Logging PHP Errors For Production Environments

Good security practice dictates that PHP should never display error messages and notices on screen in a production environment, because they can reveal information about your server and application setup. One solution is to enable error logging on the server by setting the log_errors directive to 1 in your php.ini and reloading Apache. Once it is active, all errors are sent to the Apache error log by default and appear similar to the line below, unless a different path has been set in php.ini using the error_log directive.

[codesyntax lang="text"]

[Mon Jul 16 10:17:31 2011] [error] [client 58.96.56.198] PHP Fatal error: Uncaught SoapFault exception: [sf:INVALID_LOGIN] INVALID_LOGIN: Invalid username, user not active in /var/www/myapp/includes/thirdparty/developerforce/soapclient/SforceBaseClient.php:162

[/codesyntax]

Sometimes you may not have permission to edit the php.ini file, or you don't want to affect the error reporting of other applications that live on the same box. This leaves you the option of changing the error reporting setting temporarily, either in a .htaccess file or in the script itself. Telling PHP to log errors at runtime is easy: simply add the line below to your script. Be warned, though, that this approach is not optimal in most situations: if there is a parse error in your script, the directive will not be run and no errors will be logged.

[codesyntax lang="text"]

ini_set("log_errors", 1);

[/codesyntax]

A better option is to set the logging directive in a .htaccess file, if your server is configured to allow their use. Open your .htaccess file, or create a new one in the directory of your application if you don't have one already, add a line with the log_errors directive and save:

[codesyntax lang="text"]

# log_errors is a boolean directive, so it is set with php_flag rather than php_value
php_flag log_errors on

[/codesyntax]
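To confirm which of the settings above actually took effect for a request (php.ini, .htaccess and ini_set() all feed the same effective values), the following added example, which is not code from the original post, audits them at runtime and writes the result to the error log rather than to the page. The helper names and the sample array are constructed for illustration.

```php
<?php
// Added example, not from the original post. ini_is_on() and
// audit_error_settings() are hypothetical helper names.

// Interpret an ini value the way PHP does for boolean directives:
// on/yes/true are enabled, anything else is judged by its integer value.
function ini_is_on($value): bool
{
    $v = strtolower(trim((string) $value));
    return in_array($v, ['on', 'yes', 'true'], true) || (int) $v !== 0;
}

// Return a list of findings for one set of error-handling settings.
function audit_error_settings(array $ini): array
{
    $findings = [];
    $display = strtolower(trim((string) ($ini['display_errors'] ?? '')));
    // display_errors also accepts "stdout" and "stderr", which both emit errors.
    if (ini_is_on($display) || in_array($display, ['stdout', 'stderr'], true)) {
        $findings[] = 'display_errors is enabled, errors are shown to the client';
    }
    if (!ini_is_on($ini['log_errors'] ?? '')) {
        $findings[] = 'log_errors is disabled, errors are not recorded';
    }
    if (trim((string) ($ini['error_log'] ?? '')) === '') {
        $findings[] = 'error_log is unset, entries go to the server default log';
    }
    return $findings;
}

// Effective values for the current request, after all overrides.
$live = [
    'display_errors' => ini_get('display_errors'),
    'log_errors'     => ini_get('log_errors'),
    'error_log'      => ini_get('error_log'),
];

// Constructed sample: a development-style configuration for comparison.
$sample = ['display_errors' => 'On', 'log_errors' => '0', 'error_log' => ''];

foreach (['live' => $live, 'sample (constructed)' => $sample] as $label => $ini) {
    $findings = audit_error_settings($ini);
    // Report through the error log so nothing is revealed in the response.
    error_log("error-config audit [$label]: " . ($findings ? implode('; ', $findings) : 'ok'));
}
```

Run it through the same SAPI as the application, since the command-line PHP binary usually loads a different php.ini from the one Apache uses.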
