) Set_error_handler usage

Incorrect path Leakage
1. cause:
When PHP encounters an error, it will give the location, number of rows, and cause of the error script, for example:
Notice: Use of undefined constant test-assumed ''test'' in D: interpubbigflytest. php on line 3
Many people say that this is no big deal. However, the consequences of leaking the actual path are unimaginable. For some intruders, this information is very important. In fact, many servers have this problem.
Some network administrators simply set display_errors in the PHP configuration file to off, but I think this method is too negative. Sometimes, we do need PHP to return an error message for debugging. In addition, when an error occurs, you may need to give the user an explanation, or even navigate to another page.
2. Vulnerability Resolution:
PHP has provided the set_error_handler () function for customizing error handling handles since 4.1.0, but few script writers know it. In many PHP forums, I have seen only a small number of cases. Set_error_handler is used as follows:
String set_error_handler (callback error_handler [, int error_types])
Now we can use custom error handling to filter out the actual path.
// Identify admin as the administrator. True is the administrator.
// The custom error handler must have these four input variables $ errno, $ errstr, $ errfile, and $ errline. Otherwise, the error handler is invalid.

 1   Function My_error_handler ( $ Errno , $ Errstr , $ Errfile , $ Errline ){  2       //  Filter the actual path if it is not an administrator  3       If (! Admin ){  4           $ Errfile = Str_replace ( Getcwd (),"", $ Errfile  );  5           $ Errstr = Str_replace ( Getcwd (),"", $ Errstr  );  6   }  7       Switch ( $ Errno  ){  8           Case   E_error : 9               Echo "Error: [ID $ Errno ]$ Errstr (Line: $ Errline Of $ Errfile )/N" ;  10               Echo " Program The Operation has stopped. Contact the administrator. " ;  11               //  Exit the script when an error occurs.  12               Exit  ;  13               Break ;  14           Case   E_warning : 15               Echo "Warning: [ID $ Errno ] $ Errstr (Line: $ Errline Of $ Errfile )/N" ;  16               Break  ;  17          Default : 18               //  Notice-level error not displayed  19               Break  ;  20   }  21 }

// Set error handling to the my_error_handler Function
Set_error_handler ("my_error_handler ");
...
In this way, the conflict between security and debugging convenience can be well solved. In addition, you can also make some effort to make the error prompt more beautiful to match the website style. However, note the following two points:
(1) e_error, e_parse, e_core_error, e_core_warning, e_compile_error, and e_compile_warning will not be processed by this handle, that is, they will be displayed in the most primitive way. However, these errors are caused by compilation or PHP Kernel errors, which usually do not occur.
(2) When set_error_handler () is used, error_reporting () becomes invalid. That is, all the errors (except the preceding errors) will be handled by the custom function.
For other information about set_error_handler (), refer to the official PHP manual.

The following is an example of a practical application:

 1 <? PHP  2   //  Define a function first, or define it in other files, and call it with require ().  3   Function Myerrorhandler ( $ Errno ,$ Errstr , $ Errfile , $ Errline  ){  4       //  For the sake of security, the actual physical path is not exposed. The following two rows filter the actual path.  5       $ Errfile = Str_replace ( Getcwd (),"", $ Errfile  );  6       $ Errstr =Str_replace ( Getcwd (),"", $ Errstr  );  7   8       Switch ( $ Errno  ){  9           Case   E_user_error : 10               Echo "<B> my error </B> [ $ Errno ]$ Errstr <Br/> \ n" ;  11               Echo "Fatal error on line $ Errline In File $ Errfile " ;  12               Echo ", PHP ". Php_version ."(". Php_ OS . ") <Br/> \ n" ;  13               Echo "Aborting... <br/> \ n" ;  14               Exit (1 );  15               Break  ;  16           Case   E_user_warning : 17               Echo "<B> my warning </B> [ $ Errno ] $ Errstr <Br/> \ n" ; 18               Break  ;  19           Case   E_user_notice : 20               Echo "<B> my notice </B> [ $ Errno ] $ Errstr <Br/> \ n" ;  21               Break  ;  22           Default : 23               Echo "Unknown error type :[ $ Errno ] $ Errstr <Br/> \ n" ;  24               Break  ;  25   }  26       /*  Don't execute PHP internal error handler  */  27      Return   True  ;  28   }  29   30   //  Next, we start to connect to the MySQL server. We deliberately set the MySQL port to 3333, which is actually 3306.  31   $ Link_id = @ Mysql_pconnect ("Localhost: 3333", "root", "password" );  32   Set_error_handler (Myerrorhandler );  33   If (! $ Link_id  ){  34       Trigger_error ("Error ", E_user_error  );  35 }

 Restore_error_handler ()

Used to reset set_error_handler (), that is, to cancel the set_error_handler () registration method.