<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Well, there are development settings and production settings for a
reason: the idea is you develop with errors turned on, then turn
them off for production. It would be rather nice if vtiger wasn't
such a complete avalanche of warnings; it would make development
easier. I want to see errors I caused, much better than staring at a
blank white screen and guessing what the problem was! "Patches
welcome" is a fair response to this kind of thing; it isn't hard to
address most warnings, someone just has to get on and do it.<br>
<br>
Alan.<br>
<br>
<div class="moz-cite-prefix">On 14/05/15 21:55, Błażej Pabiszczak
wrote:<br>
</div>
<blockquote
cite="mid:bde2005ba27ebdeb0633f8c185a6a68c@yetiforce.com"
type="cite">
<p>I completely disagree with you. All good security practices,
which I have got familiar with, clearly describe principles for
displaying errors. A user should only see errors handled by the
application. Other errors such as SQL, PHP, Apache shouldn’t be
visible and I don’t think there are any arguments against it.</p>
<p>Not a single application is ideal, but displaying errors is a
serious breach of security and should never happen. A good
example are websites with web server errors [e.g. 403, 404] that
should be also handled by the application [should have its own
error pages] because hackers can get information about software
and its version from the default websites for server errors.</p>
<div>---<br>
<div>Regards</div>
<div> </div>
<div><strong>Błażej Pabiszczak</strong></div>
<div><em>Chief Executive Officer</em></div>
<div>M: +48.884999123<br>
E: <a moz-do-not-send="true" title="Mail do Błażej Pabiszczak"
href="mailto:b.pabiszczak@yetiforce.com">b.pabiszczak@yetiforce.com</a></div>
</div>
<p> </p>
<p>On 2015-05-14 03:02, Hamono, Chris (DPC) wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left:
#1010ff 2px solid; margin: 0">
<div class="WordSection1">
<p class="MsoNormal">A note to developers, vtiger, yetiforce
or otherwise.</p>
<p class="MsoNormal">If you must recommend turning off PHP
warnings in your code, you are doing it wrong!</p>
<p class="MsoNormal">I cannot make this point strongly enough.</p>
<p class="MsoNormal">There is a reason all compilers and
interpreters spit out massive amounts of warnings. It’s
because these warnings indicate where your code is SLOPPY.</p>
<p class="MsoNormal">By ignoring those warnings you are
potentially coding security risks and buggy code.
Uninitialized variables are the most common source of
warnings and also the most common source of bugs.</p>
<p class="MsoNormal">So if you tell users they must turn off
warnings it’s a sign that the code is poorly written.</p>
<p class="MsoNormal">Chris</p>
</div>
<br>
<div class="pre" style="margin: 0; padding: 0; font-family:
monospace">_______________________________________________<br>
<a moz-do-not-send="true" href="http://www.vtiger.com/">http://www.vtiger.com/</a></div>
</blockquote>
<br>
</blockquote>
<br>
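<p>The thread's two positions (report every warning; never show raw errors to users) can be combined in one bootstrap. The following is an added example, not part of the original messages and not vtiger or YetiForce code; the <code>APP_ENV</code> variable and the log path are assumptions.</p>

```php
<?php
// Added example: report everything, display nothing in production.
// APP_ENV and the log path below are hypothetical names chosen for illustration.
declare(strict_types=1);

$isProduction = (getenv('APP_ENV') ?: 'production') === 'production';

// Report all errors in both environments so warnings and notices are never lost.
error_reporting(E_ALL);
// Raw PHP errors reach the browser only during development.
ini_set('display_errors', $isProduction ? '0' : '1');
ini_set('display_startup_errors', $isProduction ? '0' : '1');
// Always keep a server-side record, whatever the environment.
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-error.log'); // hypothetical path

// Promote warnings and notices to exceptions so they cannot be silently ignored.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // respect @-suppression and the current reporting level
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Last-resort handler: full detail goes to the log, a generic page goes to the user.
set_exception_handler(function (Throwable $e) use ($isProduction): void {
    $ref = bin2hex(random_bytes(6)); // reference the user can quote to support
    error_log(sprintf(
        '[%s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=UTF-8');
    }
    if ($isProduction) {
        // No message, path, query or stack trace is sent to the client.
        echo '<h1>Something went wrong</h1><p>Reference: '
            . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8') . '</p>';
    } else {
        // Development: show the full exception, escaped for HTML.
        echo '<pre>' . htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
});
```

<p>Fatal errors that bypass these handlers are still hidden by <code>display_errors=0</code> and recorded by <code>log_errors</code>. The web server's own 403/404 pages and version banners are configured outside PHP, for example with Apache's <code>ErrorDocument</code> and <code>ServerTokens</code> directives and PHP's <code>expose_php</code> setting.</p>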
</body>
</html>