PHP display_errors is on

By
Rejah Rehim
Published on
13 Jun 2024
7 min read
Vulnerability

In PHP, display_errors are a configuration directive that controls whether errors are displayed on the screen as part of the web page output.

display_errors directive

  • On: When display_errors is set to “On,” PHP will display error messages directly in the web browser. This can be useful for development and debugging, as it allows developers to see and diagnose errors immediately.

  • Off: When display_errors is set to “Off,” PHP will not display error messages on the web page. Instead, errors can be logged to a file if log_errors is enabled. This is recommended for production environments to prevent sensitive information from being exposed to end users.

The display_error setting in PHP is used to determine whether errors should be printed to the screen or not. The error can be used as a part of the output or can be hidden from the user. There are many servers that have kept the display_errors setting as enabled in PHP.

The display_errors directive determines whether error messages should be sent to the browser. The error message might include frequently contained sensitive information about your web application environment and should never be presented to untrusted sources.

Using the error, an attacker can gather information about the server and can use the errors to attack the application. Using errors, an attacker can perform attacks like SQL injection and can view path locations present in the server.

If an attacker gets access to the files and folder, he will be able to create a clearcut idea about the application and can guess the location of sensitive files.

At worst case, the attacker can exploit this vulnerability to gain full access to the server, make sensitive changes and also put the applications on search engine blocklists like Google blacklist.

Example

The code below is the working example of display errors.

<?php 
    echo ini_get('display_errors'); 
    ini_set('display_errors', '0'); 
    echo ini_get('display_errors'); 
?> 

The above code will display errors to the browser.

What is the impact when PHP display errors are turned on?

Enabling display_errors in PHP can have several negative impacts, particularly in a production environment. Here are some of the key concerns:

1. Exposure of sensitive information

When display_errors is on, detailed error messages are displayed directly on the web page. These messages can include:

  • File paths

  • SQL queries

  • Configuration details

  • Internal logic

Such information can be exploited by malicious users to gain insights into the application’s structure, which can be used to find vulnerabilities.

2. Security risks

Displaying errors can inadvertently reveal security vulnerabilities. For example:

  • SQL Injection: If an SQL query error is displayed, it might reveal the structure of the database.

  • File Inclusion: Error messages might disclose the locations of sensitive files, making it easier for attackers to target them.

  • Debugging information: Revealing detailed debugging information can help attackers understand the application’s internal workings.

3. Professionalism and user experience

Exposing errors to end users:

  • Reduces credibility: Users encountering raw PHP errors might perceive the site as unprofessional or poorly maintained.

  • User confusion: Non-technical users may not understand the error messages, leading to confusion and frustration.

  • Trust issues: Users might lose trust in a site that appears to be malfunctioning or insecure.

4. Performance overhead

Constantly displaying errors can add overhead to the application. Error messages need to be generated and formatted, which can marginally impact performance, especially if errors are frequent.

5. Interference with application output

Errors displayed on the web page can interfere with the normal output of the application. This can break the layout, cause JavaScript errors, or disrupt the user experience.

How can you prevent display_errors from being enabled in PHP?

To prevent display_errors from being enabled in PHP, especially in a production environment, you can follow these best practices.

1. Set configuration in php.ini

Ensure that display_errors are set to Off in the PHP configuration file (php.ini).

  • Locate php.ini file: Find the PHP configuration file. Its location can vary depending on your server setup.

  • Edit php.ini file: Open the file and set the display_errors directive to Off.

display_errors = Off
  • Restart web server: After making changes to php.ini, restart your web server (e.g., Apache, Nginx) to apply the changes.

2. Use .htaccess file (for Apache Servers)

If you are using Apache, you can also control the display_errors setting via an .htaccess file.

  • Locate/create .htaccess file: Find or create the .htaccess file in the root directory of your website.

  • Add directive: Add the following line to disable display_errors.

php_flag display_errors off

3. Set configuration in PHP scripts

You can disable display_errors directly in your PHP scripts, which is useful if you need to ensure this setting regardless of the server configuration.

4. Add ini_set and error_reporting in scripts

ini_set('display_errors', 0); 
error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT);

5. Environment-specific configuration

Implement environment-specific configurations to ensure the setting is appropriately applied based on the environment (development, testing, production).

  • Check environment variable: Use an environment variable or configuration setting to determine the current environment.
if (getenv('APP_ENV') === 'production') { 
    ini_set('display_errors', 0); 
    ini_set('log_errors', 1); 
    error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT); 
    ini_set('error_log', '/path/to/error.log'); 
} else { 
    ini_set('display_errors', 1); 
    error_reporting(E_ALL); 
} 

6. Use PHP-FPM configuration (for Nginx or Apache with PHP-FPM)

If you are using PHP-FPM, you can configure php.ini settings in the php-fpm.conf or pool configuration files.

  • Edit pool configuration: Locate the pool configuration file (e.g., /etc/php-fpm.d/www.conf) and set php_admin_value.
php_admin_value[display_errors] = Off

7. Regular audits and monitoring

Regularly audit your server and application configurations to ensure display_errors is not accidentally turned on.

  • Automated scripts: Use scripts to check the status of display_errors.
php -r 'echo ini_get("display_errors");'

Ensure the output is Off.

By implementing these practices, you can prevent display_errors from being enabled in production environments, thereby improving the security and professionalism of your application while still allowing for effective error management and logging.


Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days