Best way to suppress php errors on production servers - php

What is the best method of hiding php errors from being displayed on the browser?
Would it be to use the following:
ini_set("display_errors", 1);
Any best practice tips would be appreciated as well!
I am logging the errors, I just want to make sure that setting the display_errors value to off (or 0) will not prevent errors from being logged.

The best way is to log your errors instead of displaying or ignoring them.
This example will log the errors to syslog instead of displaying them in the browser.
ini_set("display_errors", 0);
ini_set("log_errors", 1);
//Define where do you want the log to go, syslog or a file of your liking with
ini_set("error_log", "syslog"); // or ini_set("error_log", "/path/to/syslog/file");

Assuming you are in control of the php.ini file, you can make these changes globally inside that file instead of having the ini_set code laying around in all your php files (which you might forget to put in one of your files one day, which could be bad in production).

You can also use apache .htaccess to log errors without touching your code:
<IfModule mod_php5.c>
php_flag display_errors Off
php_flag log_errors On
php_value error_log logs/errors
</IfModule>

set an environment variable on your development machine. then you can check your environment in the beginning of your code to make sure you are on the development environment.
then you can set the error reporting level of PHP, by using the error_reporting() function.
if ( isset($_ENV['MY_APP_MODE']) && ($_ENV['MY_APP_MODE'] == 'devel') ) {
error_reporting(E_ALL);
} else {
error_reporting(0);
}

The accepted answer did not work at all for me on PHP 7.1.
This works as expected on production, logging errors to the supplied file and not displaying them to the user:
ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');
ini_set("error_log", "/absolute/path/to/my/error_log");

The PHP distribution files unfortunately sends a mixed message about handling error messages. The default php.ini file has some settings suitable for production servers and others better for development servers. You should turn all errors on in dev (error_reporting = E_ALL and display_errors = On), and off in prod (display_errors = off but point log_errors somewhere). However, do your best to make sure there are no errors (or they're handled).

The best way? Fix the errors!
If you need a quick temporary solution then it's OK to turn display_errors off, but make sure you're logging them somewhere, because that setting will make serious/parse errors silent otherwise.

Related

Can't change display_errors value

I can't turn off display errors for my website. I use ISP Manager control panel. It is Off in all php.ini files and settings. But still warnings and notices are showing. Even using ini_set() right in the script doesn't work. Can you help me with this?
<?php
ini_set('display_errors', 0);
phpinfo(); // display_errors is still On On
ini_get('display_errors'); // returns 'stderr'
If I understood correctly, something like:
var_dump(ini_set('display_errors', 0));
… produces:
bool(false)
I can think of two ways to intentionally prevent display_errors from being changed:
Disabling ini_set() altogether in system-wide INI file, which produces different symptoms:
Warning: ini_set() has been disabled for security reasons
NULL
This can be checked anyway:
var_dump(ini_get('disable_functions'));
Hard-coding display_errors in Apache settings using php_admin_flag, which only applies if PHP runs as Apache module but effectively produces a boolean false.
I believe we're in #2. You may want to check whether PHP runs as Apache module; I'm not aware though of any way to verify by yourself if php_admin_flag is being used. If that's the case, I reckon you're out of luck:
php_admin_flag name on|off
Used to set a boolean configuration directive. This can not be used in
.htaccess files. Any directive type set with php_admin_flag can
not be overridden by .htaccess or ini_set().
If you're in control of Apache settings this is something you can easily fix. Otherwise, I suggest you ask hosting support about this. IMHO, it isn't reasonable to enable display_errors in a production server, let alone force it:
; This directive controls whether or not and where PHP will output errors,
; notices and warnings too. Error output is very useful during development, but
; it could be very dangerous in production environments. Depending on the code
; which is triggering the error, sensitive information could potentially leak
; out of your application such as database usernames and passwords or worse.
; For production environments, we recommend logging errors rather than
; sending them to STDOUT.
; Possible Values:
; Off = Do not display any errors
; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
; On or stdout = Display errors to STDOUT
; Default Value: On
; Development Value: On
; Production Value: Off
; http://php.net/display-errors
Overview
There are a few different types of error reporting function in PHP. Luckily we have a decent explanation of these in the PHP docs here.
I typically use the three in the examples below. Let's walk through those.
Breakdown Docs
This function sets the error reporting level.
error_reporting()
The error_reporting() function sets the error_reporting directive at
runtime. PHP has many levels of errors, using this function sets that
level for the duration (runtime) of your script. If the optional level
is not set, error_reporting() will just return the current error
reporting level.
This first function takes a parameter of an integer or a named constant. The named constant is recommended in case future version of PHP release new error levels. That way you will always know what to expect after upgrading to a newer version of PHP.
This next mode decides if errors will be printed to the screen or not.
ini_set('display_errors', 1)
This determines whether errors should be printed to the screen as part
of the output or if they should be hidden from the user.
The last one handles errors that happen during PHP's startup sequence. When you turn display_errors on it does not handle errors that occur in the startup sequence. This is partially the reason why a lot of times people do not understand why they are not seeing errors even though they have turned error reporting on.
Even when display_errors is on, errors that occur during PHP's startup
sequence are not displayed. It's strongly recommended to keep
display_startup_errors off, except for debugging.
This will tell the app to log errors to the server.
ini_set('log_errors', 1);
Tells whether script error messages should be logged to the server's
error log or error_log. This option is thus server-specific.
Example
To turn off error reporting in a file try this,
ini_set('display_errors', 0);
ini_set('display_startup_errors', 0);
error_reporting(0);
To turn on error reporting in a file try this,
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
Answer
If you want to log errors but do not want them to show up on the screen then you would need to do this,
ini_set('display_errors', 0);
ini_set('display_startup_errors', 0);
error_reporting(E_ALL);
Or try,
ini_set('display_errors', 0);
ini_set('display_startup_errors', 0);
ini_set("log_errors", 1);
error_reporting(E_ALL);

