
16 Feb 2014

Chetan Soni


Sr. Security Specialist in Secugenius Security Solutions


PHP Error Handling with HTACCESS & PHP






CHETAN SONI (Cyber Security Specialist)

Email: chetansoni@live.com
Facebook: http://facebook.com/er.chetansoni
Twitter: http://twitter.com/iamchetansoni






About Me

I am a social-techno-learner who believes in my own efficiency first and then implements with the suggestions of my strong and enthusiastic team, which helps me take everything to its perfection level.

The young and dynamic personality has not only assisted in solving complex cases but has also played an instrumental role in creating awareness about Information Security and Cyber crimes.

I conducted more than 100 workshops on topics like “Botnets, Metasploit Framework, Networking, Vulnerability Assessment, Penetration Testing, Cyber Crime Investigation, Cyber Forensics and Ethical Hacking” at various institutions/colleges/companies all across the world.

Achievements

1. Experience as System Administrator, Support Engineer, Network Engineer, IT faculty, Technical consultant.
2. Extensive Experience in Red Hat Enterprise Linux.
3. Experience in designing cable and wireless networks, network cabling such as STP, UTP, coaxial etc., installation and configuration of LAN, WAN and wireless networks with active components such as hub, bridge, routers, switches, modems, repeaters etc. break / fix engineering.
4. Energetic and self-motivated team player. Proven ability to work in tight schedule and both independent and team environments.
5. Extensive Experience in Backtrack Operating System which is a Linux based OS.
6. Analysis and Monitoring of Packets in a Wireless Network.
7. Published more than 50 E-Books and 24 Tools in Seculabs Online Digital Library related to Hacking, Cracking, Backtrack, Metasploit, Digital Forensics, Wi-Fi Hacking, and Website Hacking.
8. Brand Ambassador of the year 2011 at Secugenius Security Solutions.
9. Published My Paper on “Complete WordPress Security” at Packet Storm Security Website which is a Global Security Resource.
10. Research Paper Published on “Capturing of HTTP Protocol Packets in a Wireless Network” in IJECCE (International Journal of Electronics Communication and Computer Engineering)
11. Got “Best Speaker of the year 2013” Award in Chakravyuh IT Conference held at IIT-Delhi.

Professional Experience

Working as a Sr. Security Specialist at SECUGENIUS SECURITY SOLUTIONS, LUDHIANA from June ’2011 & Sr. Author at Seculabs Online Digital Library from January 2012.



PHP Error Handling with HTACCESS

As we know, PHP error handling can also be achieved with PHP itself. To handle PHP errors via htaccess, we need to observe three fundamental aspects: preventing, preserving and protecting your site’s errors.

Prevent public display of PHP errors via htaccess

# suppress PHP errors
php_flag display_startup_errors off
php_flag display_errors off
php_flag html_errors off
php_value docref_root 0
php_value docref_ext 0


Preserve (log) your site’s PHP errors via htaccess

# enable PHP error logging
php_flag log_errors on
php_value error_log /home/path/public_html/domain/PHP_errors.log


Protect your site’s PHP error log via htaccess

# prevent access to PHP error log
<Files PHP_errors.log>
  Order allow,deny
  Deny from all
  Satisfy All
</Files>






Controlling the level of PHP error reporting

We can also control the level of PHP error reporting using htaccess:

# general directive for setting php error level
php_value error_reporting integer

There are several common values used for “integer”, including:

Complete error reporting: for complete PHP error logging, use an error-reporting integer value of “8191”, which will enable logging of everything except run-time notices.

Zend error reporting: to record both fatal and non-fatal compile-time warnings generated by the Zend scripting engine, use an error-reporting integer value of “128”.

Basic error reporting: to record run-time notices, compile-time parse errors, as well as run-time errors and warnings, use “8” for the error-reporting integer value.

Minimal error reporting: to record only fatal run-time errors, use an error-reporting integer value of “1”, which will enable logging of unrecoverable errors.

Of course, there are many more error-reporting values to use, depending on your particular error-logging needs.

Setting the maximum file size for your error strings

Using htaccess, you may specify a maximum size for your PHP errors. This controls the size of each logged error, not the overall file size. Here is the general syntax:

# general directive for setting max error size
php_value log_errors_max_len integer

Disable logging of repeated errors

If you would like to disable the redundancy of repeated log entries, add the following code to your htaccess file:

# disable repeated error logging
php_flag ignore_repeated_errors on
php_flag ignore_repeated_source on

With these lines in place, repeated errors will not be logged, even if they are from different sources or locations. If you only want to disable repeat errors from the same source or file, simply comment out or delete the last line. Conversely, to ensure that your log file includes all repeat errors, change both of the on values to off.



Final htaccess file for Servers (For Production Environment)

Here is the code for your target htaccess file:

# PHP error handling for production servers
php_flag display_startup_errors off
php_flag display_errors off
php_flag html_errors off
php_flag log_errors on
php_flag ignore_repeated_errors off
php_flag ignore_repeated_source off
php_flag report_memleaks on
php_flag track_errors on
php_value docref_root 0
php_value docref_ext 0
php_value error_log /home/path/public_html/domain/PHP_errors.log
# php_value error_reporting 999999999
php_value error_reporting -1
php_value log_errors_max_len 0

<Files PHP_errors.log>
  Order allow,deny
  Deny from all
  Satisfy All
</Files>

With comments:

# PHP error handling for production servers

# disable display of startup errors
php_flag display_startup_errors off

# disable display of all other errors
php_flag display_errors off

# disable html markup of errors
php_flag html_errors off

# enable logging of errors
php_flag log_errors on

# disable ignoring of repeat errors
php_flag ignore_repeated_errors off

# disable ignoring of unique source errors
php_flag ignore_repeated_source off

# enable logging of php memory leaks
php_flag report_memleaks on

# preserve most recent error via php_errormsg
php_flag track_errors on

# disable formatting of error reference links
php_value docref_root 0

# disable formatting of error reference links
php_value docref_ext 0

# specify path to php error log
php_value error_log /home/path/public_html/domain/PHP_errors.log

# specify recording of all php errors
# php_value error_reporting 999999999
php_value error_reporting -1

# disable max error string length
php_value log_errors_max_len 0

# protect error log by preventing public access
<Files PHP_errors.log>
  Order allow,deny
  Deny from all
  Satisfy All
</Files>
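
One way to check a deployed htaccess file against the production settings above, as an added example in Python that is not part of the original document: it parses the php_flag/php_value lines and the <Files> blocks, then reports display or logging settings that deviate and an error log that sits under the web root without a deny rule. The function names, the sample text and the web_root default are constructed for illustration; the Apache 2.4 form `Require all denied` is accepted alongside `Deny from all`.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the page's production file with display_errors left on.
SAMPLE = """\
php_flag display_startup_errors off
php_flag display_errors on
php_flag html_errors off
php_flag log_errors on
php_value error_log /home/path/public_html/domain/PHP_errors.log
<Files PHP_errors.log>
  Order allow,deny
  Deny from all
</Files>
"""
EXPECTED = {"display_startup_errors": "off", "display_errors": "off",
            "html_errors": "off", "log_errors": "on"}  # values from this page
DIRECTIVE = re.compile(r"php_(?:flag|value)\s+(\S+)\s+(.+)$", re.I)
FILES_OPEN = re.compile(r'<Files\s+"?([^">]+?)"?\s*>$', re.I)
DENY = re.compile(r"(deny\s+from\s+all|require\s+all\s+denied)$", re.I)

def parse(text):
    """Return (php settings, file names covered by a deny-all <Files> block)."""
    settings, denied, current = {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        directive, opened = DIRECTIVE.match(line), FILES_OPEN.match(line)
        if directive:
            settings[directive.group(1).lower()] = directive.group(2).strip()
        elif opened:
            current = opened.group(1)
        elif line.lower() == "</files>":
            current = None
        elif current and DENY.match(line):
            denied.add(current)
    return settings, denied

def audit(text, web_root="public_html"):
    """List deviations from the hardened settings; web_root is an assumed name."""
    settings, denied = parse(text)
    findings = [f"{name} is {settings.get(name, 'unset').lower()}, expected {want}"
                for name, want in EXPECTED.items()
                if settings.get(name, "unset").lower() != want]
    log = PurePosixPath(settings.get("error_log", ""))
    if not log.name:
        findings.append("error_log is not set")
    elif web_root in log.parts and log.name not in denied:
        findings.append(f"{log.name} is under {web_root} with no <Files> deny")
    return findings
```
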


Final htaccess file for Servers (For Development Environment)

Here’s the code:

# PHP error handling for development servers
php_flag display_startup_errors on
php_flag display_errors on
php_flag html_errors on
php_flag log_errors on
php_flag ignore_repeated_errors off
php_flag ignore_repeated_source off
php_flag report_memleaks on
php_flag track_errors on
php_value docref_root 0
php_value docref_ext 0
php_value error_log /home/path/public_html/domain/PHP_errors.log
# php_value error_reporting 999999999
php_value error_reporting -1
php_value log_errors_max_len 0

<Files PHP_errors.log>
  Order allow,deny
  Deny from all
  Satisfy All
</Files>






PHP Error Handling with PHP

As we know, PHP error handling is also achieved with htaccess. To handle PHP errors via htaccess, we need the following things:

1. Editing and accessing privileges for htaccess files.
2. A server running PHP via Apache, not CGI.
3. Ability to edit/change permissions for files on your server.

If you have any problem handling PHP errors with htaccess, you can use php.ini for handling all types of errors instead. To implement this, we need the following things:

1. Ability to create/edit a php.ini file in your public_html directory.
2. A server running PHP via CGI, not Apache.
3. Ability to edit/change permissions for files on your server.
4. Access/editing privileges for htaccess files (not required).


Step 1: Create a custom php.ini file in your site’s root directory

First of all, create a file named php.ini and add the following PHP directives:

;;; php error handling for production servers
display_startup_errors = off
display_errors = off
html_errors = off
log_errors = on
docref_root = 0
docref_ext = 0
error_log = /var/log/php/errors/php_error.log

Here we are disabling all public error displays and enabling error logging to the specified file, i.e. /var/log/php/errors/php_error.log.

After editing the path and file name of the error log in the last line, save the file and upload it to the root directory of your domain, i.e. public_html, with writable permissions, i.e. 755 or 777.

Step 2: Enable subdirectory inheritance of custom settings

At this point, error logging should be working, but only for the same directory in which you have placed the php.ini file, i.e. the root directory.

Unfortunately, custom php.ini settings are not inherited by subdirectories the way htaccess directives are. Thus, each directory for which you would like to log errors requires its own copy of the php.ini file.



If you are able to access and edit your site’s root htaccess file, there is an easy way to enable subdirectory inheritance of your custom php.ini settings. Simply add the following code to your site’s root htaccess file:

# enable subdirectory inheritance of custom php settings
suPHP_ConfigPath /home/path/public_html

This method is known as HTACCESS INHERITANCE.

Step 3: Secure your custom php.ini and log files

It’s our responsibility to protect the domain by securing your newly created files. In addition to setting permissions to 600 for your custom php.ini file(s), you may also want to add the following directives to your root htaccess file:

# deny access to php.ini
<Files php.ini>
  order allow,deny
  deny from all
  satisfy all
</Files>

# deny access to php error log
<Files php_error.log>
  order allow,deny
  deny from all
  satisfy all
</Files>
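
A quick way to confirm the file modes from Step 3, as an added example in Python that is not part of the original document: it reports every permission a file grants beyond what 600 allows, so the 755 and 777 modes mentioned in Step 1 show up as findings and 600 comes back clean. The helper names and the temporary php.ini file are constructed for illustration.

```python
import os
import stat
import tempfile

# Permission bits that mode 600 does not grant, with the label reported for each.
CHECKS = [
    (stat.S_IWOTH, "world-writable"),
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWGRP, "group-writable"),
    (stat.S_IRGRP, "group-readable"),
    (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH, "executable"),
]

def mode_findings(path):
    """Return (octal mode string, labels of everything granted beyond 600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return oct(mode)[2:], [label for bits, label in CHECKS if mode & bits]

def audit_paths(paths):
    """Map each existing path to its findings; missing files are reported as such."""
    report = {}
    for path in paths:
        if not os.path.exists(path):
            report[path] = ("-", ["missing"])
        else:
            report[path] = mode_findings(path)
    return report

def demo():
    """Constructed sample: one php.ini set to 777, 755 and 600 in turn."""
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "php.ini")
        with open(path, "w") as handle:
            handle.write("display_errors = off\n")
        for octal in (0o777, 0o755, 0o600):
            os.chmod(path, octal)
            shown, findings = mode_findings(path)
            results[shown] = findings
    return results
```
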





Controlling the level of PHP error reporting

Using your custom php.ini file, it is possible to set the level of error reporting to suit your particular needs. The general format for controlling the level of PHP errors is as follows:

;;; general directive for setting php error level
error_reporting = integer

There are several common values used for “integer”, including:

Complete Error Reporting: for complete PHP error logging, use an error-reporting integer value of “8191”, which will enable logging of everything except run-time notices.

Zend Error Reporting: to record both fatal and non-fatal compile-time warnings generated by the Zend scripting engine, use an error-reporting integer value of “128”.

Basic Error Reporting: to record run-time notices, compile-time parse errors, as well as run-time errors and warnings, use “8” for the error-reporting integer value.

Minimal Error Reporting: to record only fatal run-time errors, use an error-reporting integer value of “1”, which will enable logging of unrecoverable errors.

Of course, there are many more error-reporting values to use, depending on your particular error-logging needs.
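
The error_reporting integers listed here and in the htaccess section are bit masks, so what a value enables can be read off bit by bit. The following added example in Python (not part of the original document; the function names and sample strings are constructed) decodes a value against the bit values of PHP's E_* constants and reads the effective setting from either htaccess or php.ini syntax.

```python
import re

# Bit values of PHP's E_* constants, as listed in the PHP manual.
LEVELS = {
    1: "E_ERROR", 2: "E_WARNING", 4: "E_PARSE", 8: "E_NOTICE",
    16: "E_CORE_ERROR", 32: "E_CORE_WARNING", 64: "E_COMPILE_ERROR",
    128: "E_COMPILE_WARNING", 256: "E_USER_ERROR", 512: "E_USER_WARNING",
    1024: "E_USER_NOTICE", 2048: "E_STRICT", 4096: "E_RECOVERABLE_ERROR",
    8192: "E_DEPRECATED", 16384: "E_USER_DEPRECATED",
}
# Matches "php_value error_reporting N" (htaccess) and "error_reporting = N"
# (php.ini); lines commented out with "#" or ";" do not match.
SETTING = re.compile(
    r"^\s*(?:php_value\s+)?error_reporting\s*=?\s*(-?\d+)\s*$", re.M)

def decode(value):
    """Return (level names switched on, level names left off) for an integer."""
    if value == -1:  # all bits set: every level, including any added later
        return list(LEVELS.values()), []
    enabled = [name for bit, name in LEVELS.items() if value & bit]
    missing = [name for bit, name in LEVELS.items() if not value & bit]
    return enabled, missing

def effective(config_text):
    """Decode the last uncommented error_reporting line, or None if absent."""
    values = SETTING.findall(config_text)
    return decode(int(values[-1])) if values else None

# Constructed samples in the two syntaxes used on this page.
HTACCESS = "# php_value error_reporting 999999999\nphp_value error_reporting -1\n"
PHP_INI = "log_errors = true\nerror_reporting = 999999999\n"
```

Decoding 999999999 shows bits 512, 1024, 4096 and 8192 clear, so E_USER_WARNING, E_USER_NOTICE, E_RECOVERABLE_ERROR and E_DEPRECATED stay off, while -1 switches on every level.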

Setting the maximum file size for your error strings

Using your custom php.ini file, you may specify a maximum size for your PHP errors. Here is the general syntax:

;;; general directive for setting max error size
log_errors_max_len = integer

Here, “integer” represents the maximum size of each recorded error string as measured in bytes. The default value is “1024” (i.e., 1 kilobyte).

To unleash your logging powers to their fullest extent, you may use a zero value, “0”, to indicate “no maximum” and thus remove all limits.

Disable logging of repeated errors

If you would like to disable the redundancy of repeated log entries, add the following code to your custom php.ini file:

;;; disable repeated error logging
ignore_repeated_errors = true
ignore_repeated_source = true





Final php.ini file for Servers (For Production Environment)

Here is the code for your custom php.ini file:

;;; php error handling for production servers
display_startup_errors = false
display_errors = false
html_errors = false
log_errors = true
ignore_repeated_errors = false
ignore_repeated_source = false
report_memleaks = true
track_errors = true
docref_root = 0
docref_ext = 0
error_log = /var/log/php/errors/php_error.log
error_reporting = 999999999
log_errors_max_len = 0

With comments, here is the code:

;;; php error handling for production servers

; disable display of startup errors
display_startup_errors = false

; disable display of all other errors
display_errors = false

; disable html markup of errors
html_errors = false

; enable logging of errors
log_errors = true

; disable ignoring of repeat errors
ignore_repeated_errors = false

; disable ignoring of unique source errors
ignore_repeated_source = false

; enable logging of php memory leaks
report_memleaks = true

; preserve most recent error via php_errormsg
track_errors = true

; disable formatting of error reference links
docref_root = 0

; disable formatting of error reference links
docref_ext = 0

; specify path to php error log
error_log = /var/log/php/errors/php_error.log

; specify recording of all php errors
error_reporting = 999999999

; disable max error string length
log_errors_max_len = 0





Final php.ini file for Servers (For Development Environment)

Here’s the code:

;;; php error handling for development servers
display_startup_errors = true
display_errors = true
html_errors = true
log_errors = true
ignore_repeated_errors = false
ignore_repeated_source = false
report_memleaks = true
track_errors = true
docref_root = 0
docref_ext = 0
error_log = /var/log/php/errors/php_error.log
error_reporting = 999999999
log_errors_max_len = 0
















For any query, please mail us at chetansoni@live.com