Innovate faster and cut risk with PHP experts from Zend Services.
See How Zend Helps Leading Hosting Providers Keep Their Managed Sites on Secure PHP
Learn PHP from PHP experts with free, on-demand, and instructor led courses.
Submit support requests and browse self-service resources.
Logging in PHP is important. In this blog, you'll learn some basics for PHP logging You'll get the answers to common questions, including those around error logging in PHP.
PHP logs are generated when error log messages are created manually or automatically. There are some default settings for logging in PHP. You can also configure PHP log settings to log specific error types.
Logging in PHP is important to understand, analyze, and troubleshoot your PHP applications.
By default, PHP doesn't log errors. So, you must configure the PHP log in order to access it.
To configure PHP logs, you'll need to:
Setting up the PHP log is an important step. It allows you to find out where errors have occurred in your PHP code.
PHP logging can be complicated. Here, we answer some questions we received in a recent webinar. These questions come from a recent webinar on PHP application coding best practices.
Is there a way to rotate the logger? It’s good to have log, but it’s also important to group them (by day for example).
Yes, full implementation of a logging extension, like PHP Monolog, or a logging component of a framework will have all that capability built-in. This is a suggested use rather than the simple Logger class component introduced in the webinar. Then, it's a matter of configuration. It's important to have a way to segregate the log entries by severity.
Why no bound parameter examples?
There were bound parameters when simulating post and get payloads in the examples in the webinar. If the intent is to use an input parameter in a log entry, that is easy to do just add it to the built log entry string.
If you have multiple websites on a virtual server, can you setup different php.ini files per a website?
By default, a web server parses a given php.ini configuration on startup. That configuration is then set for run time for the number of hosts registered with the web server.
The Apache web server provides a custom configuration capability in a file called ".htaccess". On a directory by directory basis, you can tailor the Apache behavior when parsing the directory code contents. The .htaccess file can also configure the PHP engine, to a limited degree, on a directory by directory basis. There's also a .user.ini file, also directory-specific, that tailors the PHP parser behavior based on the code found in that directory.
Why do we store the log in /var/www/rockets? The website is accessible from *:80. I think someone can access it via *:80/log.
Part of the effort of configuring a website includes a restriction on path access to the source code, log, cache content, etc.
The web server has a configuration file ".htaccess", that is used to restrict and control web server access to public resources only — not source code and log content. Then, when properly configured, it is not possible to access restricted content.
You didn’t mention anything about altering the username, especially not using "admin." Would you agree this is a best practice?
Absolutely. This can help to thwart attacks targeting those names.
Can you use ctype_alnum method in the place of real escape string?
Using ctype_alnum() is only one way to validate input. There are multiple ways of doing that based on the type of input received.
The real escape mechanism is but one way to "escape" input date before directing to output. The second prong approach to dealing with properly handling input.
The htmlspecialchars() function provides an adequate escaping mechanism for most output.
If you're using the PDO library and executing read, write, update, and delete operations on a database (which is output), then the PDO library provides that mechanism automatically.
What is Access Control List (ACL) as you mentioned in one of the code samples?
ACL is an acronym for describing a mechanism to control access to system resources.
For example, if a request for an image is made, should the user, by role, have access to that image? Or, should the user requesting a database operation, or any other type of state change, be able to do that? That's what an ACL provides. It's the ability to define roles and resources the roles have access to. This is one of those critically important security components missing in many web applications.
Error logging in PHP can be tricky. Here are some of the questions we've received on it.
What is a PHP error level?
PHP has the capability of reporting many different types of errors, or error levels. The term "error" used in this context, is a generic reference to the grouping of error types. This includes non-terminal warnings and notices. Some examples are listed here. Some errors are thrown by the parser, some by the code as directed by the developer.
Isn’t it easier to add an error-handler function to the PHP framework, instead of setting up a virtual host?
These are two different things:
Web server access and error logging are, by default, centralized to a location relative to the web server installation. PHP error logging is also centralized if just enabled in the configuration.
When enabled, PHP logging is directed to the Linux syslog by default. However, grouping PHP error logging, along with Linux system log entries, into the overall Linux syslog creates a bunch of log content. This can be difficult to manage and parse.
Most frameworks will provide the logging handler mechanism and target the logging to the Linux syslog as a default. That's okay if you really want to parse and manage all that log content. It's up to you to determine what your needs require. For sure, logging is a challenge to set up, manage, and parse.
You can think of the Logger class, as shown in the webinar, as a simplified version of more comprehensive tooling for that purpose. The virtual host configuration, as shown in the webinar, pertains to web server access and error logging, and directs it to a dedicated host location. This segregates web server logging for a dedicated web application. It's best when hosting multiple sites on a given host. But, keep in mind, by directing the web server access and error logging to a dedicated host location, and creating a dedicated location for PHP error logging makes it much easier to parse and manage the types of log entries being made.
How is the E_USER_ERROR used?
This error is the same as the system E_ERROR, except thrown by a call to the trigger_error() function within code. E_USER* errors are a result of this trigger function.
Security in PHP is important. And it starts with your code.
Every day, millions of pieces of sensitive data, both personal and business related, are processed by web applications. And every day, applications are at risk of being exposed to new PHP security threats that make that sensitive data vulnerable to attack. With the cost of data breaches averaging over $3.8M and mean time to identify attacks topping 190 days, it’s critical to ensure the security and compliance of your PHP applications and stacks.
Watch the on-demand webinar below to learn more best practices for PHP coding.
Coding in PHP is much easier with Zend. You can use Zend Server to improve web application deployment, debugging, and monitoring.
See for yourself how Zend Server will help you accelerate deployments and innovate more.
Try Zend Server