php.ini query
I've noticed that recent releases have come with a couple of php.ini settings enabled by default:
display_startup_errors = On
display_errors = On
I'm just wondering why, since it's usually good security practice not to show errors, so shouldn't these two be disabled by default?
By Dave - Yesterday at 8:26pm
Hi Mark,
Thanks for sharing that concern. It's very true that security-wise, you want to be mindful of errors shown.
We've hard-coded those settings in the /cmsb/php.ini so the CMS can capture, log and filter errors. You can control what users see via Admin > Security.
Essentially, we're controlling errors displayed from the CMS and not PHP itself, so that you have complete control even if the host changes a php.ini setting that you can't otherwise modify.
I'll add a comment above those settings for the next release as well to explain why they're hard-coded on.
For the current maximum security setting you can select: Admin > Security > Hide Errors. Errors will then display as "An unexpected error occurred #1234" which references the logged error number from the Developer Log.
Hope that helps. Let me know if you have any other questions.
interactivetools.com
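
The pattern the reply describes (the application captures, logs and filters errors, and the visitor sees only a reference number), as an added sketch that is not CMS Builder's own code. The log path, the function names and the $hideErrors switch are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not CMS Builder code; every name here is hypothetical.
const LOG_FILE = '/tmp/developer_log.jsonl'; // assumed path; keep it outside the web root
$hideErrors = true; // assumed stand-in for a "Hide Errors" style admin switch

// Write full detail to the log and return the entry's reference number.
function logDetail(string $type, string $msg, string $file, int $line): int
{
    $fh = fopen(LOG_FILE, 'c+');
    if ($fh === false) { error_log("$type: $msg in $file:$line"); return 0; }
    flock($fh, LOCK_EX);                          // serialise concurrent requests
    for ($num = 1; fgets($fh) !== false; $num++); // number = existing lines + 1
    fseek($fh, 0, SEEK_END);
    fwrite($fh, json_encode(compact('num', 'type', 'msg', 'file', 'line')) . "\n");
    flock($fh, LOCK_UN);
    fclose($fh);
    return $num;
}

// Decide what the visitor sees: reference number only, or escaped detail.
function showError(int $num, string $msg): void
{
    global $hideErrors;
    if (!headers_sent()) { http_response_code(500); }
    echo $hideErrors
        ? "An unexpected error occurred #$num\n"
        : htmlspecialchars("Error #$num: $msg", ENT_QUOTES, 'UTF-8') . "\n";
}

ob_start(); // buffer output so PHP's own fatal-error text can be discarded below

set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    if (!(error_reporting() & $no)) { return false; } // honour error_reporting / @
    showError(logDetail("errno $no", $msg, $file, $line), $msg);
    return true; // handled here, so PHP's built-in display is skipped
});

set_exception_handler(function (Throwable $e): void {
    showError(logDetail(get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()), $e->getMessage());
});

// Fatal errors never reach set_error_handler; pick them up at shutdown.
register_shutdown_function(function (): void {
    $e = error_get_last();
    if ($e && ($e['type'] & (E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR))) {
        while (ob_get_level() > 0) { ob_end_clean(); } // drop raw PHP error output
        showError(logDetail('fatal', $e['message'], $e['file'], $e['line']), $e['message']);
    }
});

echo $undefinedVariable; // constructed trigger: raises a warning in PHP 8
```

With $hideErrors set to true the visitor sees only the reference number, while the file path, line and message go to the log entry with the same number.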