changing a flag and not trying to discovering which # is hiding the problem.
Using # is sometimes counter productive. In my experience, you should always turn error reporting off in the php.ini or call
error_reporting(0);
on a production site. This way when you are in development you can just comment out the line and keep errors visible for debugging.
One place I use it is in socket code, for example, if you have a timeout set you'll get a warning on this if you don't include #, even though it's valid to not get a packet.
$data_len = #socket_recvfrom( $sock, $buffer, 512, 0, $remote_host, $remote_port )
The only place where I really needed to use it is the eval function. The problem with eval is that, when string cannot be parsed due to syntax error, eval does not return false, but rather throws an error, just like having a parse error in the regular script. In order to check whether the script stored in the string is parseable you can use something like:
$script_ok = #eval('return true; '.$script);
AFAIK, this is the most elegant way to do this.
Some functions in PHP will issue an E_NOTICE (the unserialize function for example).
A possible way to catch that error (for PHP versions 7+) is to convert all issued errors into exceptions and not let it issue an E_NOTICE. We could change the exception error handler as follow:
function exception_error_handler($severity, $message, $file, $line) {
throw new ErrorException($message, 0, $severity, $file, $line);
}
set_error_handler('exception_error_handler');
try {
unserialize('foo');
} catch(\Exception $e) {
// ... will throw the exception here
}
Today I encountered an issue that was a good example on when one might want to use at least temporarily the # operator.
Long story made short, I found logon info (username and password in plain text) written into the error log trace.
Here a bit more info about this issue.
The logon logic is in a class of it's own, because the system is supposed to offer different logon mechanisms. Due to server migration issues there was an error occurring. That error dumped the entire trace into the error log, including password info! One method expected the username and password as parameters, hence trace wrote everything faithfully into the error log.
The long term fix here is to refactor said class, instead of using username and password as 2 parameters, for example using a single array parameter containing those 2 values (trace will write out Array for the paramater in such cases). There are also other ways of tackling this issue, but that is an entire different issue.
Anyways. Trace messages are helpful, but in this case were outright harmful.
The lesson I learned, as soon as I noticed that trace output: Sometimes suppressing an error message for the time being is an useful stop gap measure to avoid further harm.
In my opinion I didn't think it is a case of bad class design. The error itself was triggered by an PDOException ( timestamp issue moving from MySQL 5.6 to 5.7 ) that just dumped by PHP default everything into the error log.
In general I do not use the # operator for all the reasons explained in other comments, but in this case the error log convinced me to do something quick until the problem was properly fixed.
You do not want to suppress everything, since it slows down your script.
And yes there is a way both in php.ini and within your script to remove errors (but only do this when you are in a live environment and log your errors from php)
<?php
error_reporting(0);
?>
And you can read this for the php.ini version of turning it off.
I have what I think is a valid use-case for error suppression using #.
I have two systems, one running PHP 5.6.something and another running PHP 7.3.something. I want a script which will run properly on both of them, but some stuff didn't exist back in PHP 5.6, so I'm using polyfills like random_compat.
It's always best to use the built-in functions, so I have code that looks like this:
if(function_exists("random_bytes")) {
$bytes = random_bytes(32);
} else {
#include "random_compat/random.php"; // Suppress warnings+errors
if(function_exists("random_bytes")) {
$bytes = random_bytes(32);
} else if(function_exists('openssl_random_pseudo_bytes')) {
$bytes = openssl_random_pseudo_bytes(4);
} else {
// Boooo! We have to generate crappy randomness
$bytes = substr(str_shuffle(str_repeat('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',64)),0,32);
}
}
The fallback to the polyfill should never generate any errors or warnings. I'm checking to see that the function exists after attempting to load the polyfill which is all that is necessary. There is even a fallback to the fallback. And a fallback to the fallback to the fallback.
There is no way to avoid a potential error with include (e.g. using file_exists) so the only way to do it is to suppress warnings and check to see if it worked. At least, in this case.
I can think of one case of use, for auto-increment a non existing array key.
<?php
$totalCars = [];
// suppressing error to avoid a getting a warning error
#$totalCars['toyota']++;
var_export($totalCars);
// array (
// 'toyota' => 1,
// )
// not suppressing error will throw a warning
// but still allows to increase the non-existing key value
$totalCars['ford']++;
var_export($totalCars);
// Warning: Undefined array key "ford"
// array (
// 'toyota' => 1,
// 'ford' => 1,
// )
See this example output here: https://onlinephp.io/c/433f0
If you are using a custom error handling function and wanna suppress an error (probably a known error), use this method. The use of '#' is not a good idea in this context as it will not suppress error if error handler is set.
Write 3 functions and call like this.
# supress error for this statement
supress_error_start();
$mail_sent = mail($EmailTo, $Subject, $message,$headers);
supress_error_end(); #Don't forgot to call this to restore error.
function supress_error_start(){
set_error_handler('nothing');
error_reporting(0);
}
function supress_error_end(){
set_error_handler('my_err_handler');
error_reporting('Set this to a value of your choice');
}
function nothing(){ #Empty function
}
function my_err_handler('arguments will come here'){
//Your own error handling routines will come here
}
In my experience I would say generally speaking, error suppress is just another bad practice for future developers and should be avoided as much as possible as it hides complication of error and prevent error logging unlike Exception which can help developers with error snapshot. But answering the original question which say "If so, in what circumstances would you use this?".
I would say one should use it against some legacy codes or library that don't throw exception errors but instead handles bad errors by keep the error variables with it's object(speaking of OOP) or using a global variable for logging error or just printing error all together.
Take for example the mysqli object
new mysqli($this->host, $this->username, $this->password, $this->db);
This code above barely or never throw an exception on failed connection, it only store error in mysqli::errno and mysli::error
For modern day coding the one solution I found was to suppress the ugly error messages (which helps no one especially when on production server where debug mode is off) and instead devs should throw their own exception. Which is consider modern practice and help coders track errors more quickly.
$this->connection = #new mysqli($this->host, $this->username, $this->password, $this->db);
if($this->connection->connect_errno)
throw new mysqli_sql_exception($this->connection->error);
You can notice the use of suppression # symbol to prevent the ugly error display should incase error display was turned on development server.
Also I had to throw my own exception. This way I was able to use # symbol and same time I didn't hide error nor did I just make my own guess of what the error could be.
I will say if used rightly, then it is justifiable.
I use it when trying to load an HTML file for processing as a DOMDocument object. If there are any problems in the HTML... and what website doesn't have at least one... DOMDocument->loadHTMLFile() will throw an error if you don't suppress it with #. This is the only way (perhaps there are better ones) I've ever been successful in creating HTML scrapers in PHP.

PHP custom error page

Everyone says that "Enabling errors to be shown" in an active site is bad (due to some security issues).
Now, we have to consider 2 cases:
The site is in debug mode
The site is not in debug mode
Now, for case #1:
We want to see the errors. How?
ini_set('error_reporting', E_ALL);
ini_set('display_errors', 1);
Nothing more simple. Also we can customize an error handler for all errors except Parse and Fatal.
Instead, if the case is #2:
We would like to be able to deactivate the messages:
ini_set('error_reporting', 0);
ini_set('display_errors', 0);
And it's ok. But what about showing users a friendly message such as "Hei man, something is really f**ked up. I don't assure you we are working to fix it, since we are very lazy.".
You should enable errors again and just use the function set_error_handler() and hope that no parse or fatal errors occur. But my first question is:
Question 1: Is that possible to avoid error reporting and have a custom offline page that is loaded when something goes wrong? I mean, is it possible to have ini_set('error_reporting', 0); and ini_set('display_errors', 0); and still be able to tell PHP to load a custom Error page?
And now another:
Question 2: I developed a class that with the power of set_error_handler() logs errors occurred into the database. In this way I can keep track of hack attempts and other cool stuff. (And yes, i'm always sure the DB is accessible since my application shuts down if we cannot connect to the DB). Is this worth something?
