信息太多,PHP 出错?
当 MySQLi 不可用时,我正在为 mysql_ 函数制作一个自定义包装器,当它无法连接时,它会抛出异常。然而,致命错误输出是这样的:
致命错误:未捕获异常“异常”,消息为“失败” 连接到数据库。位于 C:\Program Files (x86)\Apache Software Foundation\Apache2.2\htdocs\MiniTicket\database.php:16
堆栈跟踪:
#0C:\Program Files (x86)\Apache Software Foundation\Apache2.2\htdocs\MiniTicket\database.php(49):MySQL->__construct('localhost', 'miniticket', 'mtu:r!Nj@~qR6f9...')
#1C:\Program Files (x86)\Apache Software Foundation\Apache2.2\htdocs\MiniTicket\index.php(3):require_once('C:\Program File...')
#2 {main} 抛出到 C:\Program 中 文件 (x86)\Apache 软件 Foundation\Apache2.2\htdocs\MiniTicket\database.php 线上 16
正如你所看到的,我的数据库密码清晰地显示给大家看到。不好。我不想关闭这些消息,尤其是在开发过程中,但我也不希望显示敏感信息。使用 set_error_handler 也不是一个很好的解决方案,因为我必须解析所有内容,这很容易出错。
那么...有没有一种简单的方法可以禁用错误消息中函数中参数的显示,最好是通过 PHP 而不是在某些配置文件中?
编辑:禁用除文件名之外的文件路径也是一个好处。
I'm making a custom wrapper for the mysql_ functions when MySQLi, e.g. isn't available, and when it can't connect, it throws an exception. However, the fatal error output is this:
Fatal error: Uncaught exception 'Exception' with message 'Failed to
connect to database.' inC:\Program Files (x86)\Apache Software:16
Foundation\Apache2.2\htdocs\MiniTicket\database.phpStack trace:
#0
C:\Program Files (x86)\Apache Software(49):
Foundation\Apache2.2\htdocs\MiniTicket\database.phpMySQL->__construct('localhost', 'miniticket', 'mtu:r!Nj@~qR6f9...')
#1C:\Program Files (x86)\Apache Software(3):
Foundation\Apache2.2\htdocs\MiniTicket\index.phprequire_once('C:\Program File...')
#2 {main} thrown in C:\Program
Files (x86)\Apache Software
Foundation\Apache2.2\htdocs\MiniTicket\database.php on line 16
As you can see, my database password is clearly displayed for everyone to see. Not good. I don't want to turn these messages off, especially in development, but I don't want sensitive information displayed either. Using set_error_handler is also not a great solution, because I have to parse everything, and that's prone to error.
So... is there an easy way to disable the display of the parameters in a function inside an error message, preferably through PHP and not in some configuration file?
Edit: Disabling the filepath except for the filename would be a bonus, too.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您应该将生产和开发之间的错误处理分开,其中开发显示错误信息,生产显示友好的错误消息,但不输出 PHP 所做的任何内容。将输出记录到文件中。
You should separate your error handling between production and development where development displays the error information and production shows a friendly error message but does not output anything PHP does. Log the output to file instead.
编辑 php.ini 并设置
如果您无权访问 php.ini,则需要在脚本顶部添加:
请参阅 http://php.net/manual/en/errorfunc.configuration.php 和 http://php.net/manual/en/function.error-reporting.php
这将阻止所有错误输出到浏览器,并且可能应该只在您的生产系统上完成。确保您仍在记录错误(通过 php.ini 设置)。
我不确定为什么这不是默认配置,以便在生产环境中不会发生这种情况。
不过,不要将此视为软件问题的解决方案,这只是为了阻止敏感数据向公众显示。
请注意,您可能需要重新启动 Apache 才能使 php.ini 更改生效。
Edit your php.ini and set
If you don't have access to php.ini then at the top of your script(s) you need to add:
See http://php.net/manual/en/errorfunc.configuration.php and http://php.net/manual/en/function.error-reporting.php
This will stop all errors from being outputted to the browser, and should probably only be done on your production system. Make sure you are still logging errors (via php.ini setting).
I'm not sure why this isn't the default configuration so that this situation doesn't happen in production environments.
Don't treat this as a solution to your software problem though, this is just meant to stop sensitive data from being displayed to the public.
Note that you may need to restart Apache for the php.ini changes to take effect.