Wednesday, December 7. 2005
Today I had the pleasure to look at code examples from a recently released book. I guess readers of my blog know exactly what book I am referring to.
I will only cover the first two code examples, which explain how to configure and use PHP's logging capabilities, because they are funny enough on their own and reveal some nice insights.
<?php
ini_set('error_reporting', E_ALL | E_STRICT);
ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');
ini_set('error_log', '/usr/local/apache/logs/error_log');
?>
This example seems to explain how a script should configure its logging in a secure way. I cannot say what the book says about this example, because I don't feel like wasting my money on it. Maybe the guys who say they have reviewed it can comment on it.
However, if you look at the example above and have a clue about file permissions, you should start to laugh, because it should not work. Then you try it and are surprised that it actually does. The author obviously wants to log errors into the Apache error log, so he tells PHP to log into the error_log file. Of course PHP will fail to open that file, because on a sanely configured web server it is writable only by the root user. The example nevertheless works because, when PHP cannot open the file configured in error_log, it falls back to the SAPI error handler, and under mod_php that handler passes the message to Apache's own logging subsystem, which writes to exactly the file in question. So the example is simply wrong and only works because of a fallback.
The next example is even funnier:
<?php
set_error_handler('my_error_handler');

function my_error_handler($number, $string, $file, $line, $context)
{
    $error  = "=========\nPHP ERROR\n=========\n";
    $error .= "Number: [$number]\n";
    $error .= "String: [$string]\n";
    $error .= "File: [$file]\n";
    $error .= "Line: [$line]\n";
    $error .= "Context:\n" . print_r($context, TRUE) . "\n\n";
    // Message type 3 appends directly to the given file; there is no fallback.
    error_log($error, 3, '/usr/local/apache/logs/error_log');
}
?>
This example, however, uses a different way to log to Apache's error_log: error_log() with message type 3 appends directly to the named file, and that code path has no fallback handler at all. If PHP cannot open the file, error_log() simply returns false and the message is lost. This means the code can only work if the script is executed as the root user or if the Apache error_log file is writable by the Apache user, which should never be allowed. (Dumping $context into the log is also questionable on its own, since it contains every variable in scope at the point of the error.) I wonder how Apache and PHP are configured on the servers of the author and the persons who have reviewed the book.
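To see the difference between the two snippets for yourself, here is an added example of mine; it is not code from the book. It reuses the Apache log path from the book and additionally assumes a dedicated PHP log file under /var/log/php that is owned by the web server user; both paths are assumptions, adjust them to your setup.

```php
<?php
// Added example, not from the book: shows why the type-0 snippet "works",
// why the type-3 snippet cannot, and how to log without touching Apache's
// root-owned error_log. Both paths below are assumptions.

$apache_log = '/usr/local/apache/logs/error_log';  // root-owned, 0644 on a sane box
$php_log    = '/var/log/php/error_log';            // assumed: owned by the web server user

// True if PHP could open $path for appending (existing writable file, or a
// missing file in a writable directory).
function can_append($path)
{
    if (file_exists($path)) {
        return is_writable($path);
    }
    return is_writable(dirname($path));
}

// Where a type-0 error_log() call (or a logged PHP error) really ends up.
function describe_type0_destination($ini_error_log)
{
    if ($ini_error_log === '' || $ini_error_log === null || $ini_error_log === false) {
        return 'SAPI logger (Apache error_log under mod_php, stderr on the CLI)';
    }
    if (can_append($ini_error_log)) {
        return "file $ini_error_log, opened by PHP itself";
    }
    // PHP cannot open the file, so it silently falls back to the SAPI logger.
    return "SAPI logger, because $ini_error_log is not writable by this process";
}

// Explicit file logging (type 3) has no fallback: error_log() returns false
// when the file cannot be opened and the message is gone. Do not swallow that;
// route the failure through the SAPI logger instead.
function log_to_file($message, $path)
{
    $ok = @error_log($message . "\n", 3, $path);
    if (!$ok) {
        error_log("could not append to $path, original message: $message");
    }
    return $ok;
}

// Named handler that never picks a file itself: type 0 means error_log ini
// setting or SAPI fallback, so it works without making Apache's log writable.
function sane_error_handler($number, $string, $file, $line)
{
    error_log("PHP error [$number] $string in $file:$line");
    return true;   // handled, do not run PHP's default handler as well
}

// --- First snippet from the book: ini-based, type 0 ---
ini_set('log_errors', 'On');
ini_set('error_log', $apache_log);
echo "type 0 goes to: ", describe_type0_destination(ini_get('error_log')), "\n";
error_log('type-0 test message');   // arrives in Apache's log via the fallback

// --- Second snippet from the book: type 3 straight into Apache's log ---
var_dump(log_to_file('type-3 test message', $apache_log));   // false unless root or misconfigured

// --- Sane alternative: a dedicated, web-user-owned PHP log ---
var_dump(log_to_file('type-3 test message', $php_log));      // true if the web user owns it

set_error_handler('sane_error_handler');
trigger_error('demo notice', E_USER_NOTICE);
```

Run it once as an unprivileged user and once as root and compare the two var_dump() results; the type-0 message shows up in Apache's log either way, the type-3 write into Apache's log only succeeds as root. If you do want a file of your own, point error_log at a file the web server user owns, not at Apache's, and leave the message type at 0 so the fallback still catches misconfiguration instead of dropping errors.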
PS: And I really wonder how quickly, after the author reads this, we are kicked out of their library again...