I am investigating a still undiscovered zero day exploit in Revive Adserver. An attack happen on one location and the attacker was able to invoke an eval which was already in the development and production version of Revive Adserver code base.
I have investigated the access_logs and they indicate the user was doing a POST attack on delivery script fc.php but the payload of POST still remains unclear.
The code base of Revive Adserver is very mixed, old and weird at times. There are lots of points where an eval is called in the code, and one might find something like:
$values = eval(substr(file_get_contents(self::$file), 6));
Which is actually a Smarty template thing, but it looks really scary.
As mentioned, lots and lots of eval appearances are throughout the code and it would take a whole lot time to go through each one at this time.
Is there a possibility to override eval function in PHP to display some trace information, i.e. from which file it was called, on which line did it occur?
If not, is it possible to do this by modifying PHP's C/C++ source code and recompiling it altogether?
Or is there a PHP extension or some tool which can trace all eval callbacks throughout a script?
And if there's no such thing, it would be great if someone would develop it since it would speed up investigating malicious code containing eval's.
is there a possibility to override eval function in PHP to display some trace information, i.e. from which file it was called, on which line did it occur?
Sort of.
You can add eval to disable_functions in php.ini. Then when you call eval you'll get the fatal error function eval not found or such.
Then with a custom error handler.
set_error_handler(function($errno, $errstr, $errfile, $errline){
if(false !== strpos($errstr,'eval')){
throw new Exception();
}else{
return false; //see below
}
//debug_print_backtrace() - I prefer exceptions as they are easier to work with, but you can use this arcane thing too.
});
Or something like that (untested).
Unfortunately you cannot redefine eval as your own function. Eval is not really a function, its a language construct like isset, empty, include etc... For example function_exists('empty') is always false. Some are just more "function" like then others.
In any case you'll probably have to disable eval, I cant really think of a way around that.
Tip
Don't forget you can do this:
try{
throw new \Exception;
}catch(\Exception $e){
echo $e->getTraceAsString();
}
Which both suppresses the exception (so execution continues), and gives you a nice stacktrace.
Tip
http://php.net/manual/en/function.set-error-handler.php
It is important to remember that the standard PHP error handler is completely bypassed for the error types specified by error_types unless the callback function returns FALSE
So given the above, you can/should return false for all other errors. Then PHP will report them. I am not sure it really matters much in this case, as this isn't really meant to be in production code, but I felt it worth mentioning.
Hope it helps.
EDIT: It turned out that what I stated in this question was totally wrong. The code was actually turning off error reporting explicitly prior to autoloading, in places where I hadn't found it.
So this question is basically useless. The accepted answer is correct.
In my current configuration, whenever some PHP file has fatal errors such as syntax errors or calling a function that does not exist, I usually get an error message such like:
Parse error: syntax error, unexpected <whatever> in /path/to/file.php on line XXX
or
Fatal error: Call to undefined function whatever() in /path/to/file.php on line YYY
or the like in the very output.
However, I am using third-party libraries which use a third-party autoloader. Whenever there's a fatal error in any of the autoloaded classes (including parse errors or calling unexisting functions - actually not completely sure about the latter but definitely of the parse error case), I just get a blank page, and not only that: no error is even logged in Apache's error_log file, where usually PHP fatal errors would be logged. So debugging becomes impossible.
I can't stress this enough: this only happens when the fatal error is in some autoloaded file. In every other case (including of course errors in files included via require(), include() and the like), the same errors do show up in the output and in the error_log.
I didn't write the autoloader code, but it's basically like this:
// no idea why this line, but I don't think it's relevant:
ini_set('unserialize_callback_func', 'spl_autoload_call');
spl_autoload_register(array('My_Autoloader', 'autoload'), true);
class My_Autoloader {
static function autoload($classname) {
$filename = //.... computes $filename from $classname
require_once($filename);
}
}
There must be a way to have the autoloader throw errors the same way they would be thrown (and handled) if the errors were not in an autoloaded file, right?
How do I get that?
The only way that the code would behave as you suggest is if the third party code is overriding the error reporting. (EDIT by OP: Yep, it turns out it actually was.) That is usually considered good practice for production systems, but it should be logging the error.
