How to perform error handling in PHP

From Web Services Wiki

Jump to: navigation, search

Contents

Problem

You want to customize PHP's default error handling mechanism to improve your application's security, appearance, and debugging capabilities.

Solution

Configure error reporting settings

It is important to configure PHP's error reporting settings depending on which phase of development the web application is currently in. Generally, the programmer wants to see all warnings and errors in the web browser during the initial phase of development, and later, once the site has launched, send error messages to a log file so that visitors do not see them.

Error Reporting for Development

During development, you want to display all errors and warnings to the browser.

// Report all PHP errors
ini_set('error_reporting', E_ALL);
 
// Set the display_errors directive to On
ini_set('display_errors', 1);

Error Reporting for Production

In production, you may want to lower the error reporting level and not display errors to the browser.

// Report simple running errors
ini_set('error_reporting', E_ALL ^ E_NOTICE);
 
// Set the display_errors directive to Off
ini_set('display_errors', 0);
 
// Log errors to the web server's error log
ini_set('log_errors', 1);

Logging errors

You can use the PHP function error_log() to send errors to your own log file or an e-mail address. This is particularly important since most developers on campus do not have access to the web servers logs. Used in conjunction with a custom error handler, error_log() is especially useful.

// Destinations
define("ADMIN_EMAIL", "nobody@stanford.edu");
define("LOG_FILE", "/my/home/errors.log");
 
// Destination types
define("DEST_EMAIL", "1");
define("DEST_LOGFILE", "3");
 
/* Examples */
 
// Send an e-mail to the administrator
error_log("Fix me!", DEST_EMAIL, ADMIN_EMAIL);
 
// Write the error to our log file
error_log("Error", DEST_LOGFILE, LOG_FILE);

Create a custom error handler

It is possible to override PHP's default mechanism for handling errors. This option gives the programmer full control over what actions to take when an error is raised. Note that since this method completely replaces PHP's native functionality, it is important to pay special care when writing a custom error handler.

// Destinations
define("ADMIN_EMAIL", "nobody@stanford.edu");
define("LOG_FILE", "/my/home/errors.log");
 
// Destination types
define("DEST_EMAIL", "1");
define("DEST_LOGFILE", "3");
 
/**
  * my_error_handler($errno, $errstr, $errfile, $errline)
  *
  * Author(s): thanosb, ddonahue
  * Date: May 11, 2008
  * 
  * custom error handler
  *
  * Parameters:
  *  $errno:   Error level
  *  $errstr:  Error message
  *  $errfile: File in which the error was raised
  *  $errline: Line at which the error occurred
  */
 
function my_error_handler($errno, $errstr, $errfile, $errline)
{  
  switch ($errno) {
    case E_USER_ERROR:
      // Send an e-mail to the administrator
      error_log("Error: $errstr \n Fatal error on line $errline in file $errfile \n", DEST_EMAIL, ADMIN_EMAIL);
 
      // Write the error to our log file
      error_log("Error: $errstr \n Fatal error on line $errline in file $errfile \n", DEST_LOGFILE, LOG_FILE);
      break;
 
    case E_USER_WARNING:
      // Write the error to our log file
      error_log("Warning: $errstr \n in $errfile on line $errline \n", DEST_LOGFILE, LOG_FILE);
      break;
 
    case E_USER_NOTICE:
      // Write the error to our log file
      error_log("Notice: $errstr \n in $errfile on line $errline \n", DEST_LOGFILE, LOG_FILE);
      break;
 
    default:
      // Write the error to our log file
      error_log("Unknown error [#$errno]: $errstr \n in $errfile on line $errline \n", DEST_LOGFILE, LOG_FILE);
      break;
  }
 
  // Don't execute PHP's internal error handler
  return TRUE;
}
 
 
// Use set_error_handler() to tell PHP to use our method
$old_error_handler = set_error_handler("my_error_handler");

Discussion

Why shouldn't I display all errors?

If your website is configured to display all errors, when something goes wrong, not only will the result look unprofessional, but it will also reveal the inner workings of your web application. Potential attackers will gain useful information about the file system and how your code is set up. Instead of displaying all errors to the browser, during production, redirect them to a log file or database. When an error prevents the user from performing a certain action, inform them that the error has been logged and will be looked into shortly.

What is the difference between types of errors?

PHP.net provides a list of the different error types in PHP. We suggest reading through this list and becoming familiar with how PHP distinguishes between the various classifications.

See also

References

Personal tools