What's the purpose of ini_set() in php? (especially for error reporting)

Ok so PHP has the function ini_set() which a lot of people are aware of and will use to set various configuration options (here) to help with development etc. However, this function does only seem to work at runtime and will not work if there are any fatal errors or the script has syntax errors and can't be parsed / compiled.
Therefore surely there is no point of doing this (from the manual):
http://php.net/manual/en/function.ini-set.php
Examples
Example #1 Setting an ini option
<?php
echo ini_get('display_errors');
if (!ini_get('display_errors')) {
ini_set('display_errors', '1');
}
echo ini_get('display_errors');
?>
I don't know if I'm just missing something and my php.ini isn't configured correctly, but a lot of the time I get no errors. For beginners / juniors there will no doubt be a lot of syntax errors (missing semi-colons, closing brackets etc), and said juniors would search for how to turn on errors, assume the above manual entry is correct, yet when re-running their script, alas, they get no errors as the script cannot be parsed / compiled in the first place.
I know you can set display_errors = On in the php.ini file and restart your web server to show all errors to the screen (using this in a development environment, definitely not live), but wouldn't it be better just to remove the function and only configure the php.ini file for different error levels?
Update:
I know ini_set isn't just for displaying errors, but code can't be very manageable if you're calling ini_set in certain scripts / functions / files and wouldn't it make more sense to use the php.ini for something like that?
Update
So the ini file can be used to set global configuration options, surely you'd use this for security or optimisation, however developers could still use ini_set to override some of these options at runtime which may not be desirable
In summary (#Hanky웃Panky):
Why do I have the option of displaying errors when some trivial syntax errors will still not display?
yes, you are right that its better just to remove the function and only configure the php.ini file for different error levels.
But, this is good only that case when you have only one project in your machine, So, its all configuration setting you can do in php.ini
Consider, the case if you have multiple project setup. if you don't want some settings in that project still it will get from php.ini
So, it is suggested for some configuration settings you just set them at project level with ini_set() and will not reflect other projects.
string ini_set ( string $varname , string $newvalue );
The Purpose of ini_set is to set the value of the given configuration option.
This newvalue is kept by the configuration option during the script execution and restored at the scripts ending.
Example for setting an ini option
<?php
echo ini_get('display_errors');
if (!ini_get('display_errors')) {
ini_set('display_errors', '1');
}
echo ini_get('display_errors');
?>
string ini_set ( string $varname , string $newvalue )
Basically ini_set() sets the value of the given configuration option. The configuration option will keep this new value during the script's execution, and will be restored at the script's ending.
for all the variables which you can configure during the script run. please go through the below link.
Another settings can be configured at runtime using the the ini_set() function:
memory_limit and max_execution_time
(From ZCE test part about PHP Basics).
ini_set — Sets the value of a configuration option. Sets the value of the given configuration option. The configuration option will keep this new value during the script's execution, and will be restored at the script's ending, without ini_set(), values from php.ini file will be used.
EDIT:
You may find this helpful:
// Turn off all error reporting
error_reporting(0);
// Report simple running errors
error_reporting(E_ERROR | E_WARNING | E_PARSE);
// Reporting E_NOTICE can be good too (to report uninitialized
// variables or catch variable name misspellings ...)
error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);
// Report all errors except E_NOTICE
error_reporting(E_ALL & ~E_NOTICE);
// Report all PHP errors (see changelog)
error_reporting(E_ALL);
// Report all PHP errors
error_reporting(-1);
// Same as error_reporting(E_ALL);
ini_set('error_reporting', E_ALL);

