[Vtigercrm-developers] <RANT>When coding do not turn off warnings!</RANT>
Błażej Pabiszczak
b.pabiszczak at yetiforce.com
Thu May 14 20:55:06 GMT 2015
I completely disagree with you. All good security practices, which I
have got familiar with, clearly describe principles for displaying
errors. A user should only see errors handled by the application. Other
errors such as sql, php, apache shouldn't be visible and I don't think
there are any arguments against it.
Not a single application is ideal, but displaying errors is a serious
breach of security and should never happen. A good example is websites
with web server errors [e.g. 403, 404] that should also be handled by
the application [should have its own error pages] because hackers can get
information about software and its version from the default websites for
server errors.
---
Regards
BŁAŻEJ PABISZCZAK
_Chief Executive Officer_
M: +48.884999123
E: b.pabiszczak at yetiforce.com
On 2015-05-14 03:02, Hamono, Chris (DPC) wrote:
> A note to developers, vtiger, yetiforce or otherwise.
>
> If you must recommend turning off php warnings in your code. You are doing it wrong!
>
> I cannot make this point strongly enough.
>
> There is a reason all compilers and interpreters spit out massive amounts of warnings. It's because these warnings indicate where your code is SLOPPY.
>
> By ignoring those warnings you are potentially coding security risks and buggy code. uninitialized variables are the most common source of warnings and also the most common source of bugs.
>
> So if you tell users they must turn off warnings it's a sign that the code is poorly written.
>
> Chris
>
> _______________________________________________
> http://www.vtiger.com/
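Added example, my own code rather than anything from this thread or from the vtiger/YetiForce code base: a PHP bootstrap that keeps error_reporting(E_ALL) as Chris asks, but routes warnings, exceptions and fatal errors to the server log under a reference id and shows the generic error page Błażej describes, so neither position has to give way. The log path and the errors triggered at the bottom are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Weak setting that installation guides often recommend: hide the noise by
// turning warnings off and/or rendering raw errors into the page.
//   error_reporting(E_ALL & ~E_WARNING & ~E_NOTICE); ini_set('display_errors', '1');
// Hardened equivalent: report everything, display nothing, log everything.
error_reporting(E_ALL);                        // keep every warning and notice
ini_set('display_errors', '0');                // never render them into the response
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // placeholder path

function render_generic_error(string $ref): void {
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    // Only an opaque reference id reaches the user; details stay server-side.
    echo '<h1>Something went wrong</h1><p>Reference: '
        . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8') . '</p>';
}

set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // silenced with @, leave it to PHP's default path
    }
    // Warnings are logged, not swallowed, so sloppy code is still visible to developers.
    error_log(sprintf('[php %d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;     // stop PHP from falling through to its own display
});

set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[ref %s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    render_generic_error($ref);
});

// Fatal errors bypass set_error_handler; pick them up on shutdown instead.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && in_array($err['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        $ref = bin2hex(random_bytes(8));
        error_log(sprintf('[ref %s] fatal: %s in %s:%d', $ref, $err['message'], $err['file'], $err['line']));
        render_generic_error($ref);
    }
});

// Constructed demonstration: an undefined variable (E_WARNING in PHP 8) is logged, not shown,
// and a database-style failure reaches the user only as a reference id.
$copy = $neverAssigned;
throw new RuntimeException('SQLSTATE[42S02]: Base table or view not found (constructed)');
```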