That your third party code is causing such errors gives me pause to wonder about its quality, but we'll ignore that for now.
PHP's built in mechanisms will handle the reporting (to the browser) and the logging (to file). Non fatal errors can be managed by your own code after calling set_error_handler() however fatal errors are not handed off via this route. It is possible to trap and handle fatal errors in your own code using register_shutdown_function(). But start by checking your log files.
If, as you say, both error logging and error reporting are disabled, then stop using this third party code - it is toxic.
Syntax Error Check only on Command Line
With php -l somefile.php from PHP
shell_exec('php -l /fullpath/to/somefile.php')
but you have to analyse the respone string for errors.
Normal response No syntax errors detected in somefile.php
In PHP <= 5.0.4 there was php.net/manual/en/function.php-check-syntax.php
Here a fatal error catch that works:
register_shutdown_function(function(){
$err=error_get_last();
if($err['type']===1){
/*you got an fatal error do something, write it to an file*/
#file_put_contents(var_export($err,true),'myfatalerror.log');
}
});
Hope that helps:)
Use php exception so you can call your file into
function inverse($x) {
if (!$x) {
throw new Exception('Division par zéro.');
}
return 1/$x;
}
try {
echo inverse(5) . "\n";
echo inverse(0) . "\n";
} catch (Exception $e) {
echo 'Exception reçue : ', $e->getMessage(), "\n";
}
I want to override the default PHP error handler.I'm sure this has been implemented countless times.
I've found the following projects, but most seem quite old and small projects.
I would primarily like to have:
Development mode, that simply displays all errors/notifications
Production mode, that allows displaying clean custom lay-out pages to the user
Logging to text file (i don't have admin access to the webserver, so can't set this up through the PHP settings)
Send warning e-mails on serious errors
Log to database
How can this be done in php?
You can use set_error_handler function to set your custom error handler and then do whatever you'd like with it.
The best practice, IMO, is to throw ErrorException when error occurs and handle it with try/catch (Note: with handling I don't mean muting errors). For example:
function exception_error_handler($errno, $errstr, $errfile, $errline ) {
throw new ErrorException($errstr, $errno, 0, $errfile, $errline);
}
set_error_handler("exception_error_handler");
try {
//Some code that may produce error
} catch (ErrorException $e) {
$someLogger->log($e->getMessage());
}
Instead of logger you may have your own custom class that will implement your requirements. So if any of already existing source meets your needs use one, otherwise create.
Note #1: If you want to do something on fatal errors (logging comes in my mind) you can use register_shutdown_function
Note #2: You said that classes/projects you've found are small. There are two things. First, you can't measure how good code is with LOC. Second, there;s not really much to do with errors.
Edit:
In general, it's not common and not even acceptable to re-implement everything from the ground when you develop new project. You should build your own libraries once and then use them in your projects. Personally, I use KLogger for logging stuff and I am happy with it.
I've been reading on in particular 'error logging' And I have come up with the function 'error_log' which seem to be a good tool to use to handle the error logging. But how is the smoothest and best way to use it?
If I have a
try {
//try a database connection...
} catch (PDOException $e) {
error_log($e->getMessage(), 3, "/var/tmp/my-errors.log");
}
This would log the error in the my-errors.log file. But what If I sometime need to change the position of where the file is, a new folder, or something. If I have tons of files I need to change them all.
Now I started of thinking to use a variable to set the path to the error log. Sure that could work, but what If I want to use the error_log in a function or class method? Then I would need to set the variable as global, but that is considered bad practise! But what If I shouldn't use the function deep in a class, wouldn't that also be considered bad practise? What is a good solution here?
<?php
function legit() {
try {
if (1 == 1) {
throw new Exception('There was an error here');
}
} catch (Exception $e) {
throw new Exception('throw the error to the try-catch outside the function...');
}
}
try {
legit();
} catch (Exception $e) {
echo 'error here' . $e->getMessage();
//log it
}
This is an example of what I was talking about above (Not having the logging deep in a class/function... Is it a good way?)
