htaccess for PHP Error Logging – An In-depth How-to

January 11th, 2012 Leave a comment
Like the article?
How to Use htaccess for PHP Error Logging

For PHP users running Apache, we often want to be able to suppress our PHP errors from visitors so we can protect and handle those errors. We also want to log those errors since error tracking is an excellent way to troubleshoot potential problems. Catching these errors and monitoring them is a better solution than trying to catch and handle them during the user’s session. This tutorial will show you how to enable PHP error logging and error handling via .htaccess.

For Developers New to htaccess

If you are a developer that has never used the .htaccess file, here is a little help. Everyone else can move along to the first section.

The .htaccess files allow for changes to be made to the configuration of a site on Apache, on a per-directory basis. These files contain configuration directives that, when placed in a particular directory, apply those directives to that directory and all sub-directories. For the directives in this article it is best to apply them to the domain’s httpd.conf or to the site root htaccess file since we want them to affect all PHP scripts in the site.

The pound sign (#) is used for comments in .htaccess files and may be included into your file for later reference.

Hiding PHP Errors From Visitors

It is important to hide your errors from visitors, not only to enhance the user experience in the event of a problem but to prevent the potential for exploitation that could occur if the wrong user knows which modules or themes you are using. We do not want to increase the chance of an exploited vulnerability, so the less information you give out about your environment, the better.

To suppress PHP errors via .htaccess we need to add these directives:

# suppress php errors
php_flag display_startup_errors off
php_flag display_errors off
php_flag html_errors off

With these directives in place, PHP will not be able to display errors on your site. No editing or changing of your PHP code or configuration is necessary for this to work and it will keep the errors under wraps.

Enable Private PHP Error Logging

Once you have PHP errors hidden on your page, you can log them for later review and tracking. To do this, add these directives:

# enable PHP error logging
php_flag  log_errors on
php_value error_log  /home/path/public_html/domain/PHP_errors.log

The last line contains the path information for the PHP_errors.log file. You will need to create this file and set your file permissions to 755 and then edit this path to show the actual path to your log file. When these errors come in, they will now be suppressed and then logged to the file you have created.

If you want to control the level of detail that is being reported in your log file, there are several different levels available for you to choose from. These levels have numeric values that are included in the htaccess directive:

  • Complete error reporting: Int value 8191, enables logging of all errors except run-time problems. This is the highest level of error reporting.
  • Zend error reporting: Int value 128, records both fatal and non-fatal compile-time warnings that are generated by the Zend scripting engine.
  • Basic error reporting: Int value 8, records run-time notices, compile-time parse errors and run-time errors/warnings.
  • Minimal error reporting: Int value 1, records only fatal run-time errors.

To set which level of error reporting you want to use add this directive to your PHP error logging section:

php_value error_reporting "integer"

Where the integer is the value listed above for the error reporting level you wish to use. The list provided is only the most common. Some other tricks you can use are -1 which will show every possible error as well as the E_ALL constant (as of PHP 6). You can find a comprehensive list here:

Setting Max File Size

If you want to control the maximum size of your error strings you can specify the size of each error logged but not the overall file size for the log file. In the example directive below, you need to specify the maximum size allowed for each string, measured in bytes. The default is 1024 (1 KB) or you may use a zero value “0” to indicate that there are no maximum, and remove this limit.

log_errors_max_len "integer"

Protecting Your Log File

You will want to secure access to your log file so that it cannot be accessed via the browser. A good exploiter will look for log and error tracking files to give them information about where your site is vulnerable. Add these directives to your .htaccess file:

# prevent access to PHP error log
<Files PHP_errors.log>
 Order allow,deny
 Deny from all
 Satisfy All

You will want to test that your log file is secure by attempting to browse to it. The page should be denied. You can also check your that your PHP errors are being suppressed by triggering a few and then check the log file to be sure they are being logged appropriately.

Disable Logging Repeated Errors

If you would like to prevent the logging of the same error again and again, you can turn on the ignore redundancy flag which will ignore repeated errors. Here is the flag:

php_flag ignore_repeated_errors on

You can also choose to ignore the same error from different sources by enabling this flag:

php_flag ignore_repeated_source on

Once these flags have been enabled, repeat errors will no longer be logged, even with different sources if you have the second flag on.

Having a PHP error-handling strategy is a must for production environments and helps make your life easier in development environments. With this solution you will have real-time error-handling that avoids the public display of error messages and helps keep your site secure. Complete error transparency is available to the administrator via the log file, which can help keep your site working smoothly and be a large help when tracking down hard-to-find problems.

Help us spread the word!
  • Twitter
  • Facebook
  • LinkedIn
  • Pinterest
  • Delicious
  • DZone
  • Reddit
  • Sphinn
  • StumbleUpon
  • Google Plus
  • RSS
  • Email
  • Print
Don't miss another post! Receive updates via email!