PHP notifications and warnings
I have looked far and wide but could not find anything related to this particular situation, I am a backend developer and always write (something similar):
if (!defined("something")) define("something", true);
instead
define("something"; true);
The second snippet will trigger a notification if the file is included more than once. A similar situation with array indices:
$data = array();
echo $data["does not exist"];
triggers a notification, so my preferred way is:
$data = array();
if (isset($data["does not exist"]) echo $data["does not exist"];
else echo "Missing info";
PHP has the ability to suppress these messages, but I keep them enabled because I consider these checks to be good practice, but I am lacking evidence that they are needed and recently a colleague argued that there is no effect in coding without checks.
Are you aware of any security values ββwhen writing checks? or am I possibly paranoid and disabling notifications is acceptable?
PS: Not sure if this question is more appropriate for StackOverflow, but feel free to let me know and I'll try to move it.
source to share
Avoiding notifications is good practice.
You should probably learn a little about defensive programming and follow the Right Path .
Hiding errors and notifications during development can cause serious problems in the future. Typically, notifications tell you about bad programming style or subtle bugs, resulting in complex bugs, unreachable code, and security vulnerabilities.
Good code never generates notifications and errors, as it keeps track of when they might occur.
source to share
Turning off notifications during development is not allowed because it indicates problems with your code. Ideally, your code should work with the E_ALL and E_STRICT error message levels and not report any errors. The exact data depends on the PHP version, the documentation can be found here .
I don't think either option is more or less secure than the other, unless there is another security issue it can mask in some way. I think any form is bad practice.
When a site is in production, it is only important to log errors and disable ini.display_errors . Reducing error reporting in production can be useful if you cannot handle code that produces large numbers of specific errors, but that code should be fixed.
I really think the code should avoid generating notifications, it might be a "lesser" problem, but it's still a problem to be taken care of during development.
The correct way to avoid these errors is to simply avoid including files more than once. (See include_once () or require_once () ) If you are using a framework it probably includes the processing method it includes for you. Consult the relevant documentation and make sure you use their implementation to include the files.
source to share
There are many ways to handle errors and exceptions in the system. I've worked with a lot of frameworks and find that they don't rely on the display_errors and ini_config flags.
PHP has the ability to handle errors and exceptions thrown by code using set_exception_handler and set_error_handler . Therefore, if you want to hide errors, you can turn off display_errors, but you must put above two functions to log errors.
Defensive programming is very useful if you want to sit back and relax after loading work on the production side.
source to share