php.ini query
2 posts by 2 authors in: Forums > CMS Builder
Last Post: September 15 (RSS)
By mark99 - September 15
I've noticed that recent releases have come with a couple of php.ini settings enabled by default:
display_startup_errors = On
display_errors = On
I'm just wondering why, since it's usually good security practice not to show errors, so shouldn't these two be disabled by default?
By Dave - September 15
Hi Mark,
Thanks for sharing that concern. It's very true that security-wise, you want to be mindful of errors shown.
We've hard-coding those settings in the /cmsb/php.ini so the CMS can capture, log and filter errors. You can control what users see via Admin > Security.
Essentially, we're controlling errors displayed from the CMS and not PHP itself, so that you have complete control even if the host changes a php.ini setting that you can't otherwise modify.
I'll add a comment above those settings for the next release as well to explain why they're hard-coded on.
For the current maximum security setting you can select: Admin > Security > Hide Errors. Errors will then display as "An unexpected error occurred #1234" which references the logged error number from the Developer Log.
Hope that helps. Let me know if you have any other questions.
interactivetools.com