PHP errors enabled

Server Config
1

I have been using WebsiteDefender on one of my sites, after it was hacked. I recently moved the site to another (shared) hosting company, and WebsiteDefender gave me the following report:

The display_error PHP configuration directive is enabled. This means that untrusted sources can see detailed web application environment error messages which might include sensitive information which can be used to craft further attacks.

You can disable display_errors from php.ini or .htaccess.

php.ini
display_errors = ‘off’
log_errors = ‘on’

.htaccess
php_flag display_errors off
php_flag log_errors on

I added the lines above to my .htaccess file, but that caused a server 500 error when I tried to view the site. :frowning:

Any help would be appreciated.

2

Did you add all the lines to your .htaccess file?

The instructions stated loading the additional files either in the php.ini file or the .htaccess file.

Try adding just these two lines in your .htaccess file, this should prevent the server 500 errors. Once the site is running OK again then remove the # remark one at at time and see if the site runs OK with no server errors.



# php_flag display_errors off
# php_flag log_errors on
3

Yes, I understood the instructions and I added only the .htaccess code to my .htaccess file.

No. Either line individually causes server 500 errors.

4

You should also be able to this by adding this in PHP:


ini_set('display_errors', false);

The .htaccess stuff probably doesn’t work because PHP is not run as an Apache module (but rather through some sort of CGI) so Apache doesn’t recognise it.

5

Thanks, @ScallioXTX. At the risk of revealing how little I understand of this, may I ask how I add that in PHP? Do I need to include it in each of my pages and each of my includes? (The site is basically static pages and is only using PHP for includes like header, footer and navigation.)

6

You should indeed include that in each and every page. Or, if all pages include the header, you can also put it in the header so it’s automatically used in all pages. Doesn’t matter which option you pick, except the second one is easier :slight_smile:

7

Brilliant, thank you. I’ve put it in the header and everything’s still working. :cool:

8

I would not be happy to have the site running and hiding errors.

Can you supply a link to the site and the .htaccess file - this may help in tracking the error source.

9

Why not? I would be very happy to have the side hide any internal information from normal visitors, as long as it’s logged somewhere.

10

I should have included your statement as long as it’s logged somewhere.

11

Thank you, but (AFAIK) there aren’t any errors - it was just an alert warning that any error messages would be displayed publicly. I don’t know a great deal about PHP, but I do know enough to know that’s a Bad Idea. :slight_smile:

However, I’ve now started wondering - how can I tell whether my other PHP sites have the same problem? I wouldn’t have known about this one, had WebsiteDefender not alerted me. Should I just add @ScallioXTX’s code on all my PHP pages as a precaution?

12

It surely can’t hurt :slight_smile:

13

In that case, I’ll just go ahead and do it. (I’m always terrified of breaking something. :lol: )

14

When you are feeling brave try this:

// your header.php



   ini_set('display_errors', FALSE );

   error_reporting( E_ALL );

   $tmp = getcwd() . "/php_error_" .date('y-m-d__h-i-s' ) ) .".log"
   ini_set('error_log', $tmp) ;

Points to note:

  1. the user will not see any PHP errors
  2. PHP errors will be generated in the background
  3. any PHP errors will create and/or append to a daily error log file
  4. error log file will be named: “php_error_yy-mm-dd__hh-mm-ss.log”
  5. the log file will be in the same directory as your header.php (or the file that includes ‘header.php’ )

Discuss :slight_smile: