Will a PHP exception message be displayed as a security risk?

I want a custom message to be displayed to the user when I raise an error in Laravel 5.1. For example, in the controller, I could:

if(!has_access()){ abort('401', 'please contact support to gain access to this item.'); } 

Then, in my custom error page, I would display the error with:

 $exception->getMessage(); 

However, what if there was an SQL error or other event? Wouldn't that also set an exception message that I would unknowingly display on my error page?

The PHP docs for getMessage() do not contain details about this.

How can I set a specific exception message without security risk?

+5
2 answers

However, what if there was an SQL error or other event? Wouldn't that also set an exception message that I would unknowingly display on my error page?

Potentially, yes. PHP does not guarantee that the contents of exception messages will be “safe” for display to users, and it is likely that some classes will throw exceptions that include sensitive information in the message.

If you want to use exceptions to display errors to users, use a dedicated Exception subclass for these exceptions and only print the message if the exception is an instance of this subclass, for example:

 class UserVisibleException extends Exception {
     // You don't need any code in here, but you could add a custom constructor
     // if you wanted to.
 }

 // Then, in your abort() function...
 throw new UserVisibleException($message);

 // Then, in your exception handler...
 if ($exc instanceof UserVisibleException) {
     print $exc->getMessage();
 } else {
     print "An internal error occurred.";
 }
+2
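The same pattern carried through to a Laravel 5.1 exception handler, so that only the dedicated subclass ever has its message rendered (an added example, not code from the answer above; the `errors.user` and `errors.generic` view names and the `UserVisibleException` class are assumptions following Laravel conventions):

```php
<?php
// Assumed layout: App\Exceptions\UserVisibleException and App\Exceptions\Handler
// would normally live in separate files; they are shown together here.

namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;

// Only exceptions of this type carry text that is intended for end users.
class UserVisibleException extends Exception {}

class Handler extends ExceptionHandler
{
    // Laravel 5.1 skips logging for these; user-facing notices are not errors.
    protected $dontReport = [
        UserVisibleException::class,
    ];

    public function render($request, Exception $e)
    {
        if ($e instanceof UserVisibleException) {
            // The message is meant to be shown, but it is still untrusted text
            // for the HTML context, so escape it before it reaches the view.
            $code   = $e->getCode();
            $status = ($code >= 400 && $code < 600) ? $code : 400;
            return response()->view('errors.user',
                ['message' => e($e->getMessage())], $status);
        }

        // Anything else (QueryException, PDOException, ...) may carry SQL text,
        // file paths or credentials in getMessage(). Laravel has already passed it
        // to report() for logging; show only fixed text and the status code.
        $status = $this->isHttpException($e) ? $e->getStatusCode() : 500;
        return response()->view('errors.generic',
            ['message' => 'An internal error occurred.'], $status);
    }
}

// In a controller, instead of abort('401', $text):
//   throw new UserVisibleException(
//       'please contact support to gain access to this item.', 401);
```

The `errors.user` view prints `{!! $message !!}` only because it was escaped in the handler; `errors.generic` must never receive the original exception object.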

If you look in your app.php file:

  'debug' => env('APP_DEBUG', false), 

In your .env file, set this to false. This ensures that no debugging errors are shown in the production environment.

Once this is set, you can handle the usual exceptions through your controller. For everything else, Laravel does not display the error page.

+2

Source: https://habr.com/ru/post/1245192/