[eluser]jules123[/eluser]
Hello,
I read some posts which recommend turning off error reporting and db debug options for a production site. So the following -
Code:
error_reporting(0);
ini_set('display_errors', 0);
config/database.php - db_debug=FALSE
If I understand this correctly, with this, the users will not see the error, but may not have a clue that something went wrong. This seemed a bit restrictive, so I tried the following. I would like to have your comments on whether this seems ok or whether it will pose any security problems on a production site.
Code:
1. error_reporting(E_ERROR | E_WARNING); // note I haven't included E_PARSE
2. ini_set('display_errors', 1);
3. config/database.php - db_debug=TRUE
4. Added a parameter in a configuration file that identifies whether a site is production or not.
5. Modified the following views from application/errors folder that check if the site is production and if so, hide the detailed messages. So for a production site -
- error_404 - shows a line such as "The page you requested could not be located".
- error_general - shows the general message
- error_db - shows a line such as "A database error occured". Does NOT display the actual db error.
- error_php - shows only a line such as "A script error occured". Does NOT display severity, message, filename, line number etc.
All views show the standard site header/footer, the time of the error and ask the users to contact the sysadmin with the error.
6. I also plan to have config/config.php - $config['log_threshold'] = 2; so all errors and details will be logged.
Comments/suggestions appreciated!
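
An added example, not part of the original post and not CodeIgniter's own code: plain PHP (7+ assumed) showing the trade-off the post asks about, where full error detail goes to the log under a random reference and production visitors see only a fixed message, the time and that reference. `SITE_IS_PRODUCTION`, `public_error_page` and `handle_failure` are hypothetical names, and the log destination is whatever the server's `error_log` setting already points to.

```php
<?php
define('SITE_IS_PRODUCTION', true);   // hypothetical per-site switch (step 4 of the post)

error_reporting(E_ALL);               // report everything so it can be logged
ini_set('display_errors', SITE_IS_PRODUCTION ? '0' : '1'); // no raw PHP output in production
ini_set('log_errors', '1');           // detail goes to the configured error_log

// Page shown to visitors: fixed wording, time and reference only.
function public_error_page(string $ref): string
{
    $safeRef = htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
    return "<h1>A script error occurred</h1>\n"
         . '<p>Time: ' . gmdate('Y-m-d H:i:s') . " UTC</p>\n"
         . "<p>Please contact the sysadmin and quote reference {$safeRef}.</p>\n";
}

// Log the detail under a random reference, then render for the current environment.
function handle_failure(string $kind, string $message, string $file, int $line): void
{
    $ref = bin2hex(random_bytes(6));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, $kind, $message, $file, $line));
    if (SITE_IS_PRODUCTION) {
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo public_error_page($ref);
    } else {
        echo '<pre>' . htmlspecialchars("[$ref] $kind: $message in $file:$line") . '</pre>';
    }
}

set_exception_handler(function (Throwable $e): void {
    handle_failure(get_class($e), $e->getMessage(), $e->getFile(), $e->getLine());
});

// Turn warnings and notices into exceptions so they take the same path.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false;                 // respect the active reporting level
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Fatal errors bypass both handlers above; catch them at shutdown.
register_shutdown_function(function (): void {
    $e = error_get_last();
    if ($e !== null && ($e['type'] & (E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR))) {
        handle_failure('Fatal', $e['message'], $e['file'], $e['line']);
    }
});
```

The reference printed on the page is the same string written at the start of the log line, so a report from a user can be matched to the logged severity, message, file and line without any of those being shown in the browser.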