Is it considered bad practice to let die() live in a production enviroment? Just happened to read this article http://www.phpfreaks.com/blog/or-die-must-die where the author fies upon people who use such a thing in a production enviroment. So shouldn't I code this way:
$connection = mysql_connect($db_host, $db_username, $db_password);
if (!$connection){
die ("Could not connect to the database.");
}
How do you code?
You don't die everytime you make a mistake, do you. Why should your application do?
the correct way is to intercept errors and process them in a context-dependent fashion, for example
try {
application goes here
$conn = mysql_connect(...)
if(!$conn)
throw ....
....
} catch(Exception $err) {
if(PRODUCTION) {
log error
say something nice
}
if(DEBUG) {
var_dump($err);
}
}
die() is a very rough statement... Useful (quite) in developer stage, i found it wrong in production stage.
You should analyze, monitor and log fatal errors, and displaying adequate messages like "It's impossible to connect to the server, please try in few minutes or write to admin#yourhost.com to notify the problem"!
Well in a productive enivornment, you should never expose any errors/information about the system to the outside world.
Important is, to log all errors. If you are talking about a website, I would send an HTTP status 500 as response.
Related
i hope someone can help me, ive been struggling on this for 3 days now.
here is my situation, i am making a website with php, and i have 2 computers as servers with wampserver...
main server is 192.168.0.10
secondary server is 192.168.0.12
and a virtual machine where im trying out if the remote conection works
my website is hosted on my main server so the conexion query is...
$conexion = mysqli_connect("localhost","root","","dbdaq");
it works fine, i even have master to master replication on the servers.
but what i need to do is that when main server is down it needs to try to conect to the database on the seondary database, so im trying to use the code...
$conexion = mysqli_connect("localhost","root","","dbdaq");
if (!$conexion){
$conexion = mysqli_connect("192.168.0.12","root","password","dbdaq");
}
but when i manually turn of the mysql services on main server it doesnt actually try to use the other servers database...
it keeps giving me the error that says
Warning: mysqli_connect(): (HY000/2002): No connection could be made because the target machine actively refused it. in C:\wamp64\www\PaginaV2\Pagina\PHP y JS\Procesoalumno.php on line 2
Using # to suppress error messages is a bad idea, and a bad practice. A better solution is to set mysqli to throw exceptions on failure, and catch the exception.
You can set mysqli to throw exceptions by adding the following line before you make your connection(s).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
Using exceptions over suppressing the error, you can extract the relevant error-message and error-code if you need them for specific handling or logging, in a much cleaner way than you can with suppressing the errors.
Though it might look like its more complex, the reason for this is that we also test the second connection (which you should do anyways, regardless how you do it) - and we test the second connection the same way we test the first connection, by a second try/catch inside the first catch block.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors in MySQLi now throws exceptions
try {
$conexion = mysqli_connect("localhost","root","","dbdaq");
} catch (Exception $e) {
try {
$conexion = mysqli_connect("192.168.0.12","root","password","dbdaq");
} catch (Exception $e) {
echo "Connecting to both databases failed";
exit;
}
}
Try this: use php's # operator (the error control operator) to suppress the error message from the first connection failure. Try this.
$conexion = #mysqli_connect("localhost","root","","dbdaq");
if ( !$conexion ) {
$conexion = mysqli_connect("192.168.0.12","root","password","dbdaq");
}
It seems likely your code for the failover connection works correctly, but you still get an obnoxious error message. The # operator suppresses the message.
I have the following scenario:
I have a script that conencts to a remote database, and all works good unless the remote database is offline or the server is offline.
If database/server goes offline, the script uses long time to execute, what would be the best way to check if db connection was successfull before executing the SQL?
class remote_db{
public $db;
public function __construct(){
$this->db = new mysqli("127.0.0.1","usr","pw","database");
$this->db->set_charset("utf8");
}
}
$remote_db = new remote_db();
if($remote_db){ echo 'hello world';}
I suppose I finally managed to get what you mean under "crashing".
It seems your code structure is spaghetti, where HTML is intermixed with database stuff, and so on error it shows an incomplete, torn out design.
To prevent this, you have to structure your PHP application properly.
First of all, never output a single byte if not all database operations are not finished. To do so, split your PHP page into two parts: one is for the database interaction, that will collect all the data required to display; and another part, consists of HTML mostly, that is used to display the data.
After doing that, you will be able to show a dedicated error page, if error occurs during database stage.
Keep in mind that catching every single possible error is mission either highly inefficient and at the same time impossible: you simply cannot foresee and handle every error that may happen.
Instead, just make a simple code that will show a generalized error page in case of any error. To do so, setup an error handler like this (the code is taken from my article The (im)proper use of try..catch):
set_error_handler("myErrorHandler");
function myErrorHandler($errno, $errstr, $errfile, $errline)
{
error_log("$errstr in $errfile:$errline");
header('HTTP/1.1 500 Internal Server Error', TRUE, 500);
echo "Server error. Please try again later");
exit;
}
There's no reason to check if it's online or not before running a query, since between the time you check, and the time you run the query, it might have gone offline. So simply run the query, and check for error afterwards, as you would normally do:
$r = $db->query('...');
if ($r === false) throw new Exception('error running query');
Also check for errors when you create the connection:
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'my_db');
if ($mysqli->connect_error) {
die('Connect Error (' . $mysqli->connect_errno . ') '
. $mysqli->connect_error);
}
You can also change the timeout property to reduce the waiting time:
$db->options(MYSQLI_OPT_CONNECT_TIMEOUT, 5); // Wait for 5 seconds max
I have some code that allows a user to input details for their database on their server. After they submit the details, the code checks a connection to the database to see if valid details were entered. I want it to give outcomes of variables being true if the connection either works or does, like this:
$mysqli = new mysqli($_POST['dbHost'],$_POST['dbUser'],$_POST['dbPassword'],$_POST['dbName']);
if ($mysqli->connect_errno) { $badDetails = true; }
else { goodDetails = true; }
Problem is, if the details are indeed incorrect, it shows a PHP warning from the first line of the code above giving 'Unknown MySQL server host'.
