• There is NO official Otland's Discord server and NO official Otland's server list. The Otland's Staff does not manage any Discord server or server list. Moderators or administrator of any Discord server or server lists have NO connection to the Otland's Staff. Do not get scammed!

Log your PHP errors instead of displaying it to the users!

Znote

Znote

<?php echo $title; ?>
Staff member
Global Moderator
Premium User
Joined
Feb 14, 2008
Messages
7,030
Solutions
256
Reaction score
2,117
Location
Norway
GitHub
Znote
I post this thread, because it is useful, and it is very basic php, so no credits belongs to it.

Here is the idea:
Users (you, everybody who enters the site and surf around) might encounter php errors, however, you might want to keep your errors to yourself for security reasons.

So I found a handy php script, every time a error message occurs, it does NOT get displayed on the website, instead, it gets logged inside a text document. In some cases, the person who surf won't notice any thing at all.

The new PHP which many use, PHP 5.3~ tend to be more sensitive, so recently many errors have occur which really ain't such a big deal.

It is VERY easy to use, locate your Index.php or root php document, and paste this:
PHP: 
<?php

    ini_set('error_reporting', E_ALL | E_STRICT);
    ini_set('display_errors', 'Off');
    ini_set('log_errors', 'On');
    ini_set('error_log', 'error.txt');

?>

At the top of index.php.

OR:
stian said:
PHP: 
<?php
ini_set('error_reporting', E_ALL | E_STRICT);
ini_set('display_errors', 'Off');
ini_set('log_errors', 'on');
ini_set('error_log', 'error.txt');
if(filesize('error.txt') > 10485760)
    ini_set('log_errors', 'off');
?>

This is a safe version. Allowing only 10MB log.
Click to expand...




Here is an example of how it may look:
2796-phpexample.png


Then create a file named error.txt in same dir as index.php and you're good to go. :)
 
Last edited:
Language in general has never been my thing. But I hope I am not among the worst ones.

I hope I'm not among the worst.
 
In my opinion you should fix all your errors so the users won't see them anyway.

EDIT: Also that example will send the header (older PHP atleast).

After "<?php" add:
ini_set('error_reporting', E_ALL | E_STRICT);
ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');
ini_set('error_log', 'error.txt');
Click to expand...

(no extra <?php or ?>)
 
Yes, but this won't stop that. This might actually help you more than whatnot.

You might not find all the errors, however when a random visitor finds it for you, it will be logged in the error.txt document.
So you can fix it. So its like they are tracking errors to you, without them even knowing or noticing that they are participating in stabilizing your code.
:thumbup:

If you add it to your Otservlist website, just make sure to check the text document once in a while, and look for new errors.:thumbup:

edit to your edit: Thanks, I will quote you in main post. Anyway, both ways works. But my PHP experience is very low, but I assume your version use a bit less resource than mine. (Would anyone notice the difference?) :p

edit2: Was sky reading, missed this:
stian said:
Also that example will send the header (older PHP atleast).
Click to expand...

PHP 5.3 which decently new versions of XAMPP+ uses I have no problems using my example. So I guess it is for older versions.
 
Last edited:
Yes, it was fixed once (don't remember). If you remember forgetting that you had a newline in the beginning of the file and got strange errors (I do). Also, it cost around 0.001ms to open and close a php tag. Not much time, but it's unneeded. Thats a wasted microsecond.

EDIT: Your method CAN also be used as a attack. Specially on VPSs you can find the page with most errors (download gesior and try yourself), then request that page ALOT. Sorta of a two in one attack way (since the webserver write access log, and you can also configurate dump of php errors to error.log)
 
Last edited:
stian said:
Yes, it was fixed once (don't remember). If you remember forgetting that you had a newline in the beginning of the file and got strange errors (I do). Also, it cost around 0.001ms to open and close a php tag. Not much time, but it's unneeded. Thats a wasted microsecond.

EDIT: Your method CAN also be used as a attack. Specially on VPSs you can find the page with most errors (download gesior and try yourself), then request that page ALOT. Sorta of a two in one attack way (since the webserver write access log, and you can also configurate dump of php errors to error.log)
Click to expand...

Your tell us to not use this? At least if you use gesiors?
 
No, i'm merr telling that writing stuff to file CAN be used to flood your harddisk until you run of space and everything will fuck up. The same goes for the webservers access.log file. If your sure you don't have any known errors you don't run a risk tho.
 
Make sure you name your error.log something unique then, like blabla.loltk (file extension doesn't matter, at least on linux)

That way, it won't be that easy for them to notice that the website is using that system?
(Unless someone are using a PHP script sniffer, I suppose that exists as well).

Also, you can keep the log "writable" during relevant time, etc if you turn it on while observing it once in a while, and close it.

When you don't want it to log the files because of possible abuse, then just do
PHP: 
    ini_set('error_reporting', E_ALL | E_STRICT);
    ini_set('display_errors', 'Off');
    ini_set('log_errors', 'off');
    ini_set('error_log', 'error.txt');
 
PHP: 
<?php
ini_set('error_reporting', E_ALL | E_STRICT);
ini_set('display_errors', 'Off');
ini_set('log_errors', 'on');
ini_set('error_log', 'error.txt');
if(filesize('error.txt') > 10485760)
    ini_set('log_errors', 'off');
?>

This is a safe version. Allowing only 10MB log.
 
Bump to show this useful tip to more users.
 
It means I find a error on your site, then make millions request on it until the log file nolonger fits on your machine. Then you run out of space, and mostly everything crashes.
 
stian said:
It means I find a error on your site, then make millions request on it until the log file nolonger fits on your machine. Then you run out of space, and mostly everything crashes.
Click to expand...
Not only would it take you an unrealistic amount of time to make those "millions of requests", you would need to do a lot more than that to fill any modern server's hard disk.
 
No. You can make millions of request every second if the server is capable of handling it, Given that each request fills. Still it's effective to take away CPU and memory resources also. And if the server can't handle the request flow, it's another type of attack.

Well, my point was to takes resources.
 
By the way, in Modern AAC this function exists, and can be changed to various types in config.php
 
Also, it's build into php a logging system, that system also support an option to NOT log multiple errors. I will suggest people to just use that option instead :p
 
Back
Top