How to only show PHP errors to myself?

Question

I've seen a few methods for hiding php errors using php.ini or by adding php_flag display_errors off to .htaccess, but I'm wondering if there's a way to make it so only I can see php errors (useful for debugging obviously), but anyone else will be redirected to some boilerplate error page. I have a few scripts on my site that use my forum to authenticate me as an admin and kick everyone else out, so maybe it's possible using the same method?

If this isn't possible, I guess I'll go with the .htaccess method since I don't have access to php.ini. Is adding php_flag display_errors off to .htaccess a good way to go for this?

Thanks!

Answer 1

Since your code already knows you are an admin you can use a logic like this:

if($_SESSION['isadmin']==1){
    ini_set('display_errors', 1);
    ini_set('log_errors', 1); 
}

The admins will see errors but the other users will not see the errors.

Answer 2

While displaying errors on screen is great for development (as you see them right away), they should not be enabled for production servers because you may accidentally expose sensitive information (e.g., database passwords) to unauthorized users.

The useful INI options are:

ini_set('error_reporting', E_ALL & ~E_NOTICE);
ini_set('error_log', '/path/to/my/php.log');
ini_set('log_errors', 'On');      // log to file (yes)
ini_set('display_errors', 'Off'); // log to screen (no)

With that, all errors will be logged to the specified file. No errors will be seen on the screen.

Make sure the web server user is able to write to that file. You may have to create it and chmod / chown it accordingly before running your script.

On private development servers, you could disable the log file and display directly to screen. When developing, I would also get in the habit of displaying E_NOTICE errors as well. (Just use E_ALL as the value.) And if your scripts are well written, you can then continue to log them while in production too. An E_NOTICE is good for catching typos in variable names or array indices.

Note that all of those options can also be set in the php.ini or .htaccess files. But if you use .htaccess you cannot use the E_* constants; instead, you must hardcode the integer representation. (i.e., In a .htaccess file, you use whatever the results of <?php echo E_ALL ?> show as the value, or whatever you wish to log.)

In fact, I would recommend setting them in the php.ini if at all possible. Otherwise, if there's a script parsing error (or the ini_set gets skipped for some reason), you may not get the errors logging properly, etc.

On a Linux box you can always do a tail -f /path/to/my/php.log from a shell to monitor the log in realtime.

Answer 3

if you have a users system, set the codes so it recognize you when you log in, and show errors. So, it will only show errors when it's you who is logged in.

Answer 4

Although I agree with konforce, this is possible by setting the error reporting at runtime with the error_reporting() function. If you insist on doing that, put it in the same block of code that you mentioned for determining you are the admin, so that you don't have the decision made in different places.

Answer 5

You can check against the users IP, and if it matches yours, you can show errors. Something like this:

if($_SERVER['REMOTE_ADDR'] == 'your.ip.address'){
    error_reporting(E_ALL);
} else {
    error_reporting(0);
}

If you don't know you external IP, just google "what is my ip" or similar.

Base case scenario is obviously having a dev-server.