PHP display_errors is on

Rejah Rehim
Published on
02 Jul 2018
1 min read

The display_error setting in PHP is used to determine whether errors should be printed to the screen or not. The error can be used as a part of the output or can be hidden from the user. There are many servers who have kept the display_errors setting as enabled in PHP. The display_errors directive determines whether error messages should be sent to the browser. The error message might include frequently contained sensitive information about your web application environment, and should never be presented to untrusted sources. Using the error, an attacker can gather information about the server and can use the errors to attack the application. Using errors, an attacker can perform attacks like SQL injection and can view path locations present in the server. If an attacker gets access to the files and folder, he will able to create a clearcut idea about the application and can guess the location of sensitive files. At worst case, the attacker can exploit this vulnerability to gain full access to the server, changes sensitive changes and can also put the applications on search engine blocklists like Google blacklist.


The below code is the working example of display errors.

        echo ini_get('display_errors');
        ini_set('display_errors', '0');
        echo ini_get('display_errors');


The above code will display errors to the browser.


Using this vulnerability, an attacker can:-

  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Disable display_errors in php.ini or .htaccess.


        display_errors = 'off'
        log_errors = 'on'



        php_flag display_errors off
        php_flag log_errors on

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.