Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHP Error Handling & Reporting. Error Handling Never allow a default error message or error number returned by the mysql_error() and mysql_errno() functions.

Published byDale Paul Modified over 8 years ago

Similar presentations

Presentation on theme: "PHP Error Handling & Reporting. Error Handling Never allow a default error message or error number returned by the mysql_error() and mysql_errno() functions."— Presentation transcript:

1 PHP Error Handling & Reporting

2 Error Handling Never allow a default error message or error number returned by the mysql_error() and mysql_errno() functions to be displayed to the public. Any error messages viewable by the public should be customised (confidential information stripped out) and made to look more user-friendly Information returned by mysql_error() and mysql_errno() functions may expose vulnerabilities of the server, providing a means of attacking it. In a production environment, scripts should be written to display a user friendly custom error message not revealing information about the PHP scripting engine or the MySQL database. A script can be included to write the error code and error message to a log file in a secure area (not in the public accessible folders)

3 Default error messages In this example an attempt is made to divide by 0 (impossible), and an error message appears when the script is parsed The error message exposes the location of the file in the server’s directory structure to visitors or potentially any hackers.

4 set_error_handler() function A customised error function creates a less intrusive error message and hides confidential information from potential hackers. The set_error_handler function is used to customise how error reporting occurs Screen output:

5 Error Reporting Level Setting the error reporting level to 0 switches error reporting off. In this example, dividing 3 by 0 is impossible and would normally throw an error. In this case the error reporting level is set to 0 so the error is not exposed The calculation does not take place.

6 What to do with error information? Save the error to a database or to a local text file Redirect the user to another page Provide a user-friendly customised error message to avoid putting people off the website Store the date/time of the error Write a script to email errors to the web master Best Practices? Always avoid errors being displayed in the live environment (public) If errors occur in the script when run, make sure the errors are logged somewhere secure. Best practice is to avoid errors occurring in the first place

7 Form Validation Validate user input – this reduces the risk of being hacked. PHP scripts used to validate user input are server –side and more secure than JavaScript form validation scripts JavaScript can be turned off in the browser by the user, rendering JavaScript ineffective.

8 htmlspecialchars() The htmlspecialchars() function converts special characters to HTML entities. This means that it will replace HTML characters like with < and >. This prevents attackers from exploiting the code by injecting HTML or Javascript code (Cross-site Scripting attacks) in forms ">

9 File uploads To prevent the user uploading a file such as an executable or a file that could be a security risk, add an IF statement to validate user input. For example, restrict the user to uploading only GIF or JPG files. To use or, use the || characters.

10 Error Control Operator @ Place in front of the variable name to tell server to ignor error if it occurs. E.g. if user user has not inputted their name on a form, the variable $name will not exist, so the @ symbol ignors this.

11 .htaccess Use.htaccess to restrict folder access Username: alansebrill Password:journey Encrypted algorithm: alansebrill:$apr1$9.m5dEw/$CkD0Nwueiiv0JpmYbXlTr0

Download ppt "PHP Error Handling & Reporting. Error Handling Never allow a default error message or error number returned by the mysql_error() and mysql_errno() functions."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Multiple Tiers in Action

Multiple Tiers in Action
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
PHP Security.

PHP Security.
Advance web Programming Chapter 3: MySQL Date: 28 April 2014 Advance web Programming Chapter 3: MySQL Date: 28 April 2014 Dr. Mogeeb A. A. Mosleh E-mail.

Advance web Programming Chapter 3: MySQL Date: 28 April 2014 Advance web Programming Chapter 3: MySQL Date: 28 April 2014 Dr. Mogeeb A. A. Mosleh .
Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.

Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.
Lecture Note 3: ASP Syntax.  ASP Syntax  ASP Syntax ASP Code is Browser-Independent. You cannot view the ASP source code by selecting View source

Lecture Note 3: ASP Syntax.  ASP Syntax  ASP Syntax ASP Code is Browser-Independent. You cannot view the ASP source code by selecting "View source"
WaveMaker Visual AJAX Studio 4.0 Training Troubleshooting.

WaveMaker Visual AJAX Studio 4.0 Training Troubleshooting.
CSC 2720 Building Web Applications

CSC 2720 Building Web Applications
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
SIMPLE ROUTER The slide made by Salim Malakouti. Next we will create the Router  What do I we mean by a router?  Routers work similar to a map. It receives.

SIMPLE ROUTER The slide made by Salim Malakouti. Next we will create the Router  What do I we mean by a router?  Routers work similar to a map. It receives.

Similar presentations

Ads by Google