Furtheron:
I am not quite sure how I should use the Exceptions in general. Let's say I want to do a INSERT to a database with SQL inside a method, would I use a try/catch and then rethrow the exception if it fails? Is that considered good practise? Examples please.
Firstly, I'd like to commend you for looking at the standard error methods within PHP. Unfortunately error_log has some limitations as you found out.
This is a long answer, read on to find out about:
Errors
Logging the error directly vs trigger_error and set_error_handler
Where good errors go bad - Fatal Errors.
Exceptions
SPL
What to do with them?
Code
Setup
Usage
TL;DR Use trigger_error for raising errors and set_error_handler for logging them.
Errors
=========
When things don't go as expected in your program, you will often want to raise an error so that someone or something is notified. An error is for a situation where the program may continue, but something noteworthy, possibly harmful or erroneous has occurred. At this point many people want to log the error immediately with their logging package of choice. I believe this is exactly the wrong thing to do. I recommend using trigger_error to raise the error so that it can be handled with a callback set by set_error_handler. Lets compare these options:
Logging the error directly
So, you have chosen your logging package. Now you are ready to spread the calls to your logger wherever an error occurs in your code. Lets look at a single call that you might make (I'll use a similar logger to the one in Jack's answer):
Logger::getLogger('standard')->error('Ouch, this hurts');
What do you need in place to run this code?
Class: Logger
Method: getLogger
Return: Object with method 'error'
These are the dependencies that are required to use this code. Everyone who wants to re-use this code will have to provide these dependencies. This means that a standard PHP configuration will no longer be sufficient to re-use your code. With the best case, using Dependency Injection you still require a logger object to be passed into all of your code that can emit an error.
Also, in addition to whatever the code is responsible for, it also has responsibility for logging the error. This goes against the Single Responsibility Principle.
We can see that logging the error directly is bad.
trigger_error to the rescue
PHP has a function called trigger_error which can be used to raise an error just like the standard functions do. The error levels that you use with it are defined in the error level constants. As a user you must use one of the user errors: E_USER_ERROR, E_USER_WARNING or the default value E_USER_NOTICE (other error levels are reserved for the standard functions etc.). Using a standard PHP function to raise the error allows the code to be re-used with any standard PHP installation! Our code is no longer responsible for logging the error (only making sure that it is raised).
Using trigger_error we only perform half of the error logging process (raising the error) and save the responsibility of responding to the error for the error handler which will be covered next.
Error Handler
We set a custom error handler with the set_error_handler function (see the code setup). This custom error handler replaces the standard PHP error handler that normally logs messages in the web server error log depending on the PHP configuration settings. We can still use this standard error handler by returning false within our custom error handler.
The custom error handler has a single responsibility: to respond to the error (including any logging that you want to do). Within the custom error handler you have full access to the system and can run any sort of logging that you want. Virtually any logger that uses the Observer design pattern will be ok (I'm not going to go into that as I believe it is of secondary importance). This should allow you to hook in new log observers to send the output to where you need it.
You have complete control to do what you like with the errors in a single maintainable part of your code. The error logging can now be changed quickly and easily from project to project or within a single project from page to page. Interestingly even # suppressed errors make it to the custom error handler with an errno of 0 which if the error_reporting mask is respected should not be reported.
When Good Errors go Bad - Fatal Errors
It is not possible to continue from certain errors. The following error levels can not be handled from a custom error handler: E_ERROR, E_PARSE, E_CORE_ERROR, E_CORE_WARNING, E_COMPILE_ERROR, E_COMPILE_WARNING. When these sorts of errors are triggered by a standard function call the custom error handler is skipped and the system shuts down. This can be generated by:
call_this_function_that_obviously_does_not_exist_or_was_misspelt();
This is a serious mistake! It is impossible to recover from, and the system is about to shut down. Our only choice is to have a register_shutdown_function deal with the shutdown. However this function is executed whenever a script completes (successful, as well as unsuccessful). Using this and error_get_last some basic information can be logged (the system is almost shutdown at this point) when the last error was a fatal error. It can also be useful to send the correct status code and show an Internal Server Error type page of your choosing.
