The title pretty much says it all... is it a bad idea? I'd like to have the enhanced debug messages that XDebug provides on the server.

[edit] Just to make things clear. I'm aware there are security risks involved. Perhaps I should complement my question and give more precise reasons why I would want to do this.

Our production server hosts a testing platform also. Sometimes we use it to test things on an environment as close to production as possible. The main thing I'm looking for is using XDebug's enhanced var_dump().

This is not an app server for high traffic apps and performance is not that big of an issue. I was just curious if performance would be noticeably impacted by XDebug.

Besides, I guess I could enable it only for the VirtualHost that defines the testing sites.

+1  A: 

Why on earth do you want something like that? Debug before you deploy to production. It will make the app slower.

Hanse
A: 

You should never display debug error messages on a production server. It's ugly for your users and also a security risk. I'm sure it will make it a little slower too.

David Radcliffe
A: 

You should never keep that on production.

Your application should never need to print out "those nice debug messages", as they are not nice at all to your users. They are a sign of poor testing and they will kill users' trust, especially in an enterprise/ecommerce environment.

Second, the more detailed technical information you reveal, the more you are likely to get hacked (especially if you are already revealing that there ARE in fact problems with your code!). Production servers should log errors to files, and never display them.

Speed of execution is your least concern, anyway it will be impacted by it, as will memory.

Palantir
That's what I thought... Actually the only feature I wanted is the enhanced `var_dump()` formatting. I'm aware there's a security risk as well...
Andrei
+1  A: 

Hello Andrei:

Besides the obvious fact that debug messages cannot be displayed in an application that is already in production, and also the fact that I don't know why you would like that, there are a couple of things really bad about it.

The first one is that when you add debugging behavior to your server, the debug engine "attaches" to the PHP process and receives messages from the engine to stop at breakpoints, and this is BAD, because it introduces a high performance blow to have another process stopping or "retaining" the PHP parser.

Another big issue is that when a debugger is installed, at least most of them, they tend to have the nasty habit of opening ports in your server, because they are not intended for production environments, and as you may know, any software that opens ports in your server is opening a door for any hacker around.

If you need to have debugging in your code, then implement a debugging system in your application if one is not available, since most frameworks have this built in. Set a configuration value, say DEBUG_ENABLED, and when throwing exceptions, if it is not enabled, redirect to a pretty page, else to an ugly page with debugging information, but take good care of what debugging information you display on your server. I hope this clarifies everything.

David Conde
Thanks for your answer. I've edited my question because many answers mentioned what you (rightly) suggest: security issues and in general bad practice.
Andrei
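
The `DEBUG_ENABLED` switch suggested in David Conde's answer, combined with the advice in Palantir's answer to log errors rather than display them, as an added example that is not part of the original thread. The `APP_DEBUG` environment variable and the `render_exception()` helper are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical flag read from the environment (assumption: APP_DEBUG=1 is set
// only for the testing site). Anything else, including unset, means off.
define('DEBUG_ENABLED', getenv('APP_DEBUG') === '1');

// Never let PHP itself print errors into the response; send them to the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Build the response body for an uncaught exception.
 * Full detail always goes to the log; the browser sees it only in debug mode.
 */
function render_exception(Throwable $e, bool $debug): string
{
    // Random reference so a user report can be matched to the log entry.
    $ref = bin2hex(random_bytes(6));
    error_log(sprintf('[%s] %s: %s in %s:%d%s%s', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine(), PHP_EOL,
        $e->getTraceAsString()));

    if (!$debug) {
        // Production: no class names, file paths, or stack traces.
        return "<h1>Something went wrong</h1><p>Reference: {$ref}</p>";
    }
    // Testing: show detail, HTML-escaped so exception text cannot inject markup.
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<h1>' . $esc(get_class($e)) . '</h1><pre>'
        . $esc($e->getMessage() . "\n" . $e->getFile() . ':' . $e->getLine()
        . "\n" . $e->getTraceAsString()) . '</pre>';
}

set_exception_handler(static function (Throwable $e): void {
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo render_exception($e, DEBUG_ENABLED);
});

// Constructed demonstration: an uncaught exception carrying sensitive detail.
throw new RuntimeException('DB connect failed for user "app" at 10.0.0.5');
```

With the flag off, the response carries only the generic message and the reference, while the connection detail and stack trace go to the error log under that same reference.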