1.2.367. Don’t Echo Error
Avoid displaying error messages directly to the browser: a raw error typically reveals file paths, SQL fragments, host names and library versions to whoever triggered the failure.
PHP uses the display_errors directive to control whether errors are rendered into the response. It must be kept off in production.
Error messages should be logged (see the log_errors and error_log directives), but not displayed.
<?php
// Error text leaking through an 'or' test: die() prints the driver's message to the client.
// (The mysql_* extension was removed in PHP 7.0, but the pattern survives with other drivers.)
mysql_connect('localhost', $user, $pass) or die(mysql_error());

// Error text leaking through an 'if' test
$result = pg_query($db, $query);
if (!$result) {
    echo 'SQL error: ' . pg_last_error($db);
    exit;
}

// Changing PHP configuration at runtime: this turns error display ON
ini_set('display_errors', 1);

// Also a mistake: 'false' is not one of the documented values for display_errors
// (0/1, On/Off, stderr, stdout), so the outcome depends on PHP's fallback parsing
// of an unrecognised string rather than on an explicit setting. Use '0' or 'Off'.
ini_set('display_errors', 'false');
?>
See also Error reporting and List of php.ini directives.
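The same failures handled the way the rule asks for, as an added example that is not part of the Exakat rule page: the driver or exception message goes to the error log under a correlation id, and the client only sees the id. The log path /var/log/php/app.log and the connect() helper are assumptions for the illustration.

```php
<?php
// Added example, not from the original page. Production error handling:
// keep display_errors off, keep log_errors on, and route every error
// detail to the log instead of the response.
ini_set('display_errors', '0');              // never render errors into the response
ini_set('log_errors', '1');                  // but do record them
ini_set('error_log', '/var/log/php/app.log'); // assumed path; must be writable by the web user
error_reporting(E_ALL);

// Log the full detail, give the client a generic message plus an opaque reference
// so support can find the log line without the message itself leaking.
function failClosed(Throwable $t): void
{
    $id = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] %s: %s in %s:%d', $id, get_class($t),
        $t->getMessage(), $t->getFile(), $t->getLine()));
    http_response_code(500);
    echo 'An internal error occurred. Reference: ' . $id;
    exit;
}

// Assumed helper: a PDO connection that never echoes the driver's message.
// PDOException messages can contain the host, user and database name.
function connect(string $dsn, string $user, string $pass): PDO
{
    try {
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        failClosed($e);
    }
}

// Anything uncaught would otherwise reach the client as a stack trace when
// display_errors is on, or silently as a blank page; route it the same way.
set_exception_handler('failClosed');

// Startup guard: refuse to run with display_errors enabled, in case a
// php.ini or .htaccess override turned it back on after this script's ini_set.
if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('display_errors is enabled in production; aborting');
    http_response_code(500);
    exit('Service misconfigured.');
}

$db = connect('mysql:host=localhost;dbname=app', 'app', 'secret'); // assumed DSN and credentials
```

Note that ini_set() only affects the rest of the current request; fatal errors raised before it runs (parse errors, a failing autoloader) are still governed by php.ini, so display_errors = Off belongs in the server configuration as well, with the in-script call as a second line of defence.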
1.2.367.1. Suggestions
Remove any echo, print or printf() call whose output is built from an exception message, a database driver's error string, or another external error source; log that text with error_log() or the application logger and show the user a generic message instead.
1.2.367.2. Specs
Short name | Security/DontEchoError
Rulesets |
Exakat since | 0.8.7
PHP Version | All
Severity | Critical
Time To Fix | Instant (5 mins)
Precision | High
Examples |
Available in |