Hi!
Hacking on HEAD (after very long!), I notice we now spit out big stack traces to the webbrowser (along with a good user-readable error).
This is not the best, we should be defaulting to sane and safe: stack traces and other diagnostic stuff must go to the error log. This way, we
- Avoid revealing secrets to would-be attackers!
- Can still report warnings and errors without breaking our output ("what's that PHP warning doing in the middle of XHTML strict?")
- Can still report warnings and errors while writing output for non-tolerant (or non-display!) clients: for example WebDAV, AJAX and Web Services!
- Can see the error messages. Even in HTML, our errors may end hiding in a corner, or disguised by the colour scheme.
In other words, our current default belongs to the times of PHP v3
How can I switch this off? How can we change the defaults?
Edit: Note that Moodle is ignoring my settings:
# log_errors is set to true
# display_errors is set to false, and...
$CFG->debug=38911;
$CFG->debugdisplay=0;