Php error report

PHP Security error reports are a double-edged sword for PHP Security. On the one hand, it can improve security and on the other hand, it is harmful.

The common method used to attack the system is to input incorrect data and view the error message type and context. This helps attackers collect server information to find vulnerabilities. For example, if an attacker knows the form information on a page, he will try to modify the variable:

Example #1 use custom HTML page attack variables

Generally, the error prompt returned by PHP can help the developer debug the program. it will indicate which functions or code of the file has an error and the number of lines in the file where the error occurs, these are the information that PHP can provide. Many PHP developers use the show_source (), highlight_string (), or highlight_file () functions to debug the code. However, on the official website, this method may expose hidden variables, unchecked syntaxes, and other information that may compromise system security. It is dangerous to run some programs with internal debugging processing, or use general debugging technology. If attackers determine which specific debugging technology the program uses, they will try to send variables to enable the debugging function:

Example #2 use variables to enable the mode function

Regardless of the error handling mechanism, the ability to detect system errors will provide more information to attackers.

For example, the unique error prompt style of PHP indicates that the system is running PHP. If attackers are looking for. html is a page. if you want to know the background technology (in order to find system vulnerabilities), they will submit the wrong data, and then they will know that the system is based on PHP.

A function error may expose the database being used by the system, or provide attackers with useful information about webpages, programs, or designs. Attackers often find open database ports and some bugs or vulnerabilities on the pages. For example, attackers can make program errors with some abnormal data to detect the authentication sequence in the script (the row number indicated by the error message) and other information that may be leaked in the script.

A file system or PHP error exposes the permissions of the web server and the organizational structure of the file on the server. The error code written by the developer will aggravate this problem and cause the original hidden information to be leaked.

There are three common solutions to these problems. The first is to thoroughly check all functions and try to make up for most errors. The second is to completely disable error reports for online systems. The third is to use the PHP custom error handling function to create its own error handling mechanism. Based on different security policies, all three methods may apply.

One way to prevent this problem in advance is to use error_reporting () to help make the code safer and find the danger of using variables. Open the E_ALL test code before releasing the program, so that you can quickly find out where the variable is used improperly. Once you prepare for official release, set error_reporting () to 0 to close the error report completely or set php. set display_errors in ini to off to disable all error display to isolate code from detection. Of course, if you want to do this later, do not forget to open the log_errors option in the ini file, and specify the file used to record error information through error_log.

Example #3 use E_ALL to find dangerous variables