Some time ago I created small system that redirects you to error page when fatal error occurs / uncaught exception was thrown. It was possible with assumption, that every request is handled by one file and ends in this file, so by reaching end of this file I'm sure that everything went OK. With this condition I've set up function to redirect on error page and registered it as shutdown function - so it will be called at the end of all requests. Now in this function I check conditions for clean shutdown and if hey are met, I do nothing and output is flushed to the browser, otherwise buffer is cleaned and only header redirecting to error page is sent.
Simplified version of this code:
<?php
function redirect_on_error(){
if(!defined('EVERYTHING_WENT_OK')){
ob_end_clean();
header('Location: error.html');
}
}
register_shutdown_function('redirect_on_error');
ob_start();
include 'some/working/code.php';
echo "Now I'm going to call undefined function or throw something bad";
undefined_function();
throw new Exception('In case undefined function is defined.');
define('EVERYTHING_WENT_OK', TRUE);
exit;
Question 1: Is that possible to avoid error reporting and have a custom offline page that is loaded when something goes wrong?
Unfortunately, I don't think so, at least for fatal errors. However, recent versions of PHP always send a 500 response when that occurs, so, depending on webserver, you may be able to rewrite the response if such thing happens. If your actual server running PHP is behind a reverse proxy, this becomes trivial with Apache.
Question 2: I developed a class that with the power of set_error_handler() logs errors occurred into the database.
Sure, it's always good to log the errors. You already seem to be aware of the limitations of logging errors into the database.

PHP turn off errors - in one file only

I am well aware about error_reporting(0); & ini_set('display_errors', "Off"); to make error messages go away.
What would be an appropriate way to do this - for a specific file or part of code only?
Surpressing errors with #'s seems like a bad idea since it apparently slows the code down...
The reason? We have a number of memcached servers in a development LAN that is really unreliable due to the network settings, thereby we are recieving errors multiple times every hour and there's nothing we can do about it except stop using memcache or turning off errors for the whole application, which would be giving us a headache - in the middle of the development stage :)
<?php
// normal code
// error_reporting returns the old error code
$old_error_reporting = error_reporting(0);
// your errorful code
// reset error_reporting to its old value
error_reporting($old_error_reporting);
// normal code
Although it would be a good idea to fix what is actually causing the errors.
You've kind of answered your own question. To do it for a specific file, error_reporting(0); will turn off errors. You can also call it multiple times in a script, I think.
You can also use php exceptions to 'catch' errors over a block of code. For example:
try {
// code to ignore errors for here
} catch {
// you can output a custom error here, but putting nothing here will effectively mean errors are ignored for the try block
}
The script will continue running past the try block, even if there is an error within it. See the PHP Manual Entry for more information.
You can change the error reporting level during runtime:
<?
error_reporting(E_ALL);
... some code ....
error_reporting(0);
... some more code ....
error_reporting(E_ALL);
I know of no other way but I can't think of a case where this wouldn't be sufficient. Can you?
That's really a long time ago but someone like me would maybe use my answer.
When i need to do this kind of stuff, i just put # before the variable in order to NOT display the errors coming from this variable.
example:
switch(#$var!="e") {
....
}

Suppress error with # operator in PHP

In your opinion, is it ever valid to use the # operator to suppress an error/warning in PHP whereas you may be handling the error?
If so, in what circumstances would you use this?
Code examples are welcome.
Edit: Note to repliers. I'm not looking to turn error reporting off, but, for example, common practice is to use
#fopen($file);
and then check afterwards... but you can get rid of the # by doing
if (file_exists($file))
{
fopen($file);
}
else
{
die('File not found');
}
or similar.
I guess the question is - is there anywhere that # HAS to be used to supress an error, that CANNOT be handled in any other manner?
Note: Firstly, I realise 99% of PHP developers use the error suppression operator (I used to be one of them), so I'm expecting any PHP dev who sees this to disagree.
