Question: Why is it important from a security perspective to never display PHP error messages directly to the end user, yet always log them?
1. Error messages will contain sensitive session information
   (Session information is not shown in an error message.)
2. Error messages can contain cross site scripting attacks
   (An XSS attack is not possible with such an error message.)
3. Security risks involved in logging are handled by PHP
4. Error messages give the perception of insecurity to the user
5. Error messages can contain data useful to a potential attacker