PHP Notices and Warnings

Question

I have looked far and wide but haven't been able to find anything related to this specific situation, I am a backend developer and always write (something similar to):

if (!defined("something")) define("something", true);

instead of just

define("something"; true);

The second snippet will trigger a Notice if the file is included more than once. Similar situation with array indexes:

$data = array();
echo $data["does not exist"];

will trigger a notice, so my preferred way is to:

$data = array();
if (isset($data["does not exist"]) echo $data["does not exist"];
else echo "Missing info";

PHP has the ability to suppress these messages but I keep them enabled because I consider these checks good practice, but I lack the evidence to prove that they are needed and recently a coworker argued that there is no effect in coding without the checks.

Are you aware of any security implication in not writing the checks? or am I perhaps being paranoid and disabling the notices is acceptable?

PS: Not sure if this question is more suitable for StackOverflow but feel free to let me know and I'll try to move it.

Answer 1

Disabling notices during development is not acceptable, as it points out problems with your code. Ideally, your code should be able to run with the E_ALL, and E_STRICT error reporting levels, and still not report any errors. Exact details are dependant on the PHP version, documentation can be found here .

I do not think either option is more, or less insecure than the other, unless there is another security issue it may somehow be masking. I believe that either form is bad practice though.

When a site is in production it is important to only log errors, and set ini.display_errors off. Reducing the error reporting level in production may be useful if it is impossible to deal with code producing large amounts of certain errors, but that code should be rectified.

I do believe that code should avoid generating notices, it may be a "lesser" issue, but it is still an issue which should be taken care of at development time.

The correct way to avoid these errors is simply to avoid including files more than once. (See: include_once() , or require_once() ) If you are using a framework, it likely includes a method to handle includes for you. Consult the relevant documentation, and ensure that you are using their implementation for including files.

Answer 2

Avoiding notices is a good practice.

Probably you should learn a little bit of defensive programming and follow The Right Way .

Hiding errors and notices during the development can cause serious problems in future. Usually, notices tells you about bad programming style or non-obvious bugs, which tends to tricky bugs, unmaintainable code and security vulnerabilities.

Good code never produce notices and errors because it controls the situation when they can happens.

Answer 3

There are plenty of ways to handle errors and exceptions in system. I worked with plenty of frameworks and believe me they don't rely on display_errors and ini_config flags.

PHP has advance facility to handle errors and exception that generated by code using set_exception_handler and set_error_handler . So if you want to hide errors then you can turn off display_errors but you should put above two functions to log your errors.

Defensive programming is very useful if you want to sit back and relax after uploading work over production side.