PhpSecInfo Test Information
display_errors
Test Description
This test checks to see if display_errors is enabled.
Security Implications
The display_errors directive determines whether error messages are sent to the browser. These messages frequently contain sensitive information about your web application environment and should never be shown to untrusted clients.
display_errors is on by default.
Recommendations
Unless you are working in a closed development environment, display_errors should be disabled, and all error messages should be written to the system log files instead by enabling the log_errors directive.
You can disable display_errors in the php.ini file:
; Disable display_errors for security reasons
display_errors = Off
log_errors = On
The setting can also be disabled in Apache's httpd.conf file, or in an .htaccess file:
# Disable display_errors for security reasons
php_flag display_errors off
php_flag log_errors on
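Because display_errors can be set in php.ini, in httpd.conf, in .htaccess or at runtime with ini_set(), the only reliable way to know the effective value is to ask the running interpreter. The following script is an added example in the spirit of the PhpSecInfo test, not PhpSecInfo's own code; the function names ini_flag_enabled() and check_display_errors() are ours, and the sample configurations at the bottom are constructed for illustration. It reads the effective values with ini_get(), classifies them the way PHP itself interprets boolean ini strings, and reports a pass, warn or notice result.

```php
<?php
// Added example: a runtime check for display_errors / log_errors.
// Not part of PhpSecInfo; helper names are our own.

/**
 * Decide whether a raw ini string means "enabled".
 * ini_get() returns the literal string from php.ini, .htaccess or ini_set(),
 * so this mirrors PHP's own rule for display_errors: the words on/yes/true
 * (and the stderr/stdout display targets) are on; anything else is read as
 * a number, so "1" is on while "0", "off", "" and "false" are off.
 */
function ini_flag_enabled(string $raw): bool
{
    $v = strtolower(trim($raw));
    if (in_array($v, ['on', 'yes', 'true', 'stderr', 'stdout'], true)) {
        return true;
    }
    return (int) $v > 0;
}

/**
 * Evaluate a display_errors / log_errors pair and return an array with
 * 'result' ("pass", "warn" or "notice") and a human-readable 'message'.
 * The values are passed in rather than read here so the logic can also be
 * run against sample configurations; the caller supplies ini_get() output.
 */
function check_display_errors(string $displayErrors, string $logErrors): array
{
    $display = ini_flag_enabled($displayErrors);
    $log     = ini_flag_enabled($logErrors);

    if ($display) {
        // The condition the PhpSecInfo test warns about: errors reach the client.
        return [
            'result'  => 'warn',
            'message' => "display_errors is enabled (value '{$displayErrors}'); error output "
                       . 'can reach untrusted clients. Set display_errors = Off and log_errors = On.',
        ];
    }
    if (!$log) {
        // Display is off, but nothing records the errors either.
        return [
            'result'  => 'notice',
            'message' => 'display_errors is off, but log_errors is also off: errors are neither '
                       . 'shown nor logged. Enable log_errors so failures remain visible to operators.',
        ];
    }
    return [
        'result'  => 'pass',
        'message' => 'display_errors is off and errors are written to the log.',
    ];
}

// Check the live interpreter's effective values (run with: php -f check.php).
$live = check_display_errors((string) ini_get('display_errors'), (string) ini_get('log_errors'));
printf("[%s] %s\n", strtoupper($live['result']), $live['message']);

// Constructed sample configurations showing how each case is classified.
$samples = [
    'development-style php.ini' => ['On', 'On'],      // warn
    'hardened production'       => ['Off', 'On'],     // pass
    'silent (nothing logged)'   => ['0', '0'],        // notice
    'CLI sending to stderr'     => ['stderr', 'On'],  // warn
];
foreach ($samples as $name => [$d, $l]) {
    $r = check_display_errors($d, $l);
    printf("%-26s -> %s\n", $name, $r['result']);
}
```

Run it through the same SAPI you want to audit: the CLI and the web server can load different php.ini files and different per-directory overrides, so a passing result from `php -f` on the command line does not prove the web-facing configuration is also off.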