Exceptions
=============
Exceptions can be dealt with in a very similar way to basic errors. Instead of trigger_error an exception will be thrown by your code (manually with throw new Exception or from a standard function call). Use set_exception_handler to define the callback you want to use to handle the exception with.
SPL
The Standard PHP Library (SPL) provides exceptions. They are my preferred way of raising exceptions because like trigger_error they are a standard part of PHP which does not introduce extra dependencies to your code.
What to do with them?
When an exception is thrown there are three choices that can be made:
Catch it and fix it (the code then continues as if nothing bad happened).
Catch it, append useful information and re-throw it.
Let it bubble up to a higher level.
At each level of the stack these choices are made. Eventually once it bubbles up to the highest level the callback you set with set_exception_handler will be executed. This is where your logging code belongs (for the same reasons as the error handling) rather than spread throughout catch statements in your code.
3. Code
Setup
Error Handler
function errorHandler($errno , $errstr, $errfile, $errline, $errcontext)
{
// Perform your error handling here, respecting error_reporting() and
// $errno. This is where you can log the errors. The choice of logger
// that you use is based on your preference. So long as it implements
// the observer pattern you will be able to easily add logging for any
// type of output you desire.
}
$previousErrorHandler = set_error_handler('errorHandler');
Exception Handler
function exceptionHandler($e)
{
// Perform your exception handling here.
}
$previousExceptionHandler = set_exception_handler('exceptionHandler');
Shutdown Function
function shutdownFunction()
{
$err = error_get_last();
if (!isset($err))
{
return;
}
$handledErrorTypes = array(
E_USER_ERROR => 'USER ERROR',
E_ERROR => 'ERROR',
E_PARSE => 'PARSE',
E_CORE_ERROR => 'CORE_ERROR',
E_CORE_WARNING => 'CORE_WARNING',
E_COMPILE_ERROR => 'COMPILE_ERROR',
E_COMPILE_WARNING => 'COMPILE_WARNING');
// If our last error wasn't fatal then this must be a normal shutdown.
if (!isset($handledErrorTypes[$err['type']]))
{
return;
}
if (!headers_sent())
{
header('HTTP/1.1 500 Internal Server Error');
}
// Perform simple logging here.
}
register_shutdown_function('shutdownFunction');
Usage
Errors
// Notices.
trigger_error('Disk space is below 20%.', E_USER_NOTICE);
trigger_error('Disk space is below 20%.'); // Defaults to E_USER_NOTICE
// Warnings.
fopen('BAD_ARGS'); // E_WARNING fopen() expects at least 2 parameters, 1 given
trigger_error('Warning, this mode could be dangerous', E_USER_WARNING);
// Fatal Errors.
// This function has not been defined and so a fatal error is generated that
// does not reach the custom error handler.
this_function_has_not_been_defined();
// Execution does not reach this point.
// The following will be received by the custom error handler but is fatal.
trigger_error('Error in the code, cannot continue.', E_USER_ERROR);
// Execution does not reach this point.
Exceptions
Each of the three choices from before are listed here in a generic way, fix it, append to it and let it bubble up.
1 Loggable. Let it bubble up:
// Don't catch it.
// Either it will be caught by error handler
// Or PHP will log it as a fatal error
2 Fixable:
try
{
$value = code_that_can_generate_exception();
}
catch (Exception $e)
{
// We decide to emit a notice here (a warning could also be used).
trigger_error('We had to use the default value instead of ' .
'code_that_can_generate_exception\'s', E_USER_NOTICE);
// Fix the exception.
$value = DEFAULT_VALUE;
}
// Code continues executing happily here.
3 Append:
Observe below how the code_that_can_generate_exception() does not know about $context. The catch block at this level has more information which it can append to the exception if it is useful by rethrowing it.
try
{
$context = 'foo';
$value = code_that_can_generate_exception();
}
catch (Exception $e)
{
// Raise another exception, with extra information and the existing
// exception set as the previous exception.
throw new Exception('Context: ' . $context, 0, $e);
}
It has been requested to make this answer more applicable to a larger audience, so here goes.
Preamble
Error handling is usually not the first thing you will want to think about when writing an application; as an indirect result it gets bolted on as the need arises. However, it doesn't have to cost much to leverage existing mechanisms in PHP either.
