In the last instalment of our PHP Security series, taken from chapter 5 from our PHP Security training course by Doug Bierer, we’ll focus on how you can protect your PHP-based website against one specific vulnerability: unplanned information disclosure.
To start off, Doug talks about a php.ini setting: display_errors. This setting should be on for development and off for production. In order to address notices and warning, make sure you initialize all variables before you use them. Another possibility is to use the if statement, or the ternary operator, to check and see if values are set before attempting to use them. You can also use set_error_handler and develop your own error handling process.
Another way to protect against unplanned information disclosure is to make sure your errors are logged, which is especially important in a production environment, so that you have some way of finding out exactly which errors occur. It’s important to set the error reporting to the highest possible level. One technique to do this is simply to use the -1 setting, which sets all error flags on.
When using object-orienting programming, you have the option of being able to trap exceptions rather than trying to handle errors. For this purpose, you would use the PHP exception class or a custom exception class. You could use try and catch blocks to try and trap exceptions. In a development environment you should use the set the error mode to exception or warning. In a production environment, it’s best to use the silent mode. The silent mode will not report the error, whereas exception mode will generate the error. In order to make this effective you need to wrap the code inside the try block, and the catch block would specify what’s going to happen if an exception is thrown. You can have as many exception blocks as you want.
Check out the videos below to see Doug run through examples of ways to protect against unplanned information disclosure. To learn more about PHP Security, check out the entire course on our website.