Display Errors

The display_errors directive controls whether and where PHP outputs errors, notices and warnings.

; display_errors
; Default Value: On
; Development Value: On
; Production Value: Off

Enabling the display_errors directive results in the display of any errors meeting the criteria defined by error_reporting. You should have this directive enabled only during testing and keep it disabled when the site is live. The display of such messages not only is likely to further confuse the end user but could also provide more information about your application/server than you might like to make available.

For example, suppose you are using a flat file to store newsletter subscriber e-mail addresses. Due to a permissions misconfiguration, the application could not write to the file. Yet rather than catch the error and offer a user-friendly response, you instead opt to allow PHP to report the matter to the end user. The displayed error would look something like this:

Warning: fopen(subscribers.txt): failed to open stream: Permission denied in /home/www/htdocs/ 8/displayerrors.php on line 3

Granted, you've already broken a cardinal rule by placing a sensitive file within the document root tree, but now you've greatly exacerbated the problem by informing the user of the exact location and name of the file. The user can then simply enter a URL similar to http://www.example.com/subscribers.txt and proceed to do what he will with your soon-to-be furious subscriber base.
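One way to handle the failure described above without exposing it, as an added example that is not from the original page: errors are logged rather than displayed, and the visitor sees only a generic message. The file paths and the add_subscriber() function are assumptions made for illustration.

```php
<?php
// Added example: the paths and add_subscriber() are assumptions, not from the page.

// Production behaviour: keep errors out of the response and log them instead.
// (Set these in php.ini as well so startup errors are covered.)
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app_errors.log'); // hypothetical log path

// Hypothetical data file stored outside the document root, so no URL maps to it.
const SUBSCRIBERS_FILE = '/home/www/data/subscribers.txt';

/**
 * Append one address to the subscriber file.
 * Returns true on success; on failure, logs the detail and returns false.
 */
function add_subscriber(string $email, string $file = SUBSCRIBERS_FILE): bool
{
    // '@' suppresses PHP's own warning; the failure is reported to the log below.
    $handle = @fopen($file, 'ab');
    if ($handle === false) {
        $err = error_get_last();
        error_log('add_subscriber: open failed: ' . ($err['message'] ?? 'unknown'));
        return false;
    }

    // Lock so concurrent requests do not interleave their writes.
    $ok = flock($handle, LOCK_EX) && fwrite($handle, $email . PHP_EOL) !== false;
    fclose($handle); // closing the handle also releases the lock
    if (!$ok) {
        error_log('add_subscriber: write failed');
    }
    return $ok;
}

$raw = $_POST['email'] ?? '';
$email = is_string($raw) ? trim($raw) : '';
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    echo 'Please enter a valid e-mail address.';
} elseif (add_subscriber($email)) {
    echo 'Thank you for subscribing.';
} else {
    // Generic message: no file name, path or line number reaches the visitor.
    http_response_code(500);
    echo 'We could not process your subscription right now. Please try again later.';
}
```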




