in reply to Re: Re: The art of error handling
in thread The art of error handling

Since you mentioned CGI (thus, CGI app writing), it is extremely important to return some error code and message to the user/browser (this is called "user-friendliness"). This is not so intuitive until you use CGI::Carp or better yet, your own personalized error message system which fits in with the theme of the rest of the site.
But don't be too friendly. Never tell anything about why an error happened. Just say "something broke, we already know about it", no matter what went wrong. Do not say "database error" or "invalid URL" or anything that reveals any kind of nature about why.

Yes, it's human nature to want to know (and to reveal), but it's an evil person's nature to use that information to reveal potential break-in paths. So don't. Just say no to "helpful error messages".

-- Randal L. Schwartz, Perl hacker

Re: Re: Re: Re: The art of error handling
by Hot Pastrami (Monk) on Dec 19, 2000 at 22:04 UTC
    Good point, VERY true with CGI apps. To use something like "...or die('Failed to open $file');" would reveal the path to a critical file to potential trouble-makers.

    Hot Pastrami
Re: Re: Re: Re: The art of error handling
by mirod (Canon) on Dec 19, 2000 at 22:08 UTC

    Yep! A typical example is to have the same error message when a user has an invalid login and when they used a legal login but their password is invalid. Don't let them know that they guessed a login.
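
An added example, not written by any poster in this thread, showing the advice above in a Perl CGI script: the real cause goes to a server-side log, the browser gets one fixed message, and both kinds of login failure return the same text. The log path, data file path, `%ACCOUNTS` table, helper names and the random reference id are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI ();

my $LOG      = '/var/log/myapp/error.log';    # hypothetical path, outside the web root
my %ACCOUNTS = (alice => 'correct horse');    # constructed sample; store salted hashes in practice

# Record the real cause on the server only and return a random reference id.
sub log_detail {
    my ($detail) = @_;
    my $id = sprintf '%08x', int(rand(2**32));
    $detail =~ s/[\r\n]+/ /g;                 # user input must not forge extra log lines
    my $line = sprintf "[%s] incident=%s %s\n", scalar(localtime), $id, $detail;
    if (open my $fh, '>>', $LOG) { print {$fh} $line; close $fh }
    else                         { print STDERR $line }   # falls back to the web server's error log
    return $id;
}

# The browser sees the same text whatever went wrong; the id reveals nothing about the cause.
sub fail {
    my ($q, $detail) = @_;
    my $id = log_detail($detail);
    print $q->header(-status => '500 Internal Server Error', -type => 'text/plain');
    print "Something broke, we already know about it. (Reference: $id)\n";
    exit;
}

# Unknown login and wrong password are told apart in the log, never in the reply.
sub check_login {
    my ($user, $pass) = @_;
    my $known = exists $ACCOUNTS{$user};
    my $ok    = $known && $ACCOUNTS{$user} eq $pass;
    log_detail($known ? "bad password for '$user'" : "unknown login '$user'") unless $ok;
    return $ok ? 'Welcome.' : 'Invalid login or password.';
}

my $q    = CGI->new;
my $file = '/srv/myapp/data/motd.txt';        # hypothetical data file
# The path and $! go to the log, not into a die() message sent to the browser.
open my $in, '<', $file or fail($q, "open $file: $!");
close $in;

my $user = $q->param('user');
my $pass = $q->param('pass');
print $q->header(-type => 'text/plain');
print check_login($user // '', $pass // ''), "\n";
```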