Re: [RFC] [Discussion] Change default for zend.exception_ignore_args INI setting
On Thu, 10 Apr 2025 at 23:20, Tim Düsterhus <[email protected]> wrote:
> As I had said on GitHub before, but to put it onto the list for
> visibility:
>
> I'd rather see the value in php.ini-production being changed to Off
> to match the built-in default. see
> https://github.com/php/php-src/pull/18215#issuecomment-2768618516
Thanks Tim,
Can you please explain why you think the default should be to always
show arguments? I asked this question in the Pull Request too and
didn't really get a clear answer. I did try to address your concerns
in the RFC itself.
To summarise:
* you referenced a Stack Overflow chat asking about the difference, and
noting that the defaults for production and development should
probably be standardised as much as possible;
* you noted that the correct solution would be to set display_errors
to Off; and
* you also noted that the framework's error handler should be properly
configured.
In response to these I have extended the RFC to cover making the
development INI file the same as the production INI and default value
by setting all of these to the 'On' value.
Regarding setting display_errors to Off, I do agree, but I feel that
this is a separate RFC. I've highlighted this as future scope in the
RFC and I've also noted that there is often still value in displaying
errors without the arguments. That is to say that I feel that
display_errors should default to Off, and exception_ignore_args should
default to On.
Having defaults which do not reveal arguments unless explicitly
configured to do so is a much safer option than just showing
everything.
I do agree that the framework's error handler should be properly
configured, but mistakes happen and it is better to fail in as safe a
way as possible. The reality is that a framework that is configuring
the error handling properly is also capable of calling
ini_set('zend.exception_ignore_args', 0); during its own
initialisation and being explicit about wanting to have that
information. Developers are also able to configure their PHP
environment with developer appropriate configuration.
Ultimately mistakes can, and do, happen. PHP should be configured with
safe defaults as standard.
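
An added example, not part of the message above or of php-src: a short PHP script showing what the setting under discussion controls, namely whether an exception's stack trace carries the arguments of each call. The function connectToDatabase and the credential value are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical function standing in for any call that receives a secret.
function connectToDatabase(string $user, string $password): void
{
    throw new RuntimeException('Connection refused');
}

// Returns the rendered stack trace captured while the given value of
// zend.exception_ignore_args is active.
function traceWith(string $ignoreArgs): string
{
    // The directive can be changed at runtime with ini_set().
    ini_set('zend.exception_ignore_args', $ignoreArgs);
    try {
        connectToDatabase('app', 'hunter2-example'); // constructed credential
    } catch (RuntimeException $e) {
        // The trace is built when the exception object is created,
        // so it reflects the setting in force at that moment.
        return $e->getTraceAsString();
    }
    return '';
}

$withArgs    = traceWith('0'); // arguments recorded in the trace
$withoutArgs = traceWith('1'); // arguments omitted from the trace

echo "zend.exception_ignore_args=0\n", $withArgs, "\n\n";
echo "zend.exception_ignore_args=1\n", $withoutArgs, "\n\n";

// Check whether the constructed credential appears in each rendered trace.
echo "secret in trace with args recorded: ";
var_dump(strpos($withArgs, 'hunter2-example') !== false);
echo "secret in trace with args ignored:  ";
var_dump(strpos($withoutArgs, 'hunter2-example') !== false);
```

Anything that renders or logs the trace (display_errors output, an error handler, a log shipper) inherits whatever the trace contains, which is why the two settings are discussed together.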