Better PHP Applications
Developing better applications requires practice and study, but there are little things you can do while you develop your applications that will help.
One thing I think is very important, and that all great PHP developers do, is developing your application with error_reporting(E_ALL);
You simply place these lines at the top of your PHP source files (or at the top of your common include file; hopefully you have one):
ini_set('display_errors', 1); /* Output all errors as opposed to logging them */
error_reporting(E_ALL); /* Show all errors */
This asks PHP to show you all errors (almost all; more on this later), including warnings and notices. (PHP is most likely already set to show you parser and fatal errors.)
Warnings are very important to address: they are run-time errors, but PHP does not halt the execution of the script.
Notices are most likely logical errors (in my experience). If you develop with error_reporting set to E_ALL, you will see that PHP was telling you all along where the problems that took you 5 hours to find were.
Here is how to produce a notice and how it can help you with some problems.
Suppose you have this self submitting form:
<?php
error_reporting(0);
if (!isset($_POST['name'])) : /* Form not submitted yet: show it */
?>
<form action="" method="post">
Enter your name: <input type="text" name="name" /><br />
<input type="submit" />
</form>
<?php
else: /* This is the alternate PHP syntax */
    echo 'Hello and welcome ' . htmlentities($_POST['name1'], ENT_QUOTES);
endif; /* This syntax will make your templates more readable */
?>
This won’t work. You might have spotted the issue already; if you didn’t, running it will show you that it doesn’t work.
It turns error reporting off completely on line 2, and this is where the problem is (well, not the problem itself), because if you change line 2 to:
echo 'Hello and welcome ' .htmlentities(@$_POST['name'], ENT_QUOTES);
@ tells PHP that you already know what’s going on, so it won’t show the notice.
After you are done developing your application and are ready to launch it, you replace error_reporting(E_ALL); with error_reporting(0); to turn this off so that PHP won’t show anything at all.
Better yet I suggest to do something like this:
ini_set("display_errors", 0);
ini_set("log_errors", 1);
ini_set("error_log", "path/to/php.log");
error_reporting(E_ALL);
This sets PHP to log errors rather than display them to the user, and I suggest that you check that error log every once in a while.
This way, if your application crashes or your users report strange things, you will be able to check your log and possibly find some notices.
Also, one of the reasons you don’t want users to see PHP errors is that PHP shows the error together with the path to the file in which the error occurred and some information about the error.
This could help malicious users identify your application’s file and folder structure and give them some clues on how they can exploit your application.
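To tie these points together, here is an added example (not code from the original post) of what the top of a common include file could look like: everything is logged, errors are displayed only in development, and an uncaught exception gives the visitor a reference id instead of a file path. The APP_ENV environment variable and the reference-id format are assumptions made for this example.

```php
<?php
// Added example. APP_ENV is a hypothetical environment variable; any value
// other than "development" is treated as production.
$isDev = getenv('APP_ENV') === 'development';

error_reporting(E_ALL);                         // always collect everything
ini_set('display_errors', $isDev ? '1' : '0');  // show errors only while developing
ini_set('log_errors', '1');
ini_set('error_log', 'path/to/php.log');        // same placeholder path as above

if ($isDev) {
    // While developing, turn warnings and notices into exceptions so a typo
    // such as $_POST['name1'] stops the page instead of scrolling past.
    set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
        if (!(error_reporting() & $severity)) {
            return false;   // suppressed with @ or masked out: leave it to PHP
        }
        throw new ErrorException($message, 0, $severity, $file, $line);
    });
}

// Last line of defence for anything uncaught: full detail goes to the log,
// the visitor never sees a file path or stack trace in production.
set_exception_handler(function (Throwable $e) use ($isDev): void {
    $ref = bin2hex(random_bytes(4));   // lets a user report be matched to a log line
    error_log(sprintf(
        '[%s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo $isDev
        ? '<pre>' . htmlentities((string) $e, ENT_QUOTES) . '</pre>'
        : 'Something went wrong. Reference: ' . $ref;
});
```

When a user reports a strange page, searching the log for the reference they were shown leads straight to the matching entry.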
Happy Coding

