[Vtigercrm-developers] <RANT>When coding do not turn off warnings!</RANT>

Hamono, Chris (DPC) Chris.Hamono at sa.gov.au
Fri May 15 01:07:52 GMT 2015


Perhaps I didn’t explain myself

If your application fails to handle errors intelligently, then it is flawed.

Turning off warnings is not a part of a good design process. Yes, you must prevent errors that can be used against users or that will leak information from reaching the end user.

Turning off errors to hide bad coding practices is not an acceptable way of coding. It hides potentially serious flaws.

e.g.
$module = $_REQUEST['module']; <== Sloppy code and generates a warning (and possibly a stack dump)

The above is an example of very poor coding. I know that the vtiger devs are slowly removing such bad coding, but to_html() is one instance, called numerous times, that contains examples of poor practices.

So, turn off display_errors: 100% agree.

log_errors should be on, and you should be monitoring the logs to see what bad things happen so you can fix them.

Don’t use a confused concept of security as a way to hide bad coding practices.

Chris
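The two settings Chris describes (display_errors off, log_errors on) and the sloppy $_REQUEST read, as an added PHP example that is not vtiger or YetiForce code and not part of the original post. The module allowlist, the log path and the sample request are assumptions made for illustration; the point it shows is that a suppressed notice lets a null flow onward silently, while reporting E_ALL and routing it to the log (and a generic page for the user) makes the same defect visible to the maintainer without leaking anything to the end user.

```php
<?php
// Added example (not vtiger/YetiForce code): the sloppy read from the thread
// beside a hardened version, plus the display_errors/log_errors setup.
// KNOWN_MODULES, the log path and the sample request are assumptions.
declare(strict_types=1);

// --- Policy: report everything, display nothing, log everything ---
error_reporting(E_ALL);                 // never silence notices/warnings
ini_set('display_errors', '0');         // users must not see PHP/SQL/stack output
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path; monitor it

// Promote every notice/warning to an exception so sloppy code cannot "just
// work" on a null: the defect is logged with a trace instead of disappearing.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false;                   // honour the @ operator / disabled levels
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Uncaught exceptions: full detail to the log, a generic page to the user.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d%s%s', get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine(), PHP_EOL, $e->getTraceAsString()));
    http_response_code(500);
    echo "An internal error occurred. The incident has been logged.\n";
});

// --- The sloppy pattern quoted in the thread ---
function sloppyModule(): string
{
    // "Undefined index" notice (PHP 7) / "Undefined array key" warning (PHP 8)
    // when ?module= is absent. With warnings suppressed, $module is simply null
    // and flows on into includes, SQL or templates without anyone noticing.
    return $_REQUEST['module'];
}

// --- Hardened version: presence check plus allowlist, no trust in raw input ---
const KNOWN_MODULES = ['Accounts', 'Contacts', 'Leads'];   // assumed allowlist

function requestedModule(array $request): string
{
    $module = $request['module'] ?? null;   // no notice when the key is missing
    if (!is_string($module) || !in_array($module, KNOWN_MODULES, true)) {
        // The real reason, including the attacker-supplied value, goes to the
        // log for the maintainers; the caller shows the user a generic message.
        error_log('Rejected module parameter: ' . var_export($module, true));
        throw new InvalidArgumentException('Unknown module');
    }
    return $module;
}

// Constructed sample request: the parameter is missing, as in a probing request.
$_REQUEST = [];

try {
    echo 'hardened: ' . requestedModule($_REQUEST) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "Bad request.\n";              // generic to the user; detail already logged
}

// The sloppy read now raises an ErrorException through the handler above rather
// than silently yielding null; it lands in the log and the user sees only the 500.
echo 'sloppy: ' . sloppyModule() . PHP_EOL;
```

Run it from the command line to see both paths: the hardened read rejects the missing parameter with a logged reason and a generic response, and the sloppy read, which would have returned null with warnings turned off, is caught and logged with a trace instead.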

From: vtigercrm-developers-bounces at lists.vtigercrm.com [mailto:vtigercrm-developers-bounces at lists.vtigercrm.com] On Behalf Of Blazej Pabiszczak
Sent: Friday, 15 May 2015 6:25 AM
To: vtigercrm-developers at lists.vtigercrm.com
Subject: Re: [Vtigercrm-developers] <RANT>When coding do not turn off warnings!</RANT>


I completely disagree with you. All good security practices which I have become familiar with clearly describe principles for displaying errors. A user should only see errors handled by the application. Other errors, such as SQL, PHP, Apache, shouldn’t be visible, and I don’t think there are any arguments against it.

Not a single application is ideal, but displaying errors is a serious breach of security and should never happen. A good example is websites with web server errors [e.g. 403, 404], which should also be handled by the application [it should have its own error pages], because hackers can get information about the software and its version from the default web server error pages.
---
Regards

Błażej Pabiszczak
Chief Executive Officer
M: +48.884999123
E: b.pabiszczak at yetiforce.com



On 2015-05-14 03:02, Hamono, Chris (DPC) wrote:

A note to developers, vtiger, yetiforce or otherwise.

If you must recommend turning off PHP warnings in your code, you are doing it wrong!

I cannot make this point strongly enough.

There is a reason all compilers and interpreters spit out massive amounts of warnings. It’s because these warnings indicate where your code is SLOPPY.

By ignoring those warnings you are potentially coding security risks and buggy code. Uninitialized variables are the most common source of warnings and also the most common source of bugs.

So if you tell users they must turn off warnings it’s a sign that the code is poorly written.

Chris

_______________________________________________
http://www.vtiger.com/