3

I've been reading a couple of articles on website security and they recommend adding this code to your .htaccess file to prevent the display of PHP errors:

# suppress php errors
php_flag display_startup_errors off
php_flag display_errors off
php_flag html_errors off
php_value docref_root 0
php_value docref_ext 0

If I add this code directly into my .htaccess file I am given a 500 internal server error. What's wrong with it? Is this all deprecated stuff?

3 Answers

4

It does in fact depend on the PHP SAPI. This precise .htaccess syntax will only work with mod_php setups, not with CGI or FastCGI installations. In the latter case you would use a .user.ini (for PHP 5.3 onwards) instead.

Most of the options you have there can however be configured at runtime. Use ini_set() atop the invocation script:

ini_set("display_errors", 0);

Note that for _startup_errors it's obviously too late to be configured there. Also it's redundant to disable html_errors and the docref things if display_errors is already off.

3 Comments

Will that code, ini_set("display_errors", 0); disable all PHP errors?
It'll disable the display of all errors. With the default error handler. It does not affect logging or a custom error handler. And error_reporting(0); would have the same outcome.
Turning html errors off is not redundant. PHP happily writes HTML into text logs too :)
4

For security, it's better not to display the errors but remember to make sure their logging is enabled, so you can see the errors happening in the site and trace their sources.

In .htaccess you can write:

php_flag display_errors off
php_flag log_errors on
php_flag track_errors on
php_value error_log /path/php_error_log

Also since you are using .htaccess, you can have your own custom error pages:

ErrorDocument 401 /error401.html
ErrorDocument 403 /error403.html
ErrorDocument 404 /error404.html
ErrorDocument 500 /error500.html
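
The first answer's point that `php_flag`/`php_value` lines only work under mod_php, combined with the logging settings above, as an added example (not code from any of the answers): a Python sketch that moves those directives into `.user.ini` syntax for CGI/FastCGI hosts and checks that errors are hidden from visitors but still logged. The function names and the sample input are constructed for illustration.

```python
import re

# mod_php-only directives: php_flag/php_value <name> <value>
DIRECTIVE = re.compile(r'^\s*(php_flag|php_value)\s+(\S+)\s+(.+?)\s*$', re.I)

# Constructed sample, built from directives quoted on this page.
SAMPLE = """\
# suppress php errors
php_flag display_errors off
php_flag log_errors on
php_value error_log /path/php_error_log
ErrorDocument 500 /error500.html
"""

def htaccess_to_user_ini(text):
    """Split .htaccess text into (.user.ini lines, remaining Apache lines)."""
    ini, apache = [], []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            apache.append(line)  # comments, ErrorDocument etc. stay in .htaccess
            continue
        kind, name, value = m.groups()
        if kind.lower() == "php_flag":
            # Booleans: "on" or "1" means enabled, anything else disabled.
            value = "On" if value.lower() in ("on", "1") else "Off"
        else:
            value = '"' + value.strip('"\'') + '"'  # quote for the ini parser
        ini.append(f"{name} = {value}")
    return ini, apache

def audit(ini_lines):
    """Warn when errors would be shown to visitors or not logged."""
    s = dict(l.split(" = ", 1) for l in ini_lines)
    warnings = []
    if s.get("display_errors") != "Off":
        warnings.append("display_errors is not Off")
    if s.get("log_errors") != "On":
        warnings.append("log_errors is not On")
    if "error_log" not in s:
        warnings.append("error_log path not set")
    return warnings

if __name__ == "__main__":
    ini, apache = htaccess_to_user_ini(SAMPLE)
    print("; .user.ini\n" + "\n".join(ini))
    print("# .htaccess\n" + "\n".join(apache))
    print("warnings:", audit(ini))
```
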

-2

The best option is to disable the errors from php.ini, because in some cases doing it via .htaccess will give an Internal Server Error. ;)

1 Comment

Disabling error reporting is the same as sweeping things under the carpet, as well as being a security risk. Logging errors allows one to identify problems and resolve them.
