Hi all.

I wrote a function that gets the balance from PayPal. To connect properly I'm passing the user, password and certificate as parameters. Everything looks OK until something throws an exception inside and PHP prints all the parameters (user details in this case) in the stack trace. I'm logging everything to a file so users wouldn't be able to see it anyway, but I'd really like to know how to hide sensitive information from the stack trace. To be true, I don't even like the idea of having it print out passwords to log files...

Thanks for your time and help :)

Cheers, Diogo

+5  A: 

If it's PHP that is throwing an exception, can't you catch it within a try/catch block?

Guillaume Lebourgeois
+1  A: 

Catch the exception, then handle it rationally without exposing the information. For example, you could log the fact that there was a PayPal exception and display a message along those lines to the user, but without showing the exception string itself.

JSBangs
Yes, I should do that :) but what if it comes from a place you didn't know it could throw an exception? (from some API calls for example)
DiogoNeves
@Diogo, your public PHP configuration should be set to not display exceptions to the user. Your testing site can give full error information, but not your production site.
JSBangs
Great! :) Need to have a look at it hehe
DiogoNeves
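
An added example, not written by any poster in this thread, that combines the advice above with a log entry that never contains argument values. It assumes PHP 8.2 or later for `#[\SensitiveParameter]`; `getPayPalBalance`, `describeThrowable` and the credentials are hypothetical or constructed.

```php
<?php
declare(strict_types=1);

// Production: never render errors to the client; write them to the log only.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Hypothetical stand-in for the asker's PayPal call. On PHP 8.2+ the attribute
// makes backtraces show a SensitiveParameterValue object instead of the value.
function getPayPalBalance(
    string $user,
    #[\SensitiveParameter] string $password,
    #[\SensitiveParameter] string $certificate
): float {
    throw new RuntimeException('PayPal API call failed'); // simulated failure
}

// Build a log entry from frames only: file, line and function, never 'args'.
function describeThrowable(Throwable $e): string
{
    $lines = [sprintf('%s: %s at %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine())];
    foreach ($e->getTrace() as $i => $frame) {
        $lines[] = sprintf(
            '#%d %s:%s %s%s()',
            $i,
            $frame['file'] ?? '[internal]',
            $frame['line'] ?? '?',
            isset($frame['class']) ? $frame['class'] . ($frame['type'] ?? '::') : '',
            $frame['function']
        );
    }
    return implode("\n", $lines);
}

// Catches exceptions from places you did not expect (e.g. inside API calls).
set_exception_handler(function (Throwable $e): void {
    error_log(describeThrowable($e));
    http_response_code(500);
    echo 'Sorry, the payment service is unavailable right now.';
});

// Constructed sample credentials, for demonstration only.
getPayPalBalance('demo-user', 'constructed-password', 'constructed-cert');
```

The exception message is still logged as-is, so a library that copies credentials into its message text needs that message filtered separately.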