PHP Error Handling

This is one of a (hopefully) continuing series of posts on programming, mostly PHP/MySQL and a bit of JavaScript. It’s mostly for my own use – since this is not a widely-read blog. But it may be useful for anyone that stumbles into this place.

This short post is about error handling in PHP. You’ll find lots of other info on error handling, how to do it, what it is, etc. But here’s the code that I use. It’s simple, and will catch production-type errors, where you don’t want people to see the error on your nice web site.

I’m not going to explain every line of the code; you can ask the googles if you need help on anything. But this works for me. If there is a severe error, one that would cause a cryptic error message on the web site, this will catch the error and redirect the user back to your main page. It will also email error information to you. It’s very simplistic, but it will get the job done. Add information unique to your site as you need.

Simple Error Handling
 
// Simple error trapping. Change the email address as needed for your site.
// Copyright 2017 by Rick Hellewell and www.Cellarweb.com (CellarWeb.com LLC) and www.SecurityDawg.com. All Rights Reserved.
// Shared via CC0 license.
set_error_handler("myErrorHandler");
function myErrorHandler($errno, $errstr, $errfile, $errline) {
    switch ($errno) {
        case E_NOTICE :
        case E_USER_NOTICE :
            // Notices are ignored: report them as handled and let the page continue.
            return true ;
        case E_WARNING :
        case E_USER_WARNING :
            $errors = "Warning" ;
            break ;
        case E_ERROR :        // PHP never passes E_ERROR to a user handler; E_USER_ERROR does arrive here
        case E_USER_ERROR :
            $errors = "Fatal Error" ;
            break ;
        default :
            $errors = "Unknown" ;
            break ;
    }
    $xmsg = sprintf("PHP %s: %s in %s on line %d", $errors, $errstr, $errfile, $errline);
    error_log($xmsg) ;    // write the message to the PHP error log
    mail('youremailaddress@domain.com', 'Web Site Program Error', $xmsg);
    header("Location: index.php") ;    // send the visitor back to the main page
    die() ;
}

And that’s it. Add it to your ‘includes’ page (the code included on all parts of your site), after setting your email address, and changing the Subject in the mail() command.
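A fuller variant of the handler above, as an added example that is not the post's own code: it also picks up fatal errors at shutdown (PHP does not pass those to a set_error_handler() callback), honours error_reporting() and the @ operator, strips control characters before logging, and throttles the alert email. ALERT_TO, HOME_URL, MAIL_EVERY and the stamp file name are assumed placeholders.

```php
<?php
// Added example. ALERT_TO, HOME_URL, MAIL_EVERY and the stamp file name are
// placeholders chosen for this sketch, not values from the original post.
const ALERT_TO   = 'youremailaddress@domain.com';
const HOME_URL   = 'index.php';
const MAIL_EVERY = 300;            // minimum seconds between alert emails

ini_set('display_errors', '0');    // never show raw errors to visitors

function level_name(int $errno): string {
    switch ($errno) {
        case E_NOTICE: case E_USER_NOTICE:   return 'Notice';
        case E_WARNING: case E_USER_WARNING: return 'Warning';
        case E_ERROR: case E_USER_ERROR: case E_PARSE:
        case E_CORE_ERROR: case E_COMPILE_ERROR: return 'Fatal Error';
        default:                             return 'Unknown';
    }
}

function format_report(int $errno, string $errstr, string $errfile, int $errline): string {
    // Error text can echo request data; collapse control characters so it
    // cannot forge extra log lines.
    $clean = (string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $errstr);
    return sprintf('PHP %s: %s in %s on line %d', level_name($errno), $clean, $errfile, $errline);
}

function report_and_bail(string $msg): void {
    error_log($msg);
    // Throttle: a broken page under load must not become a mail flood.
    $stamp = sys_get_temp_dir() . '/site_error_mail.stamp';
    if (!is_file($stamp) || time() - filemtime($stamp) >= MAIL_EVERY) {
        touch($stamp);
        mail(ALERT_TO, 'Web Site Program Error', $msg);
    }
    if (!headers_sent()) {
        header('Location: ' . HOME_URL, true, 302);
    }
    exit;
}

set_error_handler(function (int $errno, string $errstr, string $errfile = '', int $errline = 0) {
    if (!(error_reporting() & $errno)) {
        return false;              // silenced by @ or by the error_reporting level
    }
    $msg = format_report($errno, $errstr, $errfile, $errline);
    if ($errno & (E_NOTICE | E_USER_NOTICE | E_DEPRECATED | E_USER_DEPRECATED)) {
        error_log($msg);           // record it, but keep serving the page
        return true;
    }
    report_and_bail($msg);         // warnings and worse: log, mail, redirect
});

// Fatal errors never reach the handler above; pick them up at shutdown.
register_shutdown_function(function (): void {
    $e = error_get_last();
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR;
    if ($e !== null && ($e['type'] & $fatal)) {
        report_and_bail(format_report($e['type'], $e['message'], $e['file'], $e['line']));
    }
});
```

A parse error in the file that contains this code cannot be caught by it, so keep it in a small include of its own that is loaded first.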

Design Changes

I spent a bit of time making a few minor changes to this place. Among them, a new logo up there.

There was also some tweaking of the ‘responsive’ styling of this place. A bit of new CSS code here and there.

Not that I have any special graphic skills. But the ‘look’ is a bit cleaner than before, I think.

Database Cleanup for Security

Several of my web sites use custom databases. Some of those web sites are gone (on purpose). But the databases were still there.

So I spent a bit of time deleting some unused databases and database users. It’s a security thing: there might be some personal information on some of the databases, and deleting unused data is a ‘good thing’.

Database security is important. Here are a few things to think about:

  • Do you have unused databases anywhere?
  • Is there public/personal information in the data tables?
  • Have you secured the user rights to those databases — not giving full access to a user out of convenience?
  • Do you have backup copies of the databases?
  • Are databases that contain personal information encrypted?

Any other considerations? Let me know in the comments.

Domain Responsibility

Another site that I look at often had a complaint from a reader about losing their domain name when it expired and wasn’t renewed. The reader said that they didn’t get the renewal notices, the automatic renewal didn’t work, and they had to pay quite a bit of money to get it back.

When a domain expires, it reverts back to the registrar (in this case GoDaddy, but this is common practice). The registrar can then do what they want with the domain name, often making it available for anyone else at a premium cost. If the original owner wants to get it back, it will cost much more than the original domain cost. Again, all of this is common practice among just about any domain registrar.

The owner claimed that GoDaddy didn’t notify them of the expiration. The Security Dawg has just about all of our domains registered through GoDaddy. That puts me on their mailing list. I get several emails a month from GoDaddy about their latest promotions, in addition to renewal notices.

I am the owner of record for those domains. You are required to have a valid email address (and other contact information) for all domains you own. And, once a year (or more often), you will get a notice from the domain registrar about verifying your contact information.

The reader claimed that they didn’t get any of those notices. I find that difficult to believe, when I get multiple emails a month from GoDaddy. I suspect that those notification emails were either ignored, or got routed to the person’s spam folder.

The reader claimed that they had the domain set up for auto-renewal, using an on-file credit card. If the renewal didn’t work, as when the credit card expired or was invalid, the registrar would have sent emails about that. That has happened to me: I have let a few domain names purposely expire, and I get multiple notices for renewal along with notices about expiration.

So the reader was quite incensed when they realized their web site with that domain name was no longer working. No more email (all email went through the same domain name). And then they had to pay a big premium to get the domain back.

They thought that was quite unfair.

The Security Dawg disagrees. If you are the owner of a domain name (for any reason), then you have a responsibility to protect that domain name.

  • You need to make sure that all contact information is proper for the domain name.
  • You need to make sure that the email addresses associated with that domain name work properly.
  • You need to ensure that the billing information (credit card number) is current.
  • You need to ensure that you get emails from the registrar – that they don’t get into your spam folder.

If the domain name is important to your business or for personal use, then you have a responsibility to ensure that you properly manage that domain name. This applies to domain name registrars, web site hosting companies, your web site code (do you have backup copies of your web site?): the whole works.

If you fail to be responsible, then you can’t complain when your domain name goes away.

The domain name belongs to you (and maybe your business). Treat it like any other valuable asset.

If you own or manage a domain, you might consider verifying that all your contact information is current. And keep an eye on expiration dates. This applies to web site hosting. And backups – you should be able to reconstruct your web site if something goes wrong (that’s another post).

Changing WordPress Admin Email Settings

(for my notes, but useful information)

This code block will set the email name and address that is used by WordPress administrative emails, like password reset requests or other notifications. Change the values as shown; the ‘notes’ explain everything.

<?php

/* 
change the from name/email on all site emails
 based on http://premium.wpmudev.org/blog/wordpress-email-settings/
        - by Rick Hellewell, Cellarweb.com, 21 Jan 2015
        - Copyright (c) 2015 by Rick Hellewell, Cellarweb.com
        
    SETUP/INSTALLATION
        - change two variables for the name and email address to be used in site/admin emails
        - place this entire code in child theme functions.php
            - we do not recommend changing the functions.php file in your theme, as a theme
                update will eliminate this additional code
                
    NOTES:
        - note that the email address should be valid and match your site domain
            or emails may end up in the recipient's spam folder
        - the 'from-email' is set in the Options, General screen, and stored in the admin_email
            row in the options table
        - there is no corresponding field in the options table for 'from_name', so we use the
            wp_mail_from_name filter to add our 'from_name' value to be used in admin email, 
            rather than the default 'WordPress' that is built into the pluggable.php core file

*/
// --------------------------------------------------------------------------------------
$from_name = 'PUT YOUR NAME HERE';
$from_email = 'PUT THE EMAIL ADDRESS HERE';

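// WordPress passes the current value into each filter callback. Ignore it and
// return the values set above, so the settings actually take effect.
add_filter("wp_mail_from_name", function ($current_name) use ($from_name) {
    return $from_name;
}, 9);
add_filter("wp_mail_from", function ($current_email) use ($from_email) {
    return $from_email;
}, 9);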
// --------------------------------------------------------------------------------------

	

Gmail Password Breach? Not!

Ignore all the breathless media panic about Gmail passwords being exposed. See the Google Security Blog here: http://googleonlinesecurity.blogspot.com/2014/09/cleaning-up-after-password-dumps.html

Do follow the recommendations in the Google Blog: enable two-factor authentication, use a strong password, don’t use the same password, etc.

The only site to check if your email address has been ‘found’ is https://haveibeenpwned.com/ . This site is valid and honest.

The Internet Never Forgets

I had someone call me about their web site ‘disappearing’. All that was there was a ‘Parked’ page from the hosting place. It wasn’t a very important site, just a few pages with some pictures, and a few custom products that he sold. No blog, no custom programs, no databases, etc. And he didn’t have a backup of the pages. But he still wanted the site back. So I took a look at things.

I looked at the domain registration, and the domain name was still registered to him, with an expiration date that had not passed. The nameservers pointed to the web hosting place, which was as expected.

With the credentials for the hosting place in hand, I took a look at his hosting account. He had apparently used the hosting place’s ‘web creator’ to create his web pages. I couldn’t find any files anywhere. Apparently, the ‘web creator’ program stored them in a place I couldn’t get to. And it looked like he let the site hosting service expire. So since there was no content, the ‘parked’ page is now seen at the site.

The site would need to be rebuilt. And he didn’t have the source files for the site; but he wanted the site back up quickly.

So I turned to the Internet’s “WayBack Machine” (www.archive.org) to see if they had a cached copy of the site. They did, so I looked at the latest version they had (March 29, 2014). I opened up the main site page, grabbed the source code for each page (with a View Source), and plugged it into my HTML editor (I use Adobe Dreamweaver, but any HTML editor would have worked). I also copied the graphic images to my local computer. I did this for all of the pages that the WayBack Machine had (the entire site). Luckily, the site was not that complex (about 10 pages plus the graphics files, and a simple order form).

Then, I went into the Dreamweaver editor, adjusted the image links, and rearranged the image files into a separate folder (the CF editor adjusted the HTML code for those links automatically). I then used the Dreamweaver ‘link checker’ to ensure that all links/images/etc were valid. All was well with my local copy of the site.

He wasn’t too happy with the hosting place (a small operation), so we set up an account at JustHost (disclosure: it’s what I use, and I’ve been happy with it; that link gives me a small commission on new accounts at the same price as their main link). Since the domain name was registered somewhere else, I went through the somewhat convoluted process of transferring the domain name to the new JustHost account. I also set up the ‘nameservers’ for the domain to point to the new JustHost account. Then I transferred the files there. I then checked the pages and links at the remote (JustHost) location, and the site pages worked properly.

After a short propagation delay (while all the nameservers in the world get the updated information), the site was active and visible.

The lesson here? A few points to consider:

  •  Don’t Panic
  •  If you have a web site hosted somewhere, pay attention to any notices about renewing services there (I am assuming that a notice from the hosting place may have gotten lost in his emails)
  • If the site is truly ‘gone’ from where it should be, Don’t Panic (again)
  • Use the “WayBack Machine” to find your site. It will probably be there. Perhaps not the latest version, but a place to start.
  • Use the techniques described above to rebuild your site and place it on your hosting location.
  • Backups of your site to an alternate location are always a good idea. That includes any databases used and any custom programs. For instance, I use a popular plugin to email me a daily backup of this WordPress site’s database.
  • Don’t Panic

The recovery technique worked, as evidenced by the reappearance of his web site. There may be some minor adjustments needed, and perhaps some content updated, and I set up a procedure for him to store site backups at an alternate location. But the technique will work.

The Internet Never Forgets.

 

Keeping Clean

If your computer is plagued by popups and other junk, you may have wondered how it got that way. Lots of different reasons, but here is what I do to keep my computer clean.

  • Whenever you search for something with any search engine, the first few results are going to be paid ads. Those results may look like what you want, but usually aren’t. I never click on the paid results on any search. They probably aren’t what you want anyhow.
  • Many times, those paid results are going to cause problems. For instance, if you search for ‘fixing something’, the ‘fixes’ you get when you click on a paid ad are probably going to make things worse. You’ll get a pitch for an ‘easy and free’ program to help ‘fix’ your problem. Just don’t go there. Ignore the paid results, and carefully look at the non-paid results to get what you were looking for.
  • Never click on a pop-up, no matter where it is. They are just trouble. Especially the ones that claim to be updates for some program (‘click here for an updated version of whatever to view this page’). Just don’t click.
  • Now there are times when a valid popup will ask you to update things. An example is a Windows update, or maybe one from your browser. Proceed carefully, Grasshopper. Windows Updates are good, and you should do them when they ask. But make sure that the update is for something you have, or is from the actual vendor site, not one that looks like it.
  • Wherever you go, tread carefully. Even a mainstream news site might cause a popup asking you to do something. Again, just say no.
  • If you need to install a program, make sure that you install it from the vendor’s actual site, not one that looks like it. And beware of add-in programs that come with an update. Adobe is a place where you will get additional programs when you try to install an update. Watch for those pre-selected check boxes for additional browser plugins or other programs. If you need to get an Adobe update, then do it, but don’t get all the extra stuff they try to force on you.

We’ve had other posts on how to keep your computer safe. Here’s the quick list.

  • Do the Windows Updates.
  • Make sure your antivirus is current.
  • Install Windows Security Essentials anti-virus program (pre-Windows 8; it’s built into Windows 8).
  • Install the free Personal Software Inspector program from Secunia to keep your other programs current.
  • Uninstall Java (unless you are sure that you need it).
  • Don’t use the same password on multiple sites.
  • Make sure your password is complex and hard to guess.
  • Don’t do financial transactions at a public Wi-Fi spot.
  • Be careful of public WiFi spots.
  • Don’t click on popups.
  • Do backups (I use an automated backup-to-the-cloud service – Carbonite).

With a bit of effort, you can keep your computer clean. And make your browsing life much simpler.

iDevice Ransom

The reports of ‘ransom’ locking of iDevices from Australia are starting to spread to other countries, including the US. The process involves locking your phone as if you had reported it stolen. The attacker changes the access PIN on your phone, and asks for $100 (US/Euro) to unlock.

One clear explanation is here http://www.symantec.com/connect/blogs/apple-ids-compromised-iphones-ipads-and-macs-locked-held-ransom .

Any iDevice user (not just iPhone) should immediately change the password on their Apple account, and also change the access lock code on their device. The above article has good advice on what to do to prevent the attack.

Heartbleed Thoughts – and a Phishing Warning

There is lots of noise on the interwebs about the Heartbleed vulnerability. Here are my thoughts on the whole thing, in no particular order:

  •  This vulnerability has been around for two years, I believe. And there is no logging available that would tell you that you or a web site got attacked.
  •  The Internet Storm Center (isc.sans.org) guys did raise their alert level to yellow, and strongly encouraged all site administrators to check and fix. But that applies to site administrators, not to “Aunt Minnie”.
  •  Media reports that tell you you must change all your passwords immediately are overblown. Although it is a good idea to reset passwords occasionally, it might be better to wait on that for a few days. Of course, when you reset your password, don’t use the same one as on other sites.
  •  ‘Watchful Waiting’ is probably the best action for individual users to take now. People should watch their financial accounts, perhaps change their passwords in a few days (which will let sites remediate as needed). And make sure that you don’t share credentials (user/pass) between sites.
  •  It is probably good that site owners make sure their sites are not vulnerable, and patch accordingly.

But there is some excitability going on, and perhaps the risk to the user is not as great as the media would make it seem.

Here’s what I think:  *If* a site was vulnerable, and *if* you logged into that system, and *if* an evildoer did the attack after you logged in, then you *might* have your credentials stolen. And *if* you changed your password on a vulnerable site during an attack, your credentials *might* be compromised. But that is a lot of *if’s* to worry about.

Although the “Heartbleed” thing is a risk, my view is “Watchful Waiting” is a good idea, but “Don’t Panic”.

Now, you may start seeing some “Heartbleed Phishing” emails, with some dire warnings and helpful links for you to click on to ‘help’ you reset your password. In general, it is not a good idea to click on a link in an email, even if it looks legitimate. If you want to reset your password on a site, then go there by manually typing in the site link, logging in, and then change your password. Don’t click on those helpful links in any email.

In the meantime, since you are practicing Safe Computing (see here for some hints), Don’t Panic; just be careful out there.