This is because if you have display_errors = on, then potentially, if an error were to occur, a viewer could see the connection details.
What kind of error?
I think the author got the reason wrong.
Placing sensitive data within the document root (or public_html directory) can be an issue when, for some reason, PHP fails to parse the page, and the page is served as is.
It doesn't matter if display_errors is on or off, since PHP doesn't even work.
So either way, you should not place sensitive data within your document root, unless you're willing to accept the possibility of it being leaked just like that.
You would place them outside your document root, perhaps in the www directory, depending on how your server is set up.
Ask your server administrator for more information, as some servers may not allow this.
But for production websites, one should keep display_errors off, so that if an error with the PHP script occurs, perhaps due to a bug in your coding that testing did not reveal, the PHP interpreter will not reveal information to the user that may allow the user to compromise the system.
It is a sort of security through obscurity, and should not be relied on, but helps, at least a bit.
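Added example, not code from any poster in this thread: a loader that refuses a credentials file the web server could serve as plain text, combined with the production error settings discussed above. The directory layout, file names, function names and config keys are constructed for the demonstration.

```php
<?php
// Added example; paths, file names and keys below are constructed for the demo.
declare(strict_types=1);

// Production error handling: log errors, never echo them into the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** True when $file resolves to a location outside $docRoot (symlinks resolved). */
function isOutsideDocRoot(string $file, string $docRoot): bool
{
    $realFile = realpath($file);
    $realRoot = realpath($docRoot);
    if ($realFile === false || $realRoot === false) {
        return false; // unresolved path: treat as unsafe
    }
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realFile, $prefix, strlen($prefix)) !== 0;
}

/** Load a PHP config array, refusing any file that the web server could serve. */
function loadConfig(string $file, string $docRoot): array
{
    if (!isOutsideDocRoot($file, $docRoot)) {
        throw new RuntimeException('Config file missing or inside the document root');
    }
    return require $file;
}

// Constructed layout: <tmp>/site_xxxx/public_html is the document root,
// <tmp>/site_xxxx/config holds the secrets and is never mapped to a URL.
$base = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
mkdir("$base/public_html", 0700, true);
mkdir("$base/config", 0700, true);
$cfgCode = "<?php return ['db_user' => 'demo', 'db_pass' => 'constructed-secret'];";
file_put_contents("$base/config/db.php", $cfgCode);
file_put_contents("$base/public_html/db.php", $cfgCode); // the layout to avoid

$cfg = loadConfig("$base/config/db.php", "$base/public_html");
echo "outside docroot: loaded config for user {$cfg['db_user']}\n";

try {
    loadConfig("$base/public_html/db.php", "$base/public_html");
} catch (RuntimeException $e) {
    error_log($e->getMessage());      // detail goes to the log
    echo "inside docroot: refused\n"; // the visitor sees nothing specific
}
```

In a real site the second argument would be the server's configured document root rather than a temporary directory.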