It's a fairly lengthy article, so I've broken it down into logical sets of text.
Triggering errors
Within PHP there are two distinct ways for errors to get triggered:
Errors from PHP itself (e.g. using undefined variables) or internal functions (e.g. imagecreatefromjpeg could not open a file),
Errors triggered by user code using trigger_error,
These are usually printed on your page (unless display_errors is switched off or error_reporting is zero), which should be standard for production machines unless you write perfect code like me ... moving on); those errors can also be captured, giving you a glimpse into any hitch in the code, by using set_error_handler explained later.
Throwing exceptions
Exceptions are different from errors in three main ways:
The code that handles them may be far removed from the place where they are thrown from. The variable state at the origin must be explicitly passed to the Exception constructor, otherwise you only have the stack trace.
The code between the exception and the catch is skipped entirely, whereas after an error occurs (and it was not fatal) the code still continues.
They can be extended from the main Exception class; this allows you to catch and handle specific exceptions but let others bubble down the stack until they're caught by other code. See also: http://www.php.net/manual/en/language.exceptions.php
An example of throwing exceptions is given later on.
Handling errors
Capturing and handling errors is pretty straightforward by registering an error handler, e.g.:
function my_error_handler($errno, $errstr, $errfile = 'unknown', $errline = 0, array $errcontext = array())
{
// $errcontext is very powerful, it gives you the variable state at the point of error; this can be a pretty big variable in certain cases, but it may be extremely valuable for debugging
// if error_reporting() returns 0, it means the error control operator was used (#)
printf("%s [%d] occurred in %s:%d\n%s\n", $errstr, $errno, $errfile, $errline, print_r($errcontext, true));
// if necessary, you can retrieve the stack trace that led up to the error by calling debug_backtrace()
// if you return false here, the standard PHP error reporting is performed
}
set_error_handler('my_error_handler');
For kicks, you can turn all the errors into an ErrorException as well by registering the following error handler (PHP >= 5.1):
function exception_error_handler($errno, $errstr, $errfile, $errline)
{
throw new ErrorException($errstr, $errno, 0, $errfile, $errline);
}
set_error_handler("exception_error_handler");
Handling exceptions
In most cases you handle exceptions as close as possible to the code that caused it to allow for backup plans. For instance, you attempt to insert a database record and a primary key constraint exception is thrown; you can recover by updating the record instead (contrived as most databases can handle this by themselves). Some exceptions just can't be handled locally, so you want those to cascade down. Example:
function insertRecord($user, $name)
{
try {
if (true) {
throw new Exception('This exception should not be handled here');
}
// this code is not executed
$this->db->insert('users', array('uid' => $user, 'name' => $name));
} catch (PDOException $e) {
// attempt to fix; an exception thrown here will cascade down
throw $e; // rethrow exception
// since PHP 5.3.0 you can also nest exceptions
throw new Exception("Could not insert '$name'", -1, $e);
} catch (WhatEverException $e) {
// guess what, we can handle whatever too
}
}
The slippery exception
So what happens when you don't catch an exception anywhere? You can catch that too by using set_exception_handler.
function my_exception_handler(Exception $exception)
{
// do your stuff here, just don't throw another exception here
}
set_exception_handler('my_exception_handler');
This is not encouraged unless you have no meaningful way to handle the exception anywhere in your code.
Logging the error / exception
Now that you're handling the error you have to log it somewhere. For my example, I use a project that Apache ported from Java to PHP, called LOG4PHP. There are others, but it illustrates the importance of a flexible logging facility.
It uses the following concepts:
Loggers - named entities that perform logging upon your behalf; they can be specific to a class in your project or shared as a common logger,
Appenders - each log request can be sent to one or more destinations (email, database, text file) based on predefined conditions (such as log level),
Levels - logs are classified from debug messages to fatal errors.
Basic usage to illustrate different message levels:
Logger::getLogger('main')->info('We have lift off');
Logger::getLogger('main')->warn('Rocket is a bit hot');
Logger::getLogger('main')->error('Houston, we have a problem');
Using these concepts you can model a pretty powerful logging facility; for example, without changing above code, you can implement the following setup:
Collect all debug messages in a database for developers to look at; you might disable this on the production server,
Collect warnings into a daily file that you might email at the end of the day,
Have immediate emails sent on fatal errors.
