I would like to assign Error Codes to my Error Messages to help with debugging, since two different sources could cause the same/similar Error Type.
Is it insecure to display an Error Code to the User?
For example…
// Missing Salt.
case 'PASSWORD_MISSING_SALT':
    echo '<h1>Password Change Failed</h1>';
    echo '<p>A Fatal Error occurred. Please contact the System Administrator. (5589)</p>';
    break;
And, yeah, I could take them out when I go live, but if they don’t give away too much info to hackers, then I’d just as soon leave them in.
But what do you think?
Debbie
wwb_99
February 9, 2012, 11:15pm
2
The question you need to ask yourself here [and for every one of these random security questions] is “how could this be used to compromise the system?”
In this case, you probably aren’t doing anything with the error numbers at all so I doubt it would hurt. There are some cases where exposing error details can hurt – such as that padding oracle attack that was in the wild over the summer – but that probably won’t get to this level.
wwb_99:
The question you need to ask yourself here [and for every one of these random security questions] is “how could this be used to compromise the system?”
In this case, you probably aren’t doing anything with the error numbers at all so I doubt it would hurt. There are some cases where exposing error details can hurt – such as that padding oracle attack that was in the wild over the summer – but that probably won’t get to this level.
Well, my Error-Messages are tailored to Users (and not Developers).
Adding a code would just make it easier to Debug and down the road if a User did have an issue, they could report…
“I am getting this ‘A Fatal Error occurred. Please contact the System Administrator. (5589)’ error message.”
Debbie
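An added example, not part of the thread or either poster's code: one way to show a code the user can quote to support while the actual cause stays in the server log, with internal reasons that differ only in security-relevant detail sharing one displayed code. The reason names other than PASSWORD_MISSING_SALT, every code other than 5589, and the functions reportFailure and renderFailure are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Internal failure reasons mapped to the public code shown to users.
// Reasons that would reveal security-relevant state share one public code, so the
// page cannot be used to tell them apart; the distinction lives only in the log.
const PUBLIC_CODES = [
    'PASSWORD_MISSING_SALT'  => 5589,  // reason and code from the post above
    'PASSWORD_HASH_MISMATCH' => 5589,  // hypothetical reason, same code on purpose
    'DB_UNAVAILABLE'         => 5601,  // hypothetical reason and code
];
const FALLBACK_CODE = 5000;            // hypothetical code for unmapped reasons

/**
 * Log the full detail server-side and return only what is safe to render.
 */
function reportFailure(string $reason, array $context, callable $log): array
{
    $code     = PUBLIC_CODES[$reason] ?? FALLBACK_CODE;
    $incident = bin2hex(random_bytes(4));  // per-occurrence reference for support

    // Secrets stay out of the log as well as out of the page.
    unset($context['password'], $context['salt']);
    $log(sprintf('incident=%s code=%d reason=%s context=%s',
        $incident, $code, $reason, json_encode($context)));

    return ['code' => $code, 'incident' => $incident];
}

/**
 * Build the user-facing message: generic text plus "code-incident".
 */
function renderFailure(array $failure): string
{
    $reference = $failure['code'] . '-' . $failure['incident'];
    return '<h1>Password Change Failed</h1>'
         . '<p>A Fatal Error occurred. Please contact the System Administrator. ('
         . htmlspecialchars($reference, ENT_QUOTES, 'UTF-8')
         . ')</p>';
}

// Constructed sample run: the detail line goes to the PHP error log.
$failure = reportFailure('PASSWORD_MISSING_SALT', ['user_id' => 42, 'salt' => null], 'error_log');
echo renderFailure($failure), PHP_EOL;
```

Support can look up the incident part of the reference in the log to find the exact reason, so the displayed code never has to encode it.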