
We are trying to secure a large application (including some third-party applications) and we want to disable anything that would allow programmers or potential hackers to hide errors (that is because we are using some monitoring scripts to check the logs in real time and identify any security breach).

We have disabled error_reporting, ini_set (along with some other functions); we have also installed the PHP extension scream to disable the suppression operator (no errors are displayed to the user, but everything is logged).

We are now looking for a solution to set the default PHP error_handler server side (instead of using set_error_handler as we do now). We want to use a custom error handler (for better logging of the error environment) but we do not want to allow anyone to suppress errors using the set_error_handler function.

So basically we can either disable this function (and make sure that all errors will be logged by the default handler) or maybe find a solution to set this server side (maybe an extension or some other trick) for better logging.

Any idea would really help!

UPDATE

We're using Apache with mod_php so we cannot use [PATH] to disable_functions for a certain script. Changing this is not exactly an option.

Art
  • I don't think you can actually make third-party PHP code safe without using safe_mode. And even then it's a PIA to do so. In short, anyone that can control PHP code can breach your security. – ToBe Nov 06 '13 at 15:22

1 Answer


You can try to use a prepend script which runs before each request

php_value auto_prepend_file prepend.php

In this script you can set the error handler:

<?php

set_error_handler('yourHandler');

/* EOF */

And give only this script the right to use the set_error_handler() function.

TiMESPLiNTER
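
One possible prepend.php for the approach in the answer above, added here as an example and not part of the original answer: it logs the request environment with each error, marks errors hidden by @, and at shutdown records fatal errors and checks whether a later script replaced the handler. The handler name `audit_error_handler`, the `php-audit` log prefix and the JSON fields are assumptions, as are PHP 7.2+ and error_reporting set to E_ALL in php.ini.

```php
<?php
// prepend.php: added example, loaded through auto_prepend_file before every script.
// Assumed names (not from the original post): audit_error_handler, "php-audit" prefix.

function audit_error_handler(int $errno, string $errstr, string $file = '', int $line = 0): bool
{
    // While an @-suppressed expression runs, PHP lowers error_reporting()
    // (to 0 before PHP 8, to a fatal-only mask from PHP 8). With E_ALL
    // configured in php.ini, a cleared bit therefore means "@ was used".
    $suppressed = (error_reporting() & $errno) === 0;

    $entry = [
        'time'       => date('c'),
        'level'      => $errno,
        'message'    => $errstr,
        'file'       => $file,
        'line'       => $line,
        'suppressed' => $suppressed,
        'uri'        => $_SERVER['REQUEST_URI'] ?? 'cli',
        'remote'     => $_SERVER['REMOTE_ADDR'] ?? '-',
    ];
    // JSON encoding escapes newlines, so a crafted message cannot forge log lines.
    error_log('php-audit ' . json_encode($entry, JSON_INVALID_UTF8_SUBSTITUTE));

    return false; // let PHP's built-in handler log the error as well
}

set_error_handler('audit_error_handler');

register_shutdown_function(function (): void {
    // Fatal errors never reach a user handler; record the last one here.
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR;
    $last  = error_get_last();
    if ($last !== null && ($last['type'] & $fatal)) {
        audit_error_handler($last['type'], $last['message'], $last['file'], $last['line']);
    }

    // set_error_handler() returns the handler it replaces, which is the one
    // active at the end of the request. Anything else means a script swapped it.
    $active = set_error_handler('audit_error_handler');
    if ($active !== 'audit_error_handler') {
        error_log('php-audit ' . json_encode([
            'time'  => date('c'),
            'event' => 'error_handler_replaced',
            'uri'   => $_SERVER['REQUEST_URI'] ?? 'cli',
            'by'    => is_string($active) ? $active : gettype($active),
        ]));
    }
});
```

The shutdown check only sees the handler that is active when the request ends, so a script that swaps the handler and restores it before exiting is not reported.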