Define it, then use it :)
define('ERRORLOG_PATH', '/var/tmp/my-errors.log');
error_log($e->getMessage(), 3, ERRORLOG_PATH);
Alternatively just make the third parameter of error_log optional, defaulting it to the path you want.
As an addition, for error logging (and in fact all logging) I would use event dispatcher, in a way that symfony framework does.
Take a look at this sf component (its very lightweight dependency, entire framework is not required, there are maybe 3 relevant php classes and 2 interfaces)
https://github.com/symfony/EventDispatcher
this way you can create dispatcher somewhere in your application bootstrap:
use Symfony\Component\EventDispatcher\EventDispatcher;
use Symfony\Component\EventDispatcher\Event;
$dispatcher = new EventDispatcher();
//register listeners
$dispatcher->addListener('application.log', function (Event $event) {
//do anything you want
});
Then you can raise an event in any place of your code by something like
$dispatcher->dispatch(new GenericEvent('application.log', array('message' => 'some log', 'priority' => 'high'));
Of course you can subclass event class with your own events:
class LogEvent extends GenericEvent {
public function __construct($message, $priority = 'INFO') {
parent::__construct('application.log', array('message'=>$message,'priority'=>$priority));
}
public function getMessage() { return $this->getArgument('message'); }
public function getPriority() { return $this->getArgument('priority'); }
}
// now raising LogEvent is much cleaner:
$dispatcher->dispatch(new LogEvent('some log'));
This will also allow you to create more customized events like ExceptionEvent
class ExceptionEvent extends GenericEvent {
public function __construct(Exception $cause) {
parent::__construct('exception.event', array('cause' => $cause));
}
}
And handle them accordingly.
Advantages
you separate logging logic from your application
you can easily add and remove loggers in runtime
you can easily register as many loggers you want (i.e. DebugLogger which logs everything into text file, ErrorLogger which logs only errors to error_log, CriticalLogger which logs only critical errors on production environment and sends them by email to administrator, etc.)
you can use event dispatcher for more things than just logging (in fact for every job for which observer pattern is appropriate)
actual logger becomes nothing more than 'implementation detail' - it's so easy to replace that it doesn't matter where your logs go - you will be able to replace log destination at any time without having to refactor names of your methods, or changing anything in code.
it will be easy to implement complex log routing logic or globally change log format (by configuring loggers)
everything becomes even more flexible if you use dependency injection for both listeners (loggers) and dispatcher (into classes that notifies log event)
Actual Logging
As someone already stated, I would advice to go with out-of-the-box library, like mentioned Monolog, Zend_Log or log4php, there is probably no reason to code these things by hand (and the last thing you want is broken error logger!)
PS: Treat code snippets as pseudo-code, I didn't test them. Details can be found in docs of mentioned libraries.
If you still need a custom way of handling logs (i.e. you don't want to use standard trigger_error()), I'd recommend looking at Zend_Log (http://framework.zend.com/manual/en/zend.log.overview.html) for these reasons:
this can be used as a standalone component, ZF is not a full-stack framework. You may copy only Zend_Loader and Zend_Log namespaces , instantiate Zend_Loader and use it. See below:
require_once('Zend/Loader/Autoloader.php');
$loader = Zend_Loader_Autoloader::getInstance();
$logger = new Zend_Log();
$writer = new Zend_Log_Writer_Stream('php://output');
$logger->addWriter($writer);
$logger->log('Informational message', Zend_Log::INFO);
You were offered many logging libraries, but I believe that Zend team (founders of PHP lang) know what they do
You may use any writers (database, STDOUT - see above, file, whatever, you may customize it to write your own to post log messages to a web service even)
log levels
may change log format (but the one that is out-of-box is great to my mind). The above example with standard formatter will produce something like this:
2012-05-07T23:57:23+03:00 INFO (6): Informational message
just read the reference, it may be configured to catch php errors
If the PHP way of handling errors is not flexible enough for you (e.g. sometimes you want to log to database, sometimes to file, sometimes whatever else), you need to use / create a custom PHP logging framework.