In your opinion, is it ever valid to use the # operator to suppress an error/warning in PHP whereas you may be handling the error?
Short answer:
No!
Longer more correct answer:
I don't know as I don't know everything, but so far I haven't come across a situation where it was a good solution.
Why it's bad:
In what I think is about 7 years using PHP now I've seen endless debugging agony caused by the error suppression operator and have never come across a situation where it was unavoidable.
The problem is that the piece of code you are suppressing errors for, may currently only cause the error you are seeing; however when you change the code which the suppressed line relies on, or the environment in which it runs, then there is every chance that the line will attempt to output a completely different error from the one you were trying to ignore. Then how do you track down an error that isn't outputting? Welcome to debugging hell!
It took me many years to realise how much time I was wasting every couple of months because of suppressed errors. Most often (but not exclusively) this was after installing a third party script/app/library which was error free in the developers environment, but not mine because of a php or server configuration difference or missing dependency which would have normally output an error immediately alerting to what the issue was, but not when the dev adds the magic #.
The alternatives (depending on situation and desired result):
Handle the actual error that you are aware of, so that if a piece of code is going to cause a certain error then it isn't run in that particular situation. But I think you get this part and you were just worried about end users seeing errors, which is what I will now address.
For regular errors you can set up an error handler so that they are output in the way you wish when it's you viewing the page, but hidden from end users and logged so that you know what errors your users are triggering.
For fatal errors set display_errors to off (your error handler still gets triggered) in your php.ini and enable error logging. If you have a development server as well as a live server (which I recommend) then this step isn't necessary on your development server, so you can still debug these fatal errors without having to resort to looking at the error log file. There's even a trick using the shutdown function to send a great deal of fatal errors to your error handler.
In summary:
Please avoid it. There may be a good reason for it, but I'm yet to see one, so until that day it's my opinion that the (#) Error suppression operator is evil.
You can read my comment on the Error Control Operators page in the PHP manual if you want more info.
I would suppress the error and handle it. Otherwise you may have a TOCTOU issue (Time-of-check, time-of-use. For example a file may get deleted after file_exists returns true, but before fopen).
But I wouldn't just suppress errors to make them go away. These better be visible.
Yes suppression makes sense.
For example, the fopen() command returns FALSE if the file cannot be opened. That's fine, but it also produces a PHP warning message. Often you don't want the warning -- you'll check for FALSE yourself.
In fact the PHP manual specifically suggests using # in this case!
If you don't want a warning thrown when using functions like fopen(), you can suppress the error but use exceptions:
try {
if (($fp = #fopen($filename, "r")) == false) {
throw new Exception;
} else {
do_file_stuff();
}
} catch (Exception $e) {
handle_exception();
}
Error suppression should be avoided unless you know you can handle all the conditions.
This may be much harder than it looks at first.
What you really should do is rely on php's "error_log" to be your reporting method, as you cannot rely on users viewing pages to report errors. ( And you should also disable php from displaying these errors )
Then at least you'll have a comprehensive report of all things going wrong in the system.
If you really must handle the errors, you can create a custom error handler
http://php.net/set-error-handler
Then you could possibly send exceptions ( which can be handled ) and do anything needed to report weird errors to administration.
I NEVER allow myself to use '#'... period.
When I discover usage of '#' in code, I add comments to make it glaringly apparent, both at the point of usage, and in the docblock around the function where it is used. I too have been bitten by "chasing a ghost" debugging due to this kind of error suppression, and I hope to make it easier on the next person by highlighting its usage when I find it.
In cases where I'm wanting my own code to throw an Exception if a native PHP function encounters an error, and '#' seems to be the easy way to go, I instead choose to do something else that gets the same result but is (again) glaringly apparent in the code:
$orig = error_reporting(); // capture original error level
error_reporting(0); // suppress all errors
$result = native_func(); // native_func() is expected to return FALSE when it errors
error_reporting($orig); // restore error reporting to its original level
if (false === $result) { throw new Exception('native_func() failed'); }
That's a lot more code that just writing:
$result = #native_func();
but I prefer to make my suppression need VERY OBVIOUS, for the sake of the poor debugging soul that follows me.
