In which a system administrator is an idiot

Ξ March 10th, 2008 | → | ∇ code |

I recently did some freelance work for a friend of mine. It was extremely basic, just adding some includes so he didn’t have to manage a hundred different navigations for each page he had made. Well, I did it fast and I skipped some basic checking in my script. My code would work unless you had the error logging turned up all the way, which is fairly excessive. The other way it would fail is if you had display_errors set, which is the default PHP configuration. No one with any ounce of experience or common sense would let display_errors be set for a production server. This gives out sensitive information about the environment of the server. Here is what the PHP Security Consortium has to say about display_errors:

“The display_errors directive determines whether error messages should be sent to the browser. These messages frequently contain sensitive information about your web application environment, and should never be presented to untrusted sources.

Unless you are in a closed development state, display_errors should be disabled, and all error messages should be passed to system log files using the log_errors directive.”

So I fixed my code to be able to run in a very strict error checking environment, to such a point that it’s excessive. It checks to see if a variable exists immediately after I’ve set it. This is sort of my passive aggressive way of telling the syadmin who had a problem with my code to take a long walk off a short beach. The icing on my cake is that I check at the very beginning of the first include to see if display_errors is on. If it’s on and isn’t set to log errors to a file, I disable it. Then I check to see if the supeglobal $_SERVER is set. I’m not even sure if it’s possible to NOT have it set. But just for good measure, if by some miracle it isn’t set, and I can’t figure out the name of the script that’s running, I exit which causes a white screen to display.

// Note: You’re strongly advised to use error logging in place of error displaying on production web sites.
if(ini_get(’display_errors’) && ini_get(’display_errors’) == ‘1′) error_reporting(0);
if(!isset($_SERVER) && !isset($_SERVER[’SCRIPT_FILENAME’])) exit;

He also calls this production server, “the dedicated box” even though it runs many virtual hosted sites.

Original post by Maker


Leave a reply

  • Rumours and Lies