What is the way around this? I don't want PHP throwing it's own visible error for this, I want to deal with the error myself.
You should not worry about visual errors. In a production environment, these should be turned off in the ini, and all errors should go to a log on the server instead of just to the screen.
This is configured with the display_errors setting and error_reporting()
Many frameworks override the PHP error handler with a custom implementation to display error in a pretty way, depending on their severity.
To achieve this, you can override the PHP error handler
As seen in the manual one can register custom handlers for regular errors and exceptions. And it is also possible to trigger an user defined error.
Just use a die()
$mysqli = new mysqli($_POST['dbHost'],$_POST['dbUser'],$_POST['dbPassword'],$_POST['dbName']) or die("Database Connection Failed");
A quick, dirty method would be error supression:
$con = #mysqli_connect( /* info */ );
Note that you should not keep this there, as this will suppress all errors, and mysqli can have multiple errors that you might need to know about.
Though I would check the host variable first, to see why the error is caused. You can also use die.
$con = mysqli_connect(/* info */) or die ("SQL Error!");
As far as where to look, try seeing that the host var is actually set and check it's value:
if (!isset($_POST['dbHost'])) {
echo "Host var not set!";
} else {
echo "Host var set: " . $_POST['dbHost']
}
try{
//PDO CONNECT DB, $db
}catch(PDOException $e){die("ERROR"));}
I have a query user PDO connect to database.
I use try & catch, my question is if my query is error
Do i need to close conncetion before die();?
}catch(PDOException $e){$db="NULL"; die("ERROR"));}
As a matter of fact, you shouldn't die() at all
Until you learn how to use try and catch properly, you shouldn't use this statement. It is not intended for echoing "ERROR". It has totally different purpose.
If you want to echo silly "ERROR" in case of an erroneous query, you have to do it properly.
Namely,
send appropriape HTTP header
log the error to notify a developer of the problem
show whatever error message to the client
have all this stuff done in one place, not repeated for every query
to do this, you have to set up an exception handler:
set_exception_handler('myExceptionHandler');
function myExceptionHandler($e)
{
header('HTTP/1.1 500 Internal Server Error', TRUE, 500);
error_log($e->getMessage().". Trace: ".$e->getTraceAsString());
echo "ERROR";
exit;
}
put this code in your bootstrap/config file and quit wrapping every query into try-catch.
No, it is not necessary in php. When your php process finished, the connection will be closed too.
How would I go about getting PDO statements to generate a safe error message? I don't want the user to see the error message. I want them to get directed to a page that says a clean message, "Whoops something unexpected happened!". I would also like to log the errors in a database to review and catch errors others are generating.
I'm using PHP and MySQL.
I found that when you make your connection you can set your error handling like this.
$dbh = new PDO($dsn, $user, $password);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
Anyone do anything like this before?
So this is just a suggestion as I have never tried this but after thinking about it a bit I think it would be an interesting option to explore. As I am fairly new to PHP & PDO I'm sure there are other and better ways.
Perhaps you could try using the try function of PHP and then instead of echo'ing (if failed) the PDOException you could run another function that prints it to a text file. Something like.
<?php
try {
$dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
foreach($dbh->query('SELECT * from FOO') as $row) {
print_r($row);
}
$dbh = null;
} catch (PDOException $e) {
$strFileName = 'whatever.txt';
if(!is_writable($strFileName))
die('Change permisions to ' . $strFileName);
$handle = fopen($strFileName, 'a+');
fwrite($handle, "\r" . $e->getMessage() . "\r");
fclose($handle);
}
?>
This way you would avoid a DB connection (which is the problem I guess) but still save the error.
You would perhaps want to omit the echo'd text after die within the if statement.
I think it is better to write your logs to a file, instead of a database. Especially since you want to log PDO errors, which indicate something is wrong with your database connection.
You can show the user a nice error page by catching your errors. You can redirect your users to your error page then, in case something went wrong.
You have to understand that PDO do not generate a "safe" or "unsafe" error message. It does generate an error message. That's all. The rest is is the responsibility of site-wide PHP settings.
PDO is not the only source of errors. Why care of PDO errors only? Why not to handle ALL errors the same way?
Want errors logged? It's a matter of one PHP ini setting.
Want errors not to be displayed? It's a matter of one PHP ini setting.
Want generic error page to be shown? It's a matter of simple function that will handle all errors at once.
Everything can be done proper and straight way, without wrapping every statement into try catch. Without writing into log manually. Without even single additional line of code.
You need to set up PHP error handling, not PDO.
And of course, it makes absolutely no sense in trying to store a database error in the same database that failed you right now. Errors have to go into error log on a live server and on screen - on a local development PC.
Anyone do anything like this before?
Sure. Every single one of 1000000s sites in the world. The way described above.