Most people do not understand the meaning of error message.
No kidding. Most of them.
They think that error messages are all the same, says "Something goes wrong!"
They don't bother to read it.
While it's most important part of error message - not just the fact it has been raised, but it's meaning. It can tell you what is going wrong. Error messages are for help, not for bothering you with "how to hide it?" problem. That's one of the biggest misunderstandings in the newbie web-programming world.
Thus, instead of gagging error message, one should read what it says. It has not only one "file not found" value. There can be thousands different errors: permission denied, save mode restriction, open_basedir restriction etc.etc. Each one require appropriate action. But if you gag it you'll never know what happened!
The OP is messing up error reporting with error handling, while it's very big difference!
Error handling is for user. "something happened" is enough here.
While error reporting is for programmer, who desperately need to know what certainly happened.
Thus, never gag errors messages. Both log it for the programmer, and handle it for the user.
is there not a way to suppress from the php.ini warnings and errors? in that case you can debug only changing a flag and not trying to discovering which # is hiding the problem.
Using # is sometimes counter productive. In my experience, you should always turn error reporting off in the php.ini or call
error_reporting(0);
on a production site. This way when you are in development you can just comment out the line and keep errors visible for debugging.
One place I use it is in socket code, for example, if you have a timeout set you'll get a warning on this if you don't include #, even though it's valid to not get a packet.
$data_len = #socket_recvfrom( $sock, $buffer, 512, 0, $remote_host, $remote_port )
The only place where I really needed to use it is the eval function. The problem with eval is that, when string cannot be parsed due to syntax error, eval does not return false, but rather throws an error, just like having a parse error in the regular script. In order to check whether the script stored in the string is parseable you can use something like:
$script_ok = #eval('return true; '.$script);
AFAIK, this is the most elegant way to do this.
Some functions in PHP will issue an E_NOTICE (the unserialize function for example).
A possible way to catch that error (for PHP versions 7+) is to convert all issued errors into exceptions and not let it issue an E_NOTICE. We could change the exception error handler as follow:
function exception_error_handler($severity, $message, $file, $line) {
throw new ErrorException($message, 0, $severity, $file, $line);
}
set_error_handler('exception_error_handler');
try {
unserialize('foo');
} catch(\Exception $e) {
// ... will throw the exception here
}
Today I encountered an issue that was a good example on when one might want to use at least temporarily the # operator.
Long story made short, I found logon info (username and password in plain text) written into the error log trace.
Here a bit more info about this issue.
The logon logic is in a class of it's own, because the system is supposed to offer different logon mechanisms. Due to server migration issues there was an error occurring. That error dumped the entire trace into the error log, including password info! One method expected the username and password as parameters, hence trace wrote everything faithfully into the error log.
The long term fix here is to refactor said class, instead of using username and password as 2 parameters, for example using a single array parameter containing those 2 values (trace will write out Array for the paramater in such cases). There are also other ways of tackling this issue, but that is an entire different issue.
Anyways. Trace messages are helpful, but in this case were outright harmful.
The lesson I learned, as soon as I noticed that trace output: Sometimes suppressing an error message for the time being is an useful stop gap measure to avoid further harm.
In my opinion I didn't think it is a case of bad class design. The error itself was triggered by an PDOException ( timestamp issue moving from MySQL 5.6 to 5.7 ) that just dumped by PHP default everything into the error log.
In general I do not use the # operator for all the reasons explained in other comments, but in this case the error log convinced me to do something quick until the problem was properly fixed.
You do not want to suppress everything, since it slows down your script.
And yes there is a way both in php.ini and within your script to remove errors (but only do this when you are in a live environment and log your errors from php)
<?php
error_reporting(0);
?>
And you can read this for the php.ini version of turning it off.
