improper error handling

Hello,


How do I solve improper error
handling in PHP? If any improper error occurs in a PHP site, PHP will
suddenly provide a meaningful message to the user.


Please, can anyone suggest something to me?


I am sending you the description:




Improper handling of errors can introduce a variety of security
problems for a web site. The most common problem is when detailed
internal error messages such as stack traces, database dumps, and error
codes are displayed to the user (hacker). These messages reveal
implementation details that should never be revealed. Such details can
provide hackers important clues on potential flaws in the site and such
messages are also disturbing to normal users.


Web applications frequently generate error conditions during
normal operation. Out of memory, null pointer exceptions, system call
failure, database unavailable, network timeout, and hundreds of other
common conditions can cause errors to be generated. These errors must
be handled according to a well thought out scheme that will provide a
meaningful error message to the user, diagnostic information to the
site maintainers, and no useful information to an attacker.


Even when error messages don’t provide a lot of detail,
inconsistencies in such messages can still reveal important clues on
how a site works, and what information is present under the covers. For
example, when a user tries to access a file that does not exist, the
error message typically indicates, “file not found”. When accessing a
file that the user is not authorized for, it indicates, “access
denied”. The user is not supposed to know the file even exists, but
such inconsistencies will readily reveal the presence or absence of
inaccessible files or the site’s directory structure.


One common security problem caused by improper error handling
is the fail-open security check. All security mechanisms should deny
access until specifically granted, not grant access until denied, which
is a common reason why fail open errors occur. Other errors can cause
the system to crash or consume significant resources, effectively
denying or reducing service to legitimate users.


Good error handling mechanisms should be able to handle any
feasible set of inputs, while enforcing proper security. Simple error
messages should be produced and logged so that their cause, whether an
error in the site or a hacking attempt, can be reviewed. Error handling
should not focus solely on input provided by the user, but should also
include any errors that can be generated by internal components such as
system calls, database queries, or any other internal functions.
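
An added example, not part of the original message: one way to apply the description above in PHP, with details going to a log, a generic message with a reference ID going to the user, a fail-closed authorization check, and identical responses for missing and forbidden files. The names `isAuthorized()` and `serveFile()`, the `$check` callback and the log path are assumptions made for illustration.

```php
<?php
// Added example; function names, $check callback and log path are hypothetical.
declare(strict_types=1);

ini_set('display_errors', '0');   // never render error details to the client
ini_set('log_errors', '1');       // keep diagnostics for the site maintainers
ini_set('error_log', '/var/log/php/app-error.log'); // assumed path
error_reporting(E_ALL);

// Turn PHP warnings/notices into exceptions so one handler sees everything.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    if (!(error_reporting() & $no)) { return false; }
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Last-resort handler: full detail to the log, generic text to the user.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(8)); // ties a user report to the log entry
    error_log(sprintf('[%s] %s: %s in %s:%d%s%s', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine(), PHP_EOL, $e->getTraceAsString()));
    if (!headers_sent()) { http_response_code(500); }
    echo 'An internal error occurred. Reference: ' . $ref;
});

// Fail closed: access is granted only on an explicit true; any error denies.
function isAuthorized(callable $check, string $user, string $path): bool
{
    try {
        return $check($user, $path) === true;
    } catch (Throwable $e) {
        error_log('authorization check failed: ' . $e->getMessage());
        return false;
    }
}

// Same status and body for "missing" and "forbidden", so the response does
// not reveal which files exist. $path is assumed to be already resolved
// inside the allowed base directory.
function serveFile(callable $check, string $user, string $path): void
{
    if (!isAuthorized($check, $user, $path) || !is_file($path)) {
        http_response_code(404);
        echo 'Not found.';
        return;
    }
    readfile($path);
}
```

Fatal errors such as out-of-memory bypass `set_exception_handler`, so `display_errors` should also be set to `Off` in `php.ini` for production.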










