• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 280
  • Last Modified:

Stop printing debug information

My site is semi-operational atm and I had a little problem: a MySQL command failed to execute and it printed out the debug information, which contained my FTP host name as well as my login name,
which is rather unwelcome. How do I stop this?
0
Asked:
jesuisperdu
2 Solutions
 
virmaior Commented:
error_reporting(0) will stop the error from showing up...
but more importantly, don't write code that produces the error.

0
 
jesuisperdu Author Commented:
Where exactly do I put the error_reporting(0)?
0
 
virmaior Commented:
You would put it at the beginning of your page,
but I'm guessing there are things more fundamentally wrong with your app if you are getting these errors.
0

 
Marcus Bointon Commented:
error_reporting(0) is not a good idea as it will also prevent the logging of errors, making your site much harder to debug. Better to use ini_set('display_errors', 0), which will keep logging errors according to the error_reporting level (I recommend E_ALL), but just not display them in the browser. Again, stick it at the start of your page. Alternatively you can set it globally in your php.ini, then re-enable it in pages that you're working on that are not yet live.
0
 
Promethyl Commented:
Best to fix the problem, and not the symptom. When in doubt, ...

Squink - you think he could md5 the username as well as the password? SHA-1 would be best, but... All you need to do is verify the username, right?  Would that be more secure than this instance, where giving away the UN is undesirable?
0
 
Marcus Bointon Commented:
It does seem strange that a MySQL error is displaying FTP data - or is it just that it's displaying a query that happens to contain the user name? It would help if you could post the actual error you're seeing.

I think it would at least partly depend on your FTP server (pure-ftpd is great) - it doesn't help that FTP tends to be insecure anyway. Hashing IDs and passwords might help, but I think it's better to fix the cause and stop it being displayed in the first place by preventing the SQL error. So, suppress the display of the error (with display_errors and @) and trap it properly in code, which will, as you suggest, also fix the cause rather than the symptom, something like:

ini_set('display_errors', 0);
if ($res = @mysql_query("SELECT * FROM table WHERE id = $id")) {
  //Do stuff with valid data
} else {
  die('Bad query: '.mysql_error()); //don't really do this, log it or send the admin an email or something instead!
}

For demonstration purposes, I've made a deliberate error in the above script - notice that $id is not single-quoted in the SQL, meaning that if $id is undefined or empty, then the SQL will be invalid and generate an error message. It's that kind of thing that you should program defensively against.
0
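
Added example, not part of the original thread: one way to apply the advice above in current PHP, keeping error_reporting at E_ALL while display_errors is off, logging the database error server-side, and binding $id instead of building the SQL string. PDO with an in-memory SQLite database stands in for the MySQL connection, and the table and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumptions: an in-memory SQLite
// database via PDO stands in for the site's MySQL connection; the "items"
// table and the function names report_failure/find_item are hypothetical.

error_reporting(E_ALL);            // keep reporting everything...
ini_set('display_errors', '0');    // ...but never send it to the browser
ini_set('log_errors', '1');        // details go to the server's error log

/**
 * Log the full detail server-side and return a short reference the visitor
 * can quote; the response never contains the SQL, host name or user name.
 */
function report_failure(Throwable $e): string
{
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    return $ref;
}

/** Fetch one row by id; the value is bound, never concatenated into the SQL. */
function find_item(PDO $db, $id): ?array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return null;               // undefined, empty or non-numeric id
    }
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

try {
    $db = new PDO('sqlite::memory:');  // constructed sample database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO items (id, name) VALUES (1, 'widget')");

    var_dump(find_item($db, 1));       // valid id
    var_dump(find_item($db, ''));      // empty id is rejected before the database
    $db->query('SELECT * FROM missing_table'); // forces a database error
} catch (PDOException $e) {
    echo 'Something went wrong (ref ' . report_failure($e) . ").\n";
}
```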
 
Promethyl Commented:
>For demonstration purposes, I've made a deliberate error in the above script - notice that $id is not single-quoted in the SQL, meaning that if $id is undefined or empty, then the SQL will be invalid and generate an error message. It's that kind of thing that you should program defensively against.

Note this only applies if $id is non-numeric. Numeric values can have quotes omitted. IDs are standardly numbers, whereas GUIDs are alphanums.

0
 
Marcus Bointon Commented:
Yes, but even if $id is meant to be numeric, if it happens to be undefined at the time the query is built, you'll still end up with an invalid SQL query. It's never unsafe to quote values; the reverse is not always true.
0
 
virmaior Commented:
Squinky - my guess is that our question asker just *thinks* it's displaying his ftp server data. It's probably showing the IP of the server and that's what has him thinking it's FTP.
0
 
Marcus Bointon Commented:
Could well be - he's not being very forthcoming with feedback... An error message is worth a thousand words?? ;^)
0
 
virmaior Commented:
or if you silence them all, zero.
0
 
Promethyl Commented:
maybe censor sensitive information on the error msg?
0
 
virmaior Commented:
well, you suppress them when you deploy -- but never when you develop.  On my server, it checks to see if it's me and if so then it shows all errors; otherwise it doesn't.
0
 
Marcus Bointon Commented:
I use this:

/**
* Display a debug message that's only visible to certain IP addresses
*
* @param mixed $msg A string to display as is, any other type will be var_dump()ed
*/
function debugmsg($msg) {
      $allowed = array('1.2.3.4', '5.6.7.8', '7.8.9.10');
      if (array_key_exists('REMOTE_ADDR', $_SERVER) and in_array($_SERVER['REMOTE_ADDR'], $allowed)) {
            if (is_string($msg))
                  echo $msg."\n";
            else
                  var_dump($msg);
      }
}

I have the feeling we're just twiddling our thumbs until jesuisperdu gets back to us...
0
 
huji Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: virmaior {http:#13807153} & squinky {http:#13808012}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Huji
EE Cleanup Volunteer
0
