in reply to Does fatalsToBrowser give too much information to a cracker?
For logging-in type applications, I don't even relay explicitly which out of username or password is incorrect. Just tell the user to enter it again.
If you have a production application that may fail, I personally don't see any good in reporting the error to a user, and having the user feed back the error...
I think better style may be to write a die handler, issue a generic page, log the error, and send an alert via pager/email/whatever suits.
Even though the user may be faced with a nondescript page, which may be frustrating, they won't be faced with an "interpreter"-level error message (less professional). Lesser of two evils...
I generally program by the philosophy: hide all errors, and report back generic stuff only. No version numbers, no OS / external app error messages, nothing. The user is there to use the application, not understand the engine.
Draconian, yes.
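The die handler described in the reply above, as an added Perl example that is not the poster's code: full details go to a log file and an alert mail, the browser only gets a generic page with a reference id. The log path and alert address are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(strftime);

# Assumed locations for this example; adjust for your site.
my $LOG_FILE   = '/var/log/myapp/error.log';
my $ALERT_ADDR = 'oncall@example.com';

# Send the full error to whoever is on call. Failures here must not
# leak to the browser either, so the whole thing is wrapped in eval.
sub send_alert {
    my ($id, $err) = @_;
    eval {
        open my $mail, '|-', '/usr/sbin/sendmail -t' or die "sendmail: $!";
        print $mail "To: $ALERT_ADDR\nSubject: [myapp] fatal error $id\n\n$err\n";
        close $mail;
    };
}

$SIG{__DIE__} = sub {
    my ($err) = @_;
    return if $^S;    # die inside an eval: let the calling code handle it

    # Reference the user can quote to support; ties the page to the log entry.
    my $id = sprintf '%d-%d', time, $$;
    my $stamp = strftime '%Y-%m-%d %H:%M:%S', localtime;

    # Full detail (message, file, line) goes only to the log and the alert.
    if (open my $fh, '>>', $LOG_FILE) {
        print $fh "$stamp [$id] $err";
        close $fh;
    }
    send_alert($id, $err);

    # The browser gets a generic page: no Perl message, no paths, no versions.
    print "Status: 500 Internal Server Error\r\n",
          "Content-Type: text/html; charset=utf-8\r\n\r\n",
          "<html><body><h1>Something went wrong</h1>\n",
          "<p>Please try again later and quote reference $id ",
          "if you contact support.</p></body></html>\n";
    exit 1;    # stop here so Perl never prints the original message itself
};

# Example use: any uncaught die now reaches the handler above.
open my $cfg, '<', '/etc/myapp/app.conf' or die "cannot open config: $!";
print "Content-Type: text/plain\r\n\r\nok\n";
```

Because the handler returns early when `$^S` is set, code that catches its own errors with `eval` keeps working unchanged; only uncaught fatals are turned into the generic page.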