You can browse through the discussion in https://stackoverflow.com/questions/341154/php-logging-framework or just go and give the top choice, KLogger, a try. I am not sure, though, if it supports custom destinations for logging. But at the very least, it's a small and easy-to-read class and you should be able to extend it further for your own needs.
I'd go with Tom vand der Woerdt's logging solution, simplest and most effective for your requirements.
As for the other question:
You do not need to catch / rethrow the exception inside the function unless there is a specific kind of exception you have a solution for.
Somewhat simplistic example:
define('ERRORLOG_PATH', '/var/tmp/my-errors.log');
function do_something($in)
{
if (is_good($in))
{
try {
return get_data($in);
} catch (NoDataException $e) {
// Since it's not too big a deal that nothing
// was found, we just return false.
return false;
}
} else {
throw new InvalidArguementException('$in is not good');
}
}
function get_data($data)
{
if (!is_int($data))
{
InvalidArguementException('No');
}
$get = //do some getting.
if (!$get)
{
throw new NoDataException('No data was found.');
} else {
return $get;
}
}
try {
do_something('value');
} catch (Exception $e) {
error_log($e->getMessage(), 3, ERRORLOG_PATH);
die ('Something went wrong :(');
}
Here you'd only catch the NoDataException because you have some other logic to sort that out, all other errors fall though to the first catch and are handled by the top catch because all thrown exceptions must at some point in their hierarchy inherit from Exception.
Obviously if you throw an Exception again (outside the initial try {} or in the top catch {}) your script will exit with an Uncaught Exception error and error logging is lost.
If you wanted to go all the way, you could also implement a custom error handling function using set_error_handler() and put your logging in there too.
There are two challenges to meet. The first is to be flexible in logging to different channels. In this case you should take a look at for example Monolog.
The second challenge is to weave in that logging into your application. Imho the best case is no to use logging explicitly. Here for example aspect orientation comes in handy. A good sample is flow3.
But this is more a bird's eye view on the problem...
I use my own function which allows me to write multiple types of log files by setting or changing the second parameter.
I get past the conceptual questions you are asking about "what is the right way" to do it, by including the log function in a library of functions that I consider "native" to my development projects.
That way I can consider those functions to be just part of "MY" php core, like date() or time()
In this basic version of dlog, I also handle arrays. while I originally used this to log errors, I ended up using it for other 'quick and dirty' short term tracking such as logging the times that the code entered a certain section, and user logins, etc.
function dlog($message,$type="php-dlog")
{
if(!is_array($message) )
$message=trim($message);
error_log(date("m/d/Y h:i:s").":".print_r($message,true)."\n",3, "/data/web/logs/$_SERVER[HTTP_HOST]-$type.log");
}
Most error loggers and exception loggers are useless to most people because they haven't got access to the log files.
I prefer to use a custom error handler and a custom exception handler and have those, during production, log errors directly to the database if the system is running on a database.
During development, when display_errors are set, they log nothing as all errors gets raised in the browser.
And as a side note to that: Don't make your custom error handler throw exceptions! It's a really bad idea. It can cause bugs in the buffer handler and in some of the extensions. Also some core PHP functions like fopen() causes a warning or notice on failure, these should be dealt with accordingly and should not halt the application has an exception would do.
The mention of having the error handler throwing exceptions in the PHP documentation is a note bug.
As KNL states, which is quite right, but unfortunately as of yet undocumented, having errors throwing exceptions is not something recommended by the PHP developers and someone made a mistake in the documentation. It can indeed cause bugs with many extensions so don't do it.
This has already been debated on #PHP on irc.
The "However, errors can be simply translated to exceptions with ErrorException." on http://php.net/manual/en/language.exceptions.php is going to be removed.
For example, if we try to get to some api but fail, or try to connect to our database but also fail.
There are several ways to deal with this:
Bubble the error into your server log file
Write the error to a text file
Store the errors in a database table
You can user PHP Error Handling. See set_error_handler
php error handling is tricky, and there are many points to take into account. In php, we have 3 types of errors:
Fatal errors, like calling an undefined function. There's not much you can do about them. At least, set display_errors=0, log_errors=1 in php.ini, so that they won't be displayed. Better yet, write a petition on bugs.php.net and demand eliminating fatals altogether. Fatal errors are such a shame!
