<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-AU link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Perhaps I didn’t explain myself<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If your application fails to handles errors intelligently then it is flawed.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Turning off warnings is not a part of a good design process. Yes you must prevent errors that can be used against users or will leak information from reaching the end user. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Turning off errors to hide bad coding practices is not an acceptable way of coding. It hides potentially serious flaws.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>e.g.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>$module = $_REQUEST[‘module’]; < == Sloppy code and generates a warning (and possibly a stack dump)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The above is an example of very poor coding. I know that the vtiger devs are slowly removing such bad coding but to_html() is one instance called numerous times that contains examples of poor practices.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>So turn off display_errors 100% agree<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>log_errors should be on and you should be monitoring the ;logs to see what bad things happen so you can fix them<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Don’t use a confused concept of security as a way to hide bad coding practices.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Chris<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> vtigercrm-developers-bounces@lists.vtigercrm.com [mailto:vtigercrm-developers-bounces@lists.vtigercrm.com] <b>On Behalf Of </b>Blazej Pabiszczak<br><b>Sent:</b> Friday, 15 May 2015 6:25 AM<br><b>To:</b> vtigercrm-developers@lists.vtigercrm.com<br><b>Subject:</b> Re: [Vtigercrm-developers] <RANT>When coding do not turn off warnings!</RANT><o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>I completely disagree with you. All good security practices, which I have got familiar with, clearly describe principles for displaying errors. A user should only see errors handled by the application. Other errors such as sql, php, apache shouldn’t be visible and I don’t think there are any arguments against it.<o:p></o:p></span></p><p><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Not a single application is ideal, but displaying errors is a serious breach of security and should never happen. A good example are websites with web server errors [e.g. 403, 404] that should be also handled by the application [should have its own error pages] because hakers can get information about software and its version from the default websites for server errors.<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>---<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Z poważaniem / Regards<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><strong><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Błażej Pabiszczak</span></strong><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><em><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Chief Executive Officer</span></em><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>M: +48.884999123<br>E: <a href="mailto:b.pabiszczak@yetiforce.com" title="Mail do Błażej Pabiszczak">b.pabiszczak@yetiforce.com</a><o:p></o:p></span></p></div></div><p><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'> <o:p></o:p></span></p><p><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>W dniu 2015-05-14 03:02, Hamono, Chris (DPC) napisał(a):<o:p></o:p></span></p><blockquote style='border:none;border-left:solid #1010FF 1.5pt;padding:0cm 0cm 0cm 5.0pt;margin-left:0cm;margin-right:0cm'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>A note to developers, vtiger, yetiforce or otherwise.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>If you must recommend turning off php warnings in your code. You are doing it wrong!<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I cannot make this point strongly enough.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>There is a reason all compilers and interpreters spit out massive amounts of warnings. It’s because these warnings indicate where your code is SLOPPY.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>By ignoring those warnings you are potentially coding security risks and buggy code. uninitialized variables are the most common source of warnings and also the most common source of bugs.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>So if you tell users they must turn off warnings it’s a sign that the code is poorly written.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Chris<o:p></o:p></p></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>_______________________________________________<br><a href="http://www.vtiger.com/">http://www.vtiger.com/</a><o:p></o:p></span></p></div></blockquote></div></body></html>