Solved

Stop PHP errors revealing path

Posted on 2005-03-26
Last Modified: 2012-06-27
Now I'm back to using PHP, I realize one of its greatest annoyances that stopped me using it years ago.

Whenever it generates an error, it reveals to the user the ENTIRE PATH to gain access to your account.

This has got to be one of the STUPIDEST, DUMBEST oversights of the century.

I need a GLOBAL FIX, which will ELIMINATE SHOWING THE PATH ON THE SERVER.

If I cannot get this, I cannot use PHP -- that was my conclusion years ago.

Anyone know how to STOP the PATH portion of the typical PHP error message --

"PHP error in **'my_root/my_account_name/here_hackers/come_hack_my_server/steal_my_account'**"

Talk about DUMB, DUMB, DUMB -- stupider than dumb !!!
Question by:sciwriter
27 Comments
 
LVL 9

Expert Comment

by:gruntar
ID: 13638613
You cannot hide only path. When you publish your page add line below to a file that is included at the beginning of all other files.

error_reporting(0);

that will block all kinds of errors except the ones you call with die()...

cheers
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13638624
I was hoping to block the PATH ONLY, not the error itself, since they help debug.  Are you sure there is no way to substitute something for the path, or eliminate it?  So to stop the path showing, I have to issue no die() statements, and I cannot even use something like a 404 redirect???  What an incredible oversight !!!
0
 
LVL 9

Expert Comment

by:gruntar
ID: 13638671
No, I just said that for production server you hide errors for obvious reasons. I didn't say that because there are some errors that cannot be predicted so you cannot know where to put or die()

For advanced error reporting see "Error Handling and Logging Functions" that way you have ability to do whatever you want with errors... http://www.php.net/manual/en/ref.errorfunc.php 

Why would you debug on production server? You should test/debug your application on local server.

cheers
0
 
LVL 11

Expert Comment

by:matt_mcswain
ID: 13638764
>>This has got to be one of the STUPIDEST, DUMBEST oversights of the century.

Don't think so; this is somewhat important information for debugging purposes.
What if your application uses 50 other files?
If there's an error, I want to know exactly where it is. I wish errors gave even more detail. :)
To echo what gruntar said, common practice is to turn error reporting off on live environments and just log the errors.
Do you think php is the only web language that does this?

However if you really want to stop this, you can look at set_error_handler()-->http://us2.php.net/set_error_handler
There's a nice example on the page. Basically you create your own function that will handle errors that are encountered, but some errors can not be handled by it(i.e. parse errors); but many can.
Also, one of the parameters sent to your error handler is of course 'filename'. So instead of echoing the whole filename, you could use:

basename($errfile)

which will only show the file, and none of the path.
0
 
LVL 4

Expert Comment

by:sint4x
ID: 13639894
>> If there's an error, I want to know exactly where it is. I wish errors gave even more detail. :)

IMO hiding directories is important, for security reasons.
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13640165
Thought it would be obvious here I was talking about final production running -- NOT the initial debugging stages.  Two different worlds.  Sint4x, so glad you see this too.

Evidently I wasn't clear enough.  I KNOW where my files are, I KNOW exactly what the path is -- I don't need this echoed back to me or advertised to the rest of the world -- THAT is what is dumb.  I don't see anything in the two links to just turn off the path.  

Perhaps someone would like to just provide a simple statement that turns off the path on ALL errors on a server.  That is what I need.  The PATH, not the errors.  
0
 
LVL 9

Expert Comment

by:gruntar
ID: 13640304
>>  I KNOW where my files are, I KNOW exactly what the path is -- I don't need this

Yes, you do and don't know. Here is an example...

test.php

<?php
include('file1.php');
include('file2.php');
include('file3.php');

//some more code here
?>

If you run "test.php" you also run all included files. Now, let's say that for some reason an error occurs in included file "file2.php".

Now, if PHP didn't reveal the file where the error occurs, you would not have a clue in which file you have a bug. This is the reason why you get all that info PHP gives you. I hope it's a bit clearer now.

cheers
0
 
LVL 9

Expert Comment

by:gruntar
ID: 13640373
Here is your error reporting that doesn't reveal the server path..

test.php
<?php

//error_reporting(E_ALL);
error_reporting(0);


function userErrorHandler($errno, $errmsg, $filename, $linenum, $vars)
{

   $errortype = array (
               E_ERROR          => "Error",
               E_WARNING        => "Warning",
               E_PARSE          => "Parsing Error",
               E_NOTICE          => "Notice",
               E_CORE_ERROR      => "Core Error",
               E_CORE_WARNING    => "Core Warning",
               E_COMPILE_ERROR  => "Compile Error",
               E_COMPILE_WARNING => "Compile Warning",
               E_USER_ERROR      => "User Error",
               E_USER_WARNING    => "User Warning",
               E_USER_NOTICE    => "User Notice",
               E_STRICT          => "Runtime Notice"
               );
   // set of errors for which a var trace will be saved
   $user_errors = array(E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE);
   
   $err = '<br />';
   $err .= ' <b>' . $errortype[$errno] . '</b>';
   $err .= ' ' . $errmsg;
   $err .= ' <b>' . basename($filename) . '</b>';
   $err .= ' ' . $linenum;

   
   // echo error without paths..
    echo $err;

}

set_error_handler('userErrorHandler');



echo $dsf

?>

A few lines above I "forgot" to add the trailing ; so the error should look like ...

Notice Undefined variable: dsf test.php 45

cheers
0
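The handler posted above trims $filename with basename() but echoes $errmsg unchanged, and PHP's own messages can carry absolute paths, as the "output started at /home/path/public_html/..." warnings quoted further down this thread show. The following is an added example, not code from the thread, that strips paths from the message as well; it assumes PHP 7 or later, and redactPaths() and pathSafeErrorHandler() are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7 or later;
// redactPaths() and pathSafeErrorHandler() are hypothetical names.

// Replace every absolute filesystem path in $text with its base name.
function redactPaths(string $text): string
{
    // Optional drive letter, then two or more /segment or \segment parts.
    // Deliberately broad: it also trims URLs, which is harmless for display.
    $pattern = '~(?:\b[A-Za-z]:)?(?:[\\\\/][\w.\-]+){2,}~';
    $clean = preg_replace_callback(
        $pattern,
        static function (array $m): string {
            // basename() on Unix does not split on "\", so normalise first
            return basename(str_replace('\\', '/', $m[0]));
        },
        $text
    );
    // If the regex engine fails, withhold the message rather than leak it.
    return $clean ?? '[message withheld]';
}

function pathSafeErrorHandler(int $errno, string $errstr,
                              string $errfile = '', int $errline = 0): bool
{
    if (!(error_reporting() & $errno)) {
        return false;   // masked or @-suppressed: leave it to PHP
    }
    // The unredacted record is for the server log only.
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    // The browser gets the message with paths stripped and HTML-escaped.
    echo '<br /><b>', htmlspecialchars(redactPaths($errstr)), '</b> ',
         htmlspecialchars(basename($errfile)), ' ', $errline;
    return true;        // skip PHP's built-in handler
}

set_error_handler('pathSafeErrorHandler');

// Constructed sample, modelled on the warnings quoted in this thread:
echo redactPaths('headers already sent (output started at '
    . '/home/path/public_html/filename.php:7)'), "\n";
```

As the thread notes, parse errors never reach a user-defined handler, so this does not replace turning display_errors off.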
 
LVL 23

Author Comment

by:sciwriter
ID: 13640374
Thank you gruntar for all the explanations you have put in -- I DO understand why some PHP coders think you need to display the file path -- but I don't want that information to show at all -- once in production.

Perhaps someone would like to just provide a simple GLOBAL statement that turns off the path on ALL PHP errors on a server.  That is what I need.  The PATH turned off, not the errors.

If that is impossible, then I would settle for -- ALL errors suppressed -- everything.
I cannot live with intermittent PHP and MySQL errors revealing the path to the account on the server.  
Repeat, I cannot live with it -- once in production.  

Thanks for a brief, working solution  -- hopefully just a 1-2-line statement.
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13640382
Sorry gruntar -- I posted before I saw your code  -- Thank you for that code....

Does this code go in each page, or can I put it somewhere more "globally"?

An include, or can I specify it in something like the htaccess?  
0
 
LVL 11

Expert Comment

by:matt_mcswain
ID: 13640393
>>IMO hiding directories is important, for security reasons.
I'm not disagreeing. I'm just saying turn them off and log them on live servers.
Yes, I suppose, it would be nice if there was an error flag that would prevent the path from being displayed.
I guess they think we have enough options.
0
 
LVL 9

Expert Comment

by:gruntar
ID: 13640395
You can put it in a file that gets included in every file. this code should be first one to execute.

cheers
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13640525
OK, I  put all your code in a file called errors.php  uploaded it to the server,
Changed the file giving errors to add, at top --     <?php include("errors.php"); ?>
All the errors still show, and I am also getting this additional error --

" Notice Undefined variable: dsf errors.php 50 " 

I put the ; after dsf, but notice, it is not defined above.
Also, since this is a function, do I have to call it in every single php action
if ... else die(errors.php)  -- or something like that?

That would be too much hassle.  I assumed it can replace the standard error handling.
Also, all the warnings on the page are showing the path as well....
0
 
LVL 4

Expert Comment

by:sint4x
ID: 13640642
gruntar you saved my life!

I always was looking for a way to debug my production server errors!! Now I have complete control over them :)

Thank you.
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13640651
Then please fill me in on getting this working -- as it is not working for errors for me, or for warnings.  Please see my post above...
0
 
LVL 9

Expert Comment

by:gruntar
ID: 13640688
you must put this code into that file


<?php

error_reporting(0);


function userErrorHandler($errno, $errmsg, $filename, $linenum, $vars)
{

   $errortype = array (
               E_ERROR          => "Error",
               E_WARNING        => "Warning",
               E_PARSE          => "Parsing Error",
               E_NOTICE          => "Notice",
               E_CORE_ERROR      => "Core Error",
               E_CORE_WARNING    => "Core Warning",
               E_COMPILE_ERROR  => "Compile Error",
               E_COMPILE_WARNING => "Compile Warning",
               E_USER_ERROR      => "User Error",
               E_USER_WARNING    => "User Warning",
               E_USER_NOTICE    => "User Notice",
               E_STRICT          => "Runtime Notice"
               );
   // set of errors for which a var trace will be saved
   $user_errors = array(E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE);
   
   $err = '<br />';
   $err .= ' <b>' . $errortype[$errno] . '</b>';
   $err .= ' ' . $errmsg;
   $err .= ' <b>' . basename($filename) . '</b>';
   $err .= ' ' . $linenum;

   
   // echo error without paths..
    echo $err;

}

set_error_handler('userErrorHandler');

?>

0
 
LVL 9

Expert Comment

by:gruntar
ID: 13640690
No problem sint4x, glad I could help :)
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13640731
gruntar --

I have put your new code into a file called -- errors.php -- in the <BODY> section.

In the top of filename.php  I have put --
<?php
include("errors.php");
.......
?>

I am still getting tons of warnings and errors, like --

Warning session_start(): Cannot send session cookie - headers already sent by (output started at /home/path/public_html/filename.php:7) filename.php 44
Warning session_start(): Cannot send session cache limiter - headers already sent (output started at /home/path/public_html/filename.php:7) filename.php 44
Warning Cannot modify header information - headers already sent by (output started at /home/path/public_html/filename:7) filename.php 45
Warning end(): Passed variable is not an array or object filename.php 55

Don't worry about the meanings of the errors -- I just want to eliminate them....
Obviously I am not doing something right
0
 
LVL 9

Expert Comment

by:gruntar
ID: 13640766
What BODY?!

Put only PHP code that I have posted in last post NOTHING else!!!

cheers
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13640784
I did that, it made no difference.

As I said, your file declares a function -- where do I call this function?
I am not calling any function -- only:    include "errors.php"   -- in the other file.

Seems to me a function has to be called, unless this replaces PHP's global error reporting.

I am increasing points for all the effort you have put in, but it is still not working.
Something simple, no doubt.
0
 
LVL 9

Expert Comment

by:gruntar
ID: 13640813
Well, yes you DON'T call that function, PHP does.

set_error_handler('userErrorHandler');
this line tells PHP to use your function to show errors.

Have you copied the whole code?
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13640846
yes gruntar, exactly as you have it.  Since I am not a PHP expert, it is probably something real simple.  I don't doubt the correctness of your code, I would suspect I am missing something that might be "obvious" to you...

In the other file, I tried --

include("errors.php");

with and without the brackets, made no difference.  I even copied your latest code again, and re-uploaded that errors.php to the public_html directory.  There is nothing in it but your code.

server stats --

Apache version  1.3.33 (Unix)        
MySQL version      4.0.22-standard      
PHP version      4.3.10

Sorry for the problem, but I really need to get these errors out of the way, so I can see what I am doing ....
0
 
LVL 9

Expert Comment

by:gruntar
ID: 13640856
Based on info you have posted seems OK. I can tell you more only if you paste the code...

0
 
LVL 23

Author Comment

by:sciwriter
ID: 13640889
errors.php is EXACTLY your code -- checked it 3 times

otherfile.php is as follows (simplified, to not clutter this question) --

<HTML>
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<META http-equiv="Content-Style-Type" content="text/css">
<TITLE></TITLE>
</HEAD>
<BODY>
....some HTML tables here

<?php

include ("errors.php") ;

session_start();
header("Cache-control: private");                                     // IE 6 Fix.
if (!session_is_registered('divs')) { session_register('divs'); }

// there is a whole bunch more code relating to displaying session information, none relevant to the errors
//because the errors relate to the above code, but they are typical PHP errors (see above). Example code --
  echo "<DIV id='" . $key . "'>Description: ". $_SESSION['divs'][$key]['title'] . "</DIV>";

?>

.... more HTML tables here

</BODY>
</HTML>
0
 
LVL 9

Assisted Solution

by:gruntar
gruntar earned 500 total points
ID: 13640912
Code should go like this.
Headers must be sent before any output...


<?php

include ("errors.php") ;

session_start();
header("Cache-control: private");                               // IE 6 Fix.
if (!session_is_registered('divs')) { session_register('divs'); }

?><HTML>
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<META http-equiv="Content-Style-Type" content="text/css">
<TITLE></TITLE>
</HEAD>
<BODY>


If you have problems TRY simple test files first and then add more code to it...
now, I'm off to bed.. it's 1:38 here
0
 
LVL 25

Accepted Solution

by:
Marcus Bointon earned 500 total points
ID: 13650770
There's a simpler approach to this. Either set display_errors = off in your php.ini, or say this at the start of each script:

ini_set('display_errors', 0);

It's important to not turn error_reporting off as it will stop you seeing real errors in your log files, but turning their display off will stop making them public. Of course, errors like these should not be happening anyway, so you should be more careful with your error checking to stop them occurring in the first place - but I'm sure you know that!
0
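The accepted answer's approach (display off, reporting and logging left on) written out as a single bootstrap file, as an added example that is not code from the thread. It assumes PHP 7 or later; the function names and the log path are illustrative assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7 or later.
// Function names and the log path are illustrative assumptions.

function configureProductionErrors(string $logFile): void
{
    error_reporting(E_ALL);                  // keep reporting everything ...
    ini_set('display_errors', '0');          // ... but never to the browser
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');              // full detail goes to the log
    ini_set('error_log', $logFile);          // keep this outside the web root
}

// Show the visitor a reference number instead of a message or path.
function showGenericFailure(string $logLine): void
{
    $id = bin2hex(random_bytes(4));          // ties the page to the log entry
    error_log("[$id] $logLine");
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred. Reference: ', $id;
}

function onUncaughtException(Throwable $e): void
{
    showGenericFailure(sprintf('%s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
}

function onShutdown(): void
{
    $last  = error_get_last();
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR;
    if ($last !== null && ($last['type'] & $fatal)) {
        // PHP has already written the fatal error itself to the log.
        showGenericFailure('fatal error, see preceding log entry');
    }
}

configureProductionErrors('/var/log/php/app-error.log'); // assumed path
set_exception_handler('onUncaughtException');
register_shutdown_function('onShutdown');
```

Loading this file through the php.ini directive auto_prepend_file applies it to every script without editing each page. Settings made with ini_set() at run time cannot hide a parse error in the entry script itself, so display_errors should also be off in php.ini.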
 
LVL 23

Author Comment

by:sciwriter
ID: 13655145
Thank you squinky, that simple statement is what I was looking for all along !!!

I was using error reporting(0) to stop them, so I could move ahead with debugging, and I will change that to your suggestion.

Since yours is the right answer -- but gruntar put in so much effort with his code (that I still could not get to work) -- If it is OK with you both, I will split points evenly.

Thanks again squinky -- check my other posts, could use your help.
0
