[OWASP_PHPSEC] error.php inside Core library

Abbas Naderi abiusx at owasp.org
Mon Jul 29 13:13:08 UTC 2013

Answers inline
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Mordad 7, 1392, at 9:38 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> Hello All,
> I was reading error.php which is inside core library...I have a couple of questions:
> 1) When function disable is called, it restores the error handler and the shutdown function would be un-registered. However, the state of the variable $isShutdownRegistered is not changed. It is still true.
> So, shouldn't it be changed to false as well when "disable()" is called.
You cannot unregister a shutdown function. That's why we have a flag that is checked inside it, and that's why no matter how many times the system is en/disabled, it's only registered once.

> 2) Function names _errorToException() and _shutDown() are using "_" to start their names. Why is that? Is putting "_" before a function name some standard to denote that they are critical functions or something?
Because they are callbacks to PHP SPL library, and need to be public, yet the developers should never call them and they should be somewhat private. A better approach is to replace it with anonymous functions (closures) to prevent name pollution.
> -------------------------------------------------------------------------------------------------------------------------
> In this code:
> //only say fatal error, if the last error has been fatal!
> 		if ($type==E_ERROR or $type==E_CORE_ERROR or $type==E_PARSE or $type==E_COMPILE_ERROR or $type==E_USER_ERROR)
> 		{
> 			if (strpos($e['message'],"ErrorException")===false) //exceptions automatically have filename in their message
> 				echof ("Fatal Error ?: ? [?:<strong>?</strong>]",$e['type'],$e['message'],$e['file'],$e['line']);
> 			else
> 				echo_br("Fatal Error {$e['type']}: {$e['message']}");
> 			exit(1);
> 		}
> ------------------------------------------------------------------------------------------------------------------------------
> 3) I spotted use of <strong></strong> tags. Shouldn't we remove them?
You can remove them, it's no biggie. Just wanted it to look like casual PHP errors.
> 4) Inside the if condition, if class name "ErrorException" is found, then that error has already been converted to error. The message should then say "Fatal Exception" instead of "Fatal Error". If that is not the case, then I don't understand why there are two different kinds of error message depending on whether "classname" is found inside them or not.
Because exceptions have stack trace in their messages, but errors don't.
> 5) Why is echo_br used? There are no new lines to be converted to <BR>.
We should never use PHP's echo in our code, and we even have to prevent it in the whole code. echo_br does an echo and a BR, but it encodes its parameters to prevent injections. Some error messages might be convertible to scripts via certain inputs.
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
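
As an added example (not the project's error.php and not code from this thread), a sketch of three points from the reply above: a shutdown function registered once and gated by a flag, closures used as the callbacks, and fatal-error output that encodes its parameters. The class `ErrorGuard`, its methods and the sample error array are hypothetical, and PHP 7.4 or later is assumed.

```php
<?php
// Added illustration; names are hypothetical, not the project's error.php.
final class ErrorGuard
{
    private static bool $enabled = false;
    private static bool $shutdownRegistered = false;

    public static function enable(): void
    {
        self::$enabled = true;
        // Closure callback: no public _errorToException() method is exposed.
        set_error_handler(static function (int $no, string $msg, string $file, int $line): bool {
            if (!(error_reporting() & $no)) {
                return false; // respect error_reporting and @-suppression
            }
            throw new ErrorException($msg, 0, $no, $file, $line);
        });
        // register_shutdown_function() has no inverse, so register once
        // and let the closure consult the flag at shutdown.
        if (!self::$shutdownRegistered) {
            self::$shutdownRegistered = true;
            register_shutdown_function(static function (): void {
                if (self::$enabled) {
                    echo self::renderFatal(error_get_last());
                }
            });
        }
    }

    public static function disable(): void
    {
        self::$enabled = false; // the shutdown closure stays registered but does nothing
        restore_error_handler();
    }

    // Returns encoded HTML for a fatal error, or '' when the last error was not fatal.
    public static function renderFatal(?array $e): string
    {
        $fatal = [E_ERROR, E_CORE_ERROR, E_PARSE, E_COMPILE_ERROR, E_USER_ERROR];
        if ($e === null || !in_array($e['type'], $fatal, true)) {
            return '';
        }
        $enc = static fn($v): string => htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return sprintf("Fatal Error %s: %s [%s:%s]<br/>\n",
            $enc($e['type']), $enc($e['message']), $enc($e['file']), $enc($e['line']));
    }
}

// Constructed sample: an error message carrying markup is rendered inert.
echo ErrorGuard::renderFatal(['type' => E_USER_ERROR, 'message' => '<script>alert(1)</script>', 'file' => '/app/x.php', 'line' => 7]);
```

Calling `enable()` and `disable()` repeatedly leaves exactly one shutdown closure registered; only the `$enabled` flag changes.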
