
Enable Verbose Error Reporting

The first step in securing a PHP application is to enable the PHP features that track application errors. Application errors often point directly to vulnerabilities or provide clues about them.
For example, many of the register_globals-related uninitialized variable errors can be detected simply by raising the error reporting level within an application.
Here's some code to do just that:

error_reporting(E_ALL);   // in PHP 5.0 and above, use E_ALL | E_STRICT
ini_set("display_errors", 0);
ini_set("log_errors", 1);
ini_set("error_log", "/home/user/logs/app_xyz.php.log");


The first line of the code enables the tracking of all errors (E_ALL in PHP 4.0 or E_ALL | E_STRICT in PHP 5.0 and above), including warnings, fatal errors, and notices about uninitialized variables. The second line disables the display of errors, so that the code can be deployed in a production environment, while lines three and four specify that errors should be logged to a named file. That file is an easy way to monitor error messages in any pager or editor utility, such as less or vim, respectively. To use this snippet, just place it at the top of any application, in a header for example.
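
The four settings above only help if they actually take effect on the server. The following is an added example, not part of the original snippet: it applies the same settings, reads each one back, and checks that the log file is writable and not under the web server's document root. The function name apply_error_settings() and its parameters are hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not from the original snippet. Assumes PHP 7 or later.
// apply_error_settings() and its parameters are hypothetical names.
function apply_error_settings(string $logFile, string $docRoot = '', int $level = E_ALL): array
{
    $problems = [];

    // Raise the reporting level and confirm the runtime accepted it.
    error_reporting($level);
    if (error_reporting() !== $level) {
        $problems[] = 'error_reporting level was not applied';
    }

    // A directive locked by the server configuration keeps its old value,
    // so read each setting back instead of assuming ini_set() worked.
    $wanted = ['display_errors' => '0', 'log_errors' => '1', 'error_log' => $logFile];
    foreach ($wanted as $name => $value) {
        ini_set($name, $value);
        if (ini_get($name) !== $value) {
            $problems[] = "$name could not be set to '$value'";
        }
    }

    // The log is only useful if PHP can write to it.
    $dir = dirname($logFile);
    $writable = file_exists($logFile) ? is_writable($logFile) : is_writable($dir);
    if (!$writable) {
        $problems[] = "log file $logFile is not writable";
    }

    // A log under the document root could be served to visitors.
    $realDir = realpath($dir);
    $realRoot = $docRoot !== '' ? realpath($docRoot) : false;
    if ($realDir !== false && $realRoot !== false) {
        $root = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strpos($realDir . DIRECTORY_SEPARATOR, $root) === 0) {
            $problems[] = 'log directory is inside the document root';
        }
    }
    return $problems;
}

// Log path taken from the snippet above; the document root comes from the server.
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
foreach (apply_error_settings('/home/user/logs/app_xyz.php.log', $docRoot) as $problem) {
    error_log("error settings check: $problem");
}
```

An empty result means every setting was accepted; any reported problem is written through error_log() so it lands wherever PHP is currently able to log.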