I have what I think is a valid use-case for error suppression using #.
I have two systems, one running PHP 5.6.something and another running PHP 7.3.something. I want a script which will run properly on both of them, but some stuff didn't exist back in PHP 5.6, so I'm using polyfills like random_compat.
It's always best to use the built-in functions, so I have code that looks like this:
if(function_exists("random_bytes")) {
$bytes = random_bytes(32);
} else {
#include "random_compat/random.php"; // Suppress warnings+errors
if(function_exists("random_bytes")) {
$bytes = random_bytes(32);
} else if(function_exists('openssl_random_pseudo_bytes')) {
$bytes = openssl_random_pseudo_bytes(4);
} else {
// Boooo! We have to generate crappy randomness
$bytes = substr(str_shuffle(str_repeat('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',64)),0,32);
}
}
The fallback to the polyfill should never generate any errors or warnings. I'm checking to see that the function exists after attempting to load the polyfill which is all that is necessary. There is even a fallback to the fallback. And a fallback to the fallback to the fallback.
There is no way to avoid a potential error with include (e.g. using file_exists) so the only way to do it is to suppress warnings and check to see if it worked. At least, in this case.
I can think of one case of use, for auto-increment a non existing array key.
<?php
$totalCars = [];
// suppressing error to avoid a getting a warning error
#$totalCars['toyota']++;
var_export($totalCars);
// array (
// 'toyota' => 1,
// )
// not suppressing error will throw a warning
// but still allows to increase the non-existing key value
$totalCars['ford']++;
var_export($totalCars);
// Warning: Undefined array key "ford"
// array (
// 'toyota' => 1,
// 'ford' => 1,
// )
See this example output here: https://onlinephp.io/c/433f0
If you are using a custom error handling function and wanna suppress an error (probably a known error), use this method. The use of '#' is not a good idea in this context as it will not suppress error if error handler is set.
Write 3 functions and call like this.
# supress error for this statement
supress_error_start();
$mail_sent = mail($EmailTo, $Subject, $message,$headers);
supress_error_end(); #Don't forgot to call this to restore error.
function supress_error_start(){
set_error_handler('nothing');
error_reporting(0);
}
function supress_error_end(){
set_error_handler('my_err_handler');
error_reporting('Set this to a value of your choice');
}
function nothing(){ #Empty function
}
function my_err_handler('arguments will come here'){
//Your own error handling routines will come here
}
In my experience I would say generally speaking, error suppress is just another bad practice for future developers and should be avoided as much as possible as it hides complication of error and prevent error logging unlike Exception which can help developers with error snapshot. But answering the original question which say "If so, in what circumstances would you use this?".
I would say one should use it against some legacy codes or library that don't throw exception errors but instead handles bad errors by keep the error variables with it's object(speaking of OOP) or using a global variable for logging error or just printing error all together.
Take for example the mysqli object
new mysqli($this->host, $this->username, $this->password, $this->db);
This code above barely or never throw an exception on failed connection, it only store error in mysqli::errno and mysli::error
For modern day coding the one solution I found was to suppress the ugly error messages (which helps no one especially when on production server where debug mode is off) and instead devs should throw their own exception. Which is consider modern practice and help coders track errors more quickly.
$this->connection = #new mysqli($this->host, $this->username, $this->password, $this->db);
if($this->connection->connect_errno)
throw new mysqli_sql_exception($this->connection->error);
You can notice the use of suppression # symbol to prevent the ugly error display should incase error display was turned on development server.
Also I had to throw my own exception. This way I was able to use # symbol and same time I didn't hide error nor did I just make my own guess of what the error could be.
I will say if used rightly, then it is justifiable.
I use it when trying to load an HTML file for processing as a DOMDocument object. If there are any problems in the HTML... and what website doesn't have at least one... DOMDocument->loadHTMLFile() will throw an error if you don't suppress it with #. This is the only way (perhaps there are better ones) I've ever been successful in creating HTML scrapers in PHP.

Categories