PHP Security: Protecting Against Unplanned Information Disclosure


In the last instalment of our PHP Security series, taken from chapter 5 from our PHP Security training course by Doug Bierer, we’ll focus on how you can protect your PHP-based website against one specific vulnerability: unplanned information disclosure. 

To start off, Doug talks about a php.ini setting: display_errors. This setting should be on for development and off for production. In order to address notices and warning, make sure you initialize all variables before you use them. Another possibility is to use the if statement, or the ternary operator, to check and see if values are set before attempting to use them. You can also use set_error_handler and develop your own error handling process.

Another way to protect against unplanned information disclosure is to make sure your errors are logged, which is especially important in a production environment, so that you have some way of finding out exactly which errors occur. It’s important to set the error reporting to the highest possible level. One technique to do this is simply to use the -1 setting, which sets all error flags on.


Custom generated error messages that came from custom error handler

When using object-orienting programming, you have the option of being able to trap exceptions rather than trying to handle errors. For this purpose, you would use the PHP exception class or a custom exception class. You could use try and catch blocks to try and trap exceptions. In a development environment you should use the set the error mode to exception or warning. In a production environment, it’s best to use the silent mode. The silent mode will not report the error, whereas exception mode will generate the error. In order to make this effective you need to wrap the code inside the try block, and the catch block would specify what’s going to happen if an exception is thrown. You can have as many exception blocks as you want.

Finally, Doug says that it’s important to improve code efficiency, explaining that more efficient code will generate less error. Therefore, it is to your advantage to generate code that is as error free and efficient as possible. Aside from using the command shell, you have the option to use PHP_CodeSniffer, which is open source that tokenizes PHP and detects violations of a defined set of coding standards (also works on JavaScript and CSS). This is a free package and can be downloaded and unzipped or you can use Pear install PHP_CodeSniffer. Once you’ve installed this, you can run the command from the command shell.


Use the PHP_CodeSniffer


Check out the videos below to see Doug run through examples of ways to protect against unplanned information disclosure. To learn more about PHP Security, check out the entire course on our website.



Save $50 when you sign up for an annual Learning Library account Learn More