For PHP security, error reporting is a double-edged sword: it can improve security, and it can undermine it.
A standard attack tactic is to profile a system by feeding it improper data and examining the kind and context of the errors that come back. This lets an attacker gather information about the server and probe for weaknesses. For example, an attacker who has learned which fields a page expects from an earlier form submission may try to override or modify those variables:
Example #1 Attacking variables with a custom HTML page

<form method="post" action="attacktarget?username=badfoo&amp;password=badfoo">
    <input type="hidden" name="username" value="badfoo" />
    <input type="hidden" name="password" value="badfoo" />
</form>
The error messages PHP normally returns are very useful to a developer debugging a script: they name the function that failed, the file it failed in and the line number where the failure occurred. All of that is information an attacker can exploit. It is common for PHP developers to use show_source(), highlight_string() or highlight_file() as debugging aids, but on a live site these functions can expose hidden variables, unchecked syntax and other details that compromise the security of the system. Especially dangerous is running code with built-in debugging handlers, or relying on common debugging techniques. If an attacker can determine which general technique the program uses, they will try to brute-force the page by sending the usual debugging parameters in the hope of switching debug output on:
Example #2 Exploiting common debugging variables

<form method="post" action="attacktarget?errors=Y&amp;showerrors=1&amp;debug=1">
    <input type="hidden" name="errors" value="Y" />
    <input type="hidden" name="showerrors" value="1" />
    <input type="hidden" name="debug" value="1" />
</form>
Whatever error-handling mechanism is in place, the ability to probe a system for errors gives an attacker more information.
For example, the very style of a generic PHP error message reveals that the system runs PHP. If an attacker is looking at a .html page and wants to identify the back end (in order to look for known weaknesses in it), feeding the page bad data may be enough to establish that it is built with PHP.
A function error can reveal which database engine the system uses, or give clues about how a page was programmed or designed. That allows a deeper investigation of open database ports, or of specific bugs and weaknesses in the page. By submitting different pieces of bad data, an attacker can, for instance, work out the order of the authentication checks in a script (from the line numbers in the error messages) and probe for flaws in other parts of the script.
A filesystem or general PHP error can reveal what permissions the web server runs with, and how files are organized on the server. Developer-written error handling can make this worse, leaking information that would otherwise have stayed hidden.
There are three common approaches to this problem. The first is to scrutinize every function and compensate for the bulk of the possible errors. The second is to disable error reporting entirely on the production system. The third is to build your own error handler with PHP's custom error-handling functions (set_error_handler()). Depending on your security policy, any or all three may apply.
One way to catch this problem ahead of time is to use error_reporting() itself to harden the code and find dangerous variable usage. Testing the code with E_ALL before release quickly shows where variables are used before they are initialized or checked, and so may be open to poisoning. Once you are ready to deploy, either disable error reporting completely by calling error_reporting(0), or set display_errors to off in php.ini so that errors are no longer shown to visitors and the code is insulated from probing. If you choose the latter, also turn on log_errors in php.ini and set error_log to the file the messages should be written to, so that the errors are still recorded for you.
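The following is an added example, not code from the PHP manual, that wires together the settings above (error_reporting(), display_errors, log_errors, error_log) with a custom handler, the third approach listed. Full detail goes to the log; the client only ever sees a generic message. The APP_ENV constant and the log path are assumptions for the sake of the example.

```php
<?php
// Added example (not from the PHP manual): dev/production error-reporting
// setup plus a custom error handler that logs detail and hides it from
// the browser. APP_ENV and the log path are assumptions.
declare(strict_types=1);

const APP_ENV = 'production'; // assumption: 'development' on a test box

// Report everything in both modes so unchecked variables never go unnoticed;
// what differs is *where* the report goes.
error_reporting(E_ALL);

if (APP_ENV === 'development') {
    ini_set('display_errors', '1');
} else {
    ini_set('display_errors', '0');                       // nothing to the client
    ini_set('log_errors', '1');                           // ... but do log it
    ini_set('error_log', '/var/log/php/app-error.log');   // assumed path, outside the web root
}

// Custom handler. Note that E_ERROR, E_PARSE, E_CORE_* and E_COMPILE_* never
// reach a user handler; display_errors=0 in php.ini is what hides those.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // suppressed by @ or by the current reporting level
    }

    // Everything an attacker would want (file, line, message) goes to the log only.
    error_log(sprintf('[%d] %s in %s on line %d', $errno, $errstr, $errfile, $errline));

    if (APP_ENV === 'development') {
        return false; // fall through to PHP's normal on-screen display
    }

    if (in_array($errno, [E_USER_ERROR, E_RECOVERABLE_ERROR], true)) {
        http_response_code(500);
        echo 'An internal error occurred.'; // generic: no path, line or engine name
        exit(1);
    }

    return true; // handled: PHP prints nothing
});

// Uncaught exceptions would otherwise print a stack trace with file paths.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});
```

ini_set() only takes effect once this file is running, so a parse error in the same file, or a fatal error raised during compilation, is still governed by the php.ini values. On a production host set display_errors = Off, log_errors = On and error_log in php.ini itself and treat the ini_set() calls as a belt-and-braces measure.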
Example #3 Finding dangerous variables with E_ALL

<?php
if ($username) {  // not initialized or checked before usage
    $good_login = 1;
}
if ($good_login == 1) {  // if the test above fails, not initialized or checked before usage
    readfile("/highly/sensitive/data/index.html");
}
?>
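Run under E_ALL with a request that does not set $username, Example #3 reports the read of an undefined variable on both lines (a Warning "Undefined variable $username" on PHP 8, a Notice on PHP 7); that is the signal the text is asking you to look for. The block below is an added rewrite, not part of the PHP manual, that stays silent under E_ALL because every variable is initialized before it is read and the request input is taken explicitly from $_POST. The credentials_are_valid() function and its in-memory user table are assumed placeholders for a real lookup.

```php
<?php
// Added example (not from the PHP manual): Example #3 rewritten so that it
// produces no notices or warnings under E_ALL. credentials_are_valid() and
// its user table are placeholders for a real authentication backend.
declare(strict_types=1);
error_reporting(E_ALL);

function credentials_are_valid(string $username, string $password): bool
{
    // Assumed placeholder: a real application would load a stored hash.
    $hashes = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    if (!isset($hashes[$username])) {
        return false;
    }
    return password_verify($password, $hashes[$username]);
}

// Initialize before use: no code path can reach the checks below with these unset.
$good_login = false;
$username   = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password   = isset($_POST['password']) ? (string) $_POST['password'] : '';

if ($username !== '' && credentials_are_valid($username, $password)) {
    $good_login = true;
}

// Strict comparison against a boolean we set ourselves, not a loose == 1
// against something the request might have been able to influence.
if ($good_login === true) {
    readfile('/highly/sensitive/data/index.html');
} else {
    http_response_code(403);
    echo 'Access denied.';
}
```

The point of the rewrite is not the password check itself but that E_ALL now has nothing to report: with every variable assigned before it is tested, an attacker who feeds the script bad data learns nothing about where the authentication decision is made.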