"Normal" warnings and notices. The best is to convert them into exceptions, see example #1
Exceptions - the funny part. You can catch them in your code when appropriate + install a generic exception handler as a last chance option to log the error and tell users that something wrong is happened.
There is a default function of PHP to log errors; error_log
Example from PHP.net:
<?php
// Send notification through the server log if we can not
// connect to the database.
if (!Ora_Logon($username, $password)) {
error_log("Oracle database not available!", 0);
}
// Notify administrator by email if we run out of FOO
if (!($foo = allocate_new_foo())) {
error_log("Big trouble, we're all out of FOOs!", 1,
"operator#example.com");
}
// another way to call error_log():
error_log("You messed up!", 3, "/var/tmp/my-errors.log");
?>
Be aware of extensive logging. Especially on productive Systems.
If you just try to handle programming errors, first you should raise a debug mode flag in your code. strict php handling is also very helpful. (set in php.ini or by your apache vhost settings).
dont try browser/screen debugging. as mentioned in other postings. set diplay_errors=0 and log_errors=1 in your php ini (or set it by your apache vhost settings)
then open a console window and do: tail -f
on your php_error.log (path is set in php.ini or by apache vhost settings)
if you use a framework. use the framework debugging tools (cake)
if you have your own framework/or just code. You probably should write an own exception handler class with debug capabilities.
example:
class MyFactory{
public static function getLogger(){
return new MyLogger();
}
}
class ExampleExceptionWithLogging extends Exception{
public __construct ($message=''){
MyFactory::getLogger()->exception($message,$this->getTrace());
}
}
class MyLogger{
/**
* #var string $logfile
**/
protected $logFile = '/var/log/php_error.log';
/**
* #param string $message
* #param array $stackTrace
**/
public function exception($message,$stackTrace){
$prefix = '[EXCEPTION] ';
$this->writeOut($prefix.$message.' '.print_r($stackTrace,TRUE));
}
/**
* writes $value to given Logfile.
* #param string $value
* #param string|NULL $logFile FileName with full path
*/
protected function writeOut($value,$logFile = NULL){
if(is_null($logFile)){
$logFile = $this->logFile;
}
error_log($value,3,$logFile);
}
}
Usage:
throw new ExampleExceptionWithLogging('Sample Message');
There are 3 issues here:
redirecting the program flow to the error handling
Capturing information relevant to resolving the error
Making that information available to the relevant parties
As others have said, (1) can be dealt with using set_error_handler(), note that you can instantiate your own customer errors within your code, e.g.
if (!$_SESSION['authenticated_user']) {
$login="<a href='/login.php'>login</a>";
trigger_error("Not authorized please $login", E_USER_WARNING);
}
The established practice for capturing information is the stack trace - and this is indeed available in PHP, however this is a static snapshot of the state of the PHP code at the point the error occurred - if you've tested your code properly, then the fault likely has nothing to do with your PHP code. Its a good indicator of where you should try to fix your code, but not a good indicator of what you need to fix. The stacktrace is still a useful tool, but it was often the only tool for programs which were running for any length of time, other than recording detailled logs of what the program did in the run up to the error. As well as an obvious performance hit, wading through several megabytes of logfiles looking for an error can be like looking for a needle in a haystack. However since PHP programs usually just generate a web page the exit, this presents the opportunity to accumulate the detailled log of events in a PHP variable, then you can choose to write the variable to a file only once an error occurs.
Like most things about programming, there is a trade-off here - if an error has happenned that you didn't expect/ plan for, how do you know that you're error handling is going to work?
In terms of making the data available, you probably should not record it in a database - chances are your program may have failed because the database isn't working properly - error handling must be very, very robust. Dumping it into a uniquely named file is a good approach which avoids the file contention problems you'd have with appending to a consolidated log file. Or use the syslog facility. You might even email a copy of the error out (but again this is relying on another complex subsystem).
HTH
C.