1.2.367. Don’t Echo Error

Avoid displaying error messages directly to the browser. Raw error output discloses file paths, SQL text, host names, account names and stack traces, all of which help an attacker map the application.

PHP uses the display_errors directive to control whether errors are sent to the browser. It must be kept off in production. Error messages should be logged (log_errors, error_log), never displayed.

<?php

// Inside an 'or' test: the raw driver message is sent to the browser
mysql_connect('localhost', $user, $pass) or die(mysql_error());

// Inside an 'if' test: same problem, with the PostgreSQL driver message
$result = pg_query( $db, $query );
if( !$result )
{
     echo 'SQL error: ' . pg_last_error($db);
     exit;
}

// Changing PHP configuration at runtime: turns display on
ini_set('display_errors', 1);
// Do not rely on the string 'false' either: ini values are strings, so use
// the documented forms '0' or 'Off' to disable the directive.
ini_set('display_errors', 'false');

?>

See also Error reporting and List of php.ini directives.
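The same connection and query failures handled without echoing the driver message, as an added example that is not part of the Exakat page or its analyzed projects. The connection parameters, the log path and the use of mysqli are assumptions chosen for the illustration; the point is that full detail goes to the server log while the browser only ever receives a generic message.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page.
// Production error settings: never display, always log.
// '0' and '1' are the documented string forms for these directives.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log'); // assumption: writable by the web server user

// Make the mysqli driver throw exceptions instead of emitting warnings,
// so a failure cannot slip out as displayed text.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// One place decides what the visitor sees: the exception detail (message,
// file, line) is written to the log only; the response carries no internals.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred. Please try again later.';
});

function connectDb(string $host, string $user, string $pass, string $dbname): mysqli
{
    // On failure mysqli_sql_exception propagates to the handler above,
    // which replaces the page's `die(mysql_error())` pattern.
    return new mysqli($host, $user, $pass, $dbname);
}

function findUserByEmail(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row === null ? null : $row;
}

// Placeholder credentials and input (assumptions for the example).
$db = connectDb('localhost', 'app_user', 'app_password', 'app_db');
$email = (string) ($_GET['email'] ?? '');
$user = findUserByEmail($db, $email);

echo $user === null ? 'No such user.' : htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8');
```

If the application must run on a host where php.ini cannot be edited, the ini_set() calls above belong in the front controller before any other code executes; uncaught fatal errors raised before that point are still governed by the php.ini value, so the directive should be set to Off in php.ini as well.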

1.2.367.1. Suggestions

  • Remove any echo, print or printf() call that outputs an error message taken from an exception or an external source (database driver, library, remote service). Log the message with error_log() or the application logger, and return a generic message to the client.

1.2.367.2. Specs

Short name

Security/DontEchoError

Rulesets

All, Analyze, CE, CI-checks, Changed Behavior, Security

Exakat since

0.8.7

PHP Version

All

Severity

Critical

Time To Fix

Instant (5 mins)

Precision

High

Examples

ChurchCRM, Phpdocumentor

Available in

Enterprise Edition, Community Edition, Exakat Cloud