Now I'm back to using PHP, I realize one of this greatest annoyances that stopped me using it years ago.
Whenever it generates an error, it reveals to the user the ENTIRE PATH to gain access to your account.
This has got to be one of the STUPIDEST, DUMBEST oversigns of the century.
I need a GLOBAL FIX, which will ELIMINATE SHOWING THE PATH ON THE SERVER.
If I cannot get this, I cannot use PHP -- that was my conclusion years ago.
Anyone know how to STOP the PATH portion of the typical PHP error message --
"PHP error in **'my_root/my_account_name
Talk about DUMB, DUMB, DUMB -- stupider than dumb !!!
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
I was hoping to block the PATH ONLY, not the error itself, since they help debug. Are you sure there is no way to substitute something for the path, or eliminate it? So to stop the path showing, I have to issue no die() statments, and I cannot even use something like a 404 redirect??? What an incredible oversight !!!
No, I just said that for production server you hide errors for obvious reasons. I didn't say that because there are some errors that cannot be predicted so you cannot know where to put or die()
For advanced error reporting see "Error Handling and Logging Functions" that way you have ability to do whatever you want with errors... http://www.php.net/manual/
Why would you debug on production server? You should test/debug your application on local server.
cheers
>>This has got to be one of the STUPIDEST, DUMBEST oversigns of the century.
Don't think so; this is somewhat important information for debugging purposes.
What if your application uses 50 other files?
If there's an error, I want to know exactly where it is. I wish errors gave even more detail. :)
To echo what gruntar said, common practice is to turn error reporting off on live environments and just log the errors.
Do you think php is the only web language that does this?
However if you really want to stop this, you can look at set_error_handler()-->http
There's a nice example on the page. Basically you create your own function that will handle errors that are encountered, but some errors can not be handled by it(i.e. parse errors); but many can.
Also, one of the parameters sent to your error handler is of course 'filename'. So instead of echoing the whole filename, you could use:
basename($errfile)
which will only show the file, and none of the path.
Thought it would be obvious here I was talking about final production running -- NOT the initial debuging stages. Two different worlds. Sint4x, so glad you see this too.
Evidently I wasnt' clear enough. I KNOW where my files are, I KNOW exactly what the path is -- I don't need this echoed back to me or advertised to the rest of the world -- THAT is what is dumb. I don't see anything in the two links to just turn off the path.
Perhaps someone would like to just provide a simple statement that turns off the path on ALL errors on a server. That is what I need. The PATH, not the errors.
>> I KNOW where my files are, I KNOW exactly what the path is -- I don't need this
Yes, you do an don't know. Here is example...
test.php
<?php
include('file1.php');
include('file2.php');
include('file3.php');
//some more code here
?>
if you run "test.php" you also run all included files. Now, let say that for some reasons some error occur in included file "file2.php".
Now, if PHP wouldn't reveal the file where error occur You would not have a clue in which file you have a bug. This is the reason why you get all that info PHP gives you. I hope it's a bit clearer now.
cheers
here is your error reporting that don't reveal server path..
test.php
<?php
//error_reporting(E_ALL);
error_reporting(0);
function userErrorHandler($errno, $errmsg, $filename, $linenum, $vars)
{
$errortype = array (
E_ERROR => "Error",
E_WARNING => "Warning",
E_PARSE => "Parsing Error",
E_NOTICE => "Notice",
E_CORE_ERROR => "Core Error",
E_CORE_WARNING => "Core Warning",
E_COMPILE_ERROR => "Compile Error",
E_COMPILE_WARNING => "Compile Warning",
E_USER_ERROR => "User Error",
E_USER_WARNING => "User Warning",
E_USER_NOTICE => "User Notice",
E_STRICT => "Runtime Notice"
);
// set of errors for which a var trace will be saved
$user_errors = array(E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE);
$err = '<br />';
$err .= ' <b>' . $errortype[$errno] . '</b>';
$err .= ' ' . $errmsg;
$err .= ' <b>' . basename($filename) . '</b>';
$err .= ' ' . $linenum;
// echo error without paths..
echo $err;
}
set_error_handler('userErr
echo $dsf
?>
few lines above I have "forgot" to add traling ; so error should like ...
Notice Undefined variable: dsf test.php 45
cheers
Thank you gruntar for all the explanations you have put in -- I DO understand why some PHP coders think you need to display the file path -- but I don't want that information to show at all -- once in production.
Perhaps someone would like to just provide a simple GLOBAL statement that turns off the path on ALL PHP errors on a server. That is what I need. The PATH turned off, not the errors.
If that is impossible, then I would settle for -- ALL errors supressed -- everything.
I cannot live with intermittent PHP and MySQL errors revealing the path to the account on the server.
Repeat, I cannot live with it -- once in production.
Thanks for a brief, working solution -- hopefully juat a 1-2-line statement.
OK, I put all your code in a file called errors.php uploaded it to the server,
Changed the file giving errors to add, at top -- <?php include("errors.php"); ?>
All the errors still show, and I am also getting this additional error --
" Notice Undefined variable: dsf errors.php 50 "
I put the ; after dsf, but notice, it is not defined above.
Also, since this is a function, do I have to call it in every single php action
if ... else die(errors.php) -- or something like that?
That would be too much hassle. I assumed it can replace the standard error handling.
Also, all the warnings on the page are showing the path as well....
you must put this code into that file
<?php
error_reporting(0);
function userErrorHandler($errno, $errmsg, $filename, $linenum, $vars)
{
$errortype = array (
E_ERROR => "Error",
E_WARNING => "Warning",
E_PARSE => "Parsing Error",
E_NOTICE => "Notice",
E_CORE_ERROR => "Core Error",
E_CORE_WARNING => "Core Warning",
E_COMPILE_ERROR => "Compile Error",
E_COMPILE_WARNING => "Compile Warning",
E_USER_ERROR => "User Error",
E_USER_WARNING => "User Warning",
E_USER_NOTICE => "User Notice",
E_STRICT => "Runtime Notice"
);
// set of errors for which a var trace will be saved
$user_errors = array(E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE);
$err = '<br />';
$err .= ' <b>' . $errortype[$errno] . '</b>';
$err .= ' ' . $errmsg;
$err .= ' <b>' . basename($filename) . '</b>';
$err .= ' ' . $linenum;
// echo error without paths..
echo $err;
}
set_error_handler('userErr
?>
gruntar --
I have put your new code into a file called -- errors.php -- in the <BODY> section.
In the top of filename.php I have put --
<?php
include("errors.php");
.......
?>
I am still getting tons of warnings and errors, like --
Warning session_start(): Cannot send session cookie - headers already sent by (output started at /home/path/public_html/fil
Warning session_start(): Cannot send session cache limiter - headers already sent (output started at /home/path/public_html/fil
Warning Cannot modify header information - headers already sent by (output started at /home/path/public_html/fil
Warning end(): Passed variable is not an array or object filename.php 55
Don't worry about the meanings of the errors -- I just want to eliminate them....
Obviously I am not doing something right
I did that, it made no difference.
As I said, your file declares a function -- where do I call this function?
I am not calling any function -- only: include "errors.php" -- in the other file.
Seems to me a function has to be called, unless this replaces PHP's global error reporting.
I am increasing points for all the effort you have put in, but it is still not working.
Something simple, no doubt.
yes gruntar, exactly as you have it. Since I am not a PHP expert, it is probably something real simple. I don't doubt the correctness of your code, I would suspect I am missing something that might be "obvious" to you...
In the other file, I tried --
include("errors.php");
with and without the brackets, made no difference. I even copied your latest code again, and re-upoaded that errors.php to the public_html directory. There is nothing in it but your code.
server stats --
Apache version 1.3.33 (Unix)
MySQL version 4.0.22-standard
PHP version 4.3.10
Sorry for the problem, but I really need to get these errors out of the way, so I can see what I am doing ....
errors.php is EXACTLY your code -- checked it 3 times
otherfile.php is as follows (simplified, to not clutter this question) --
<HTML>
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<META http-equiv="Content-Style-
<TITLE></TITLE>
</HEAD>
<BODY>
....some HTML tables here
<?php
include ("errors.php") ;
session_start();
header("Cache-control: private"); // IE 6 Fix.
if (!session_is_registered('d
// there is a whole bunch more code relating to displaying session information, none relevant to the errors
//because the errors relate to the above code, but they are typical PHP errors (see above). Example code --
echo "<DIV id='" . $key . "'>Description: ". $_SESSION['divs'][$key]['t
?>
.... more HTML tables here
</BODY>
</HTML>
Code should go like this.
Headers must be sent before any output...
<?php
include ("errors.php") ;
session_start();
header("Cache-control: private"); // IE 6 Fix.
if (!session_is_registered('d
?><HTML>
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<META http-equiv="Content-Style-
<TITLE></TITLE>
</HEAD>
<BODY>
If you have problems TRY simple test files first and then add more code to it...
now, i'm off to bed.. its 1:38 here
There's a simpler approach to this. Either set display_errors = off in your php.ini, or say this at the start of each script:
ini_set('display_errors', 0);
It's important to not turn error_reporting off as it will stop you seeing real errors in your log files, but turning their display off will stop making them public. Of course, errors like these should not happening anyway, so you should be more careful with your error checking to stop them occurring in the first place - but I'm sure you know that!
Thank you squinky, that simple statement is what I was looking for all along !!!
I was using error reporting(0) to stop them, so I could move ahead with debugging, and I will change that to your suggestion.
Since yours is the right answer -- but gruntar put in so much effort with his code (that I still could not get to work) -- If it is OK with you both, I will split points evenly.
Thanks again squinky -- check my other posts, could use your help.
Business Accounts
Answer for Membership
by: gruntarPosted on 2005-03-26 at 23:35:34ID: 13638613
You cannot hide only path. When you publish your page add line below to a file that is included at the beggining of all other files.
error_reporting(0);
that will block all kinds of errors except the ones you call with die()...
cheers