jesuisperdu

Stop printing debug information

My site is semi-operational atm and I had a little problem: a MySQL command failed to execute and it printed out the debug information, which contained my FTP host name as well as my login name, which is rather unwelcome. How do I stop this?
ASKER CERTIFIED SOLUTION
virmaior
jesuisperdu

ASKER

Where exactly do I put the error_reporting(0)?
You would put it at the beginning of your page, but I'm guessing there are things more fundamentally wrong with your app if you are getting these errors.
SOLUTION
Marcus Bointon
Best to fix the problem, and not the symptom. When in doubt, ...

Squink - you think he could md5 the username as well as the password? SHA-1 would be best, but... All you need to do is verify the username, right?  Would that be more secure than this instance, where giving away the UN is undesirable?
It does seem strange that a MySQL error is displaying FTP data - or is it just that it's displaying a query that happens to contain the user name? It would help if you could post the actual error you're seeing.

I think it would at least partly depend on your FTP server (pure-ftpd is great) - it doesn't help that FTP tends to be insecure anyway. Hashing IDs and passwords might help, but I think it's better to fix the cause and stop it being displayed in the first place by preventing the SQL error. So, suppress the display of the error (with display_errors and @) and trap it properly in code, which will, as you suggest, also fix the cause rather than the symptom, something like:

ini_set('display_errors', 0);
if ($res = @mysql_query("SELECT * FROM table WHERE id = $id")) {
  //Do stuff with valid data
} else {
  die('Bad query: '.mysql_error()); //don't really do this, log it or send the admin an email or something instead!
}

For demonstration purposes, I've made a deliberate error in the above script - notice that $id is not single-quoted in the SQL, meaning that if $id is undefined or empty, then the SQL will be invalid and generate an error message. It's that kind of thing that you should program defensively against.
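
As an added example (not code from this thread or its participants), here is the pattern the post above recommends: keep error output off the page, log the detail server-side, and bind the id as a parameter so that an undefined or empty value never reaches the SQL. It assumes PDO with the SQLite driver so that it runs offline; the `items` table and the `find_item()` helper are hypothetical.

```php
<?php
// Production settings: never render PHP or database errors to visitors,
// send them to the server's error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample data: an in-memory SQLite database stands in for the
// real MySQL server (assumption, so the example needs no network or credentials).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (id, name) VALUES (1, 'widget')");

/**
 * Hypothetical helper: fetch one row by id.
 * Returns the row, or null when the id is invalid, no row matches,
 * or the query fails (the failure detail goes to the log only).
 */
function find_item(PDO $db, $id): ?array
{
    // Undefined, empty or non-numeric ids are rejected before any SQL is built.
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    try {
        // Bound parameter: the value is never spliced into the SQL text.
        $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // Full detail for the administrator, server-side only.
        error_log('find_item failed: ' . $e->getMessage());
        return null;
    }
}

var_dump(find_item($db, '1'));   // valid id, row exists
var_dump(find_item($db, ''));    // empty id, rejected without touching the database

// Simulate a broken query by removing the table, then call again:
// the visitor sees only a generic message, the cause is in the error log.
$db->exec('DROP TABLE items');
if (find_item($db, '1') === null) {
    echo "Sorry, something went wrong. Please try again later.\n";
}
```
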
>For demonstration purposes, I've made a deliberate error in the above script - notice that $id is not single-quoted in the SQL, meaning that if $id is undefined or empty, then the SQL will be invalid and generate an error message. It's that kind of thing that you should program defensively against.

Note this only applies if $id is non-numeric. Numeric values can have quotes omitted. IDs are standardly numbers, whereas GUIDs are alphanums.

Yes, but even if $id is meant to be numeric, if it happens to be undefined at the time the query is built, you'll still end up with an invalid SQL query. It's never unsafe to quote values; the reverse is not always true.
Squinky - my guess is that our question asker just *thinks* it's displaying his FTP server data. It's probably showing the IP of the server and that's what has him thinking it's FTP.
Could well be - he's not being very forthcoming with feedback... An error message is worth a thousand words?? ;^)
or if you silence them all, zero.
maybe censor sensitive information on the error msg?
well, you suppress them when you deploy -- but never when you develop.  On my server, it checks to see if it's me and if so then it shows all errors; otherwise it doesn't.
I use this:

/**
* Display a debug message that's only visible to certain IP addresses
*
* @param mixed $msg A string to display as is, any other type will be var_dump()ed
*/
function debugmsg($msg) {
      $allowed = array('1.2.3.4', '5.6.7.8', '7.8.9.10');
      if (array_key_exists('REMOTE_ADDR', $_SERVER) and in_array($_SERVER['REMOTE_ADDR'], $allowed)) {
            if (is_string($msg))
                  echo $msg."\n";
            else
                  var_dump($msg);
      }
}

I have the feeling we're just twiddling our thumbs until jesuisperdu gets back to us...
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: virmaior {http:#13807153} & squinky {http:#13808012}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Huji
EE Cleanup Volunteer