Verbose error pages are extremely useful in development and extremely dangerous in production. A stack trace tells an attacker the database driver, hostname, credentials format, file paths, and library versions — which feeds the next attack.
vulnerable.php has `display_errors=1`. Visiting it during a database outage prints something like:

```
PDOException: SQLSTATE[HY000] [1045] Access denied for user 'root'@'10.0.0.5'
(using password: YES) in /var/www/examples/errors/vulnerable.php:8
```
That single line gives an attacker the database user, the host the app runs on, and the file layout.
fixed.php:

- turns off `display_errors`,
- turns on `log_errors` to a file outside the web root,
- registers an exception handler that logs the full detail and shows the user a generic 500.

- `display_errors=0` and `log_errors=1` in every production `php.ini`. Treat the default as a configuration bug.
- Send the log to a file outside the document root, or to syslog/a log aggregator.
- Don't render `Throwable::getMessage()` to the user — even sanitized messages leak the driver and operation.
- In a framework, set the equivalent (`APP_DEBUG=false`, `app.debug = false`) before deploying.
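To make the three changes described for fixed.php and the checklist above concrete, here is an added example of a hardened PHP entry point. It is not the page's own fixed.php; the log path `/var/log/app/php-error.log`, the `DB_DSN`/`DB_USER`/`DB_PASS` environment variables and the reference-id scheme are assumptions. It goes one step beyond the description by also routing warnings and fatal errors through the same generic-500 path, since those bypass `set_exception_handler`.

```php
<?php
// Added example: hardened PHP front controller (not the page's fixed.php).
// Assumptions: /var/log/app is outside the document root and writable by the
// PHP user; DB credentials come from the environment, not from this file.

declare(strict_types=1);

// 1. Never show errors to the client; always log them server-side.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-error.log'); // assumed path, outside web root
error_reporting(E_ALL);

// 2. Promote warnings/notices to exceptions so one handler covers everything.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // respect @-suppressed calls; PHP's own logging still applies
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// 3. Log full detail (class, message, file, line, trace) with a random reference id,
//    and show the user only a generic 500 carrying that id. No getMessage(), no
//    class name, no path reaches the response.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf(
        '[ref=%s] %s: %s in %s:%d%s%s',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()
    ));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "Internal server error. Reference: {$ref}\n";
});

// Fatal errors (out of memory, parse errors in included files) never reach the
// exception handler; a shutdown function is the last place to catch them.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        error_log(sprintf('fatal: %s in %s:%d', $err['message'], $err['file'], $err['line']));
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo "Internal server error.\n";
    }
});

// Application code. During a database outage the PDOException now lands in the
// handler above instead of being printed with the DB user, host and file path.
$pdo = new PDO(
    getenv('DB_DSN') ?: 'mysql:host=127.0.0.1;dbname=app',
    getenv('DB_USER') ?: 'app',
    getenv('DB_PASS') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
echo "ok\n";
```

The `ini_set` calls are a per-script safety net; the same three settings belong in the production `php.ini` (`display_errors = Off`, `log_errors = On`, `error_log = /var/log/app/php-error.log`) so that startup and parse errors, which run before any script code, are covered as well. The reference id lets an operator grep the log for the exact failure a user reported without the response revealing anything about it.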