I can't disable PHP errors

So what's going on is I tried
ini_set('display_errors', 'Off');
error_reporting(0);
Right below <?php, but this didn't seem to stop displaying them. So I went to the php.ini and went to display_errors and saw that it was set to Off. But it still showed.
So I went and did phpinfo() and display_errors along with display_startup_errors are both off. Also html_errors is off. I'm not sure if this will help, but it says error_reporting is set to -10241. Any ideas?
Do not change the value of error reporting to solve the issue. If display_errors is off, errors are not display independently of the error_reporting setting. This way you will not display errors but you can still log them.
The following should work:
ini_set('display_errors', 'Off');
If it doesn't work it could be that your server configuration does not allow you to change settings from PHP scripts. ini_set() returns FALSE on failure. So first of all you should check what value that call is returning. Make sure that ini_set is not listed among disabled PHP functions (disable_functions in php.ini).
If you are asking yourself why errors are still being displayed even if in php.ini the display_errors is Off, you can check the actual value of display_errors during the script execution:
ini_get('display_errors')
Pemember that PHP settings could be changed also in Apache host configuration and in .htaccess files. So check if you have an htacces that enables display_errors. Something like this:
php_flag display_errors on
Try to use:
ini_set('display_errors', 0);
ini_set('display_errors', false);
You don't describe what the errors are, so it's possible that your web server (Apache, nginx, etc) are what's throwing the error and not PHP.
If it is PHP, ensure that you're editing the correct php.ini as identified in your phpinfo.php. Remember that if you edit the php.ini, you will need to restart your PHP process (for example, on some *nix systems: service php-fpm restart. Your exact command may vary.)
If it's off in your php.ini, my guess is that it's being overridden somewhere else -- either later in the script ('grep "ini_set" /path/to/project/*.php' will find it). Also, the PHP Manual states that if the script has fatal errors, it doesn't apply if there are fatal errors:
Although display_errors may be set at runtime (with ini_set()), it
won't have any effect if the script has fatal errors. This is because
the desired runtime action does not get executed.

PHP errors make page inaccessible

Every time I have an error within my code and try to run it, the page becomes inaccessible. This is clearly very frustrating as it's hard debugging code with no feedback.
Relevant information from cPanel:
Apache version 2.2.22
PHP version 5.3.14
MySQL version 5.1.68-cll
Architecture x86_64
Operating system linux
If more information is required then please ask, I'm sorry I cannot provide any more information but frankly I am stumped.
Thanks.
Enable error reporting to see what error PHP had, if it had one.
There are several places you can look, firstly try checking your Apache error log. In many cases this is located in /var/log/apache2/error.log . Another way to debug a page like this is to enable error logging.
The simplest way of doing this being adding these lines to your php file:
ini_set('display_errors',1);
error_reporting(E_ALL);
In addition to this, you can also clean up the errors formatting by adding:
ini_set('html_errors', 'On');
In addition to this method of enabling error reporting, you may also enable them from you configuration file by adding the following line:
error_reporting = E_ALL
You need to update your php.ini to display errors. There are a couple settings.
Search your php.ini for display_errors and error_reporting. The file is usually commented very well on the options for error reporting, but error_reporting = E_ALL is a typical setting. Sometimes people want to suppress notices and set error_reporting to E_ALL & ~E_NOTICE.
display_errors = On is the config to print the errors to the screen.
After changing your php.ini, Apache usually needs to be restarted. I'm not sure how much control you have over your server, so if you can't restart Apache but you have a php.ini available, your host probably has it configured so you don't need to restart.

On the fly error reporting in PHP

When our site used to be on IIS hosting with PHP installed, I had error reporting set to E_NONE and was able to turn it on temporarily by using:
ini_set('display_errors', 1);
That command seems to no longer work now that we are on Linux/Apache hosting. I have tried purposely sending bad commands to the server and I get no errors reported.
What am I doing wrong? Is there any other way to temporarily turn on error reporting without having to edit the php.ini each time?
You can change error reporting to E_ALL using the following line:
error_reporting(E_ALL);
Try adding that to the file.
The best way to turn on all errors is:
error_reporting( -1 );
This is better than E_ALL, as E_ALL doesn't actually mean all errors in all versions of PHP (it only does in the most recent). -1 is the only way to ensure it's on in all cases.
I just had to do this in one of my scripts. DOMDocument warnings were killing my logs. So, here's what you do:
// First, grab a copy of the current error_reporting level
// while setting the new level, I set it to zero because I wanted
// it off - but you could easily turn it on here
$erlevel = error_reporting(0);
// Then, do stuff that generates errors/warnings
// Finally, set the reporting level to it's previous value
error_reporting($erlevel);

Categories