in reply to Re: Essential CGI Security Practices
in thread Essential CGI Security Practices

I know I always find it incredibly frustrating to get meaningless fluff back as error messages from a website.

Would it be less frustrating to get, "Error committing to table: incorrect number of fields"?

For errors the use can maybe fix (e.g., username and password don't match), I try to give a meaningful and complete explanation of the problem. (At least, in theory that's what I intend to try to do.) For internal errors, I like to do something like the following:

mydie("Error Condition One in Section Gimmel");

My mydie subroutine starts out by explaining that there is some internal problem, that it is probably not the user's fault, that it's something the webmaster needs to fix, and that he might be able to do so more easily given the technical error code below. Then I give contact info for whoever maintains the script, and print out the string that was passed by the caller, labelled as a Technical Error Code. (The important thing about this string is that it is unique, and I can grep for it to find exactly where the problem was encountered.) All of this can be nicely formatted in a <div class=\"error\">...</div> so that the site CSS can easily style it as desired. This is MUCH nicer to the user than "Internal Server Error", but it doesn't give a potential malicious user a great deal of information, other than how to contact the admin. (Then you just have to make sure this person is not susceptible to social engineering... but you have to do that anyway)

$;=sub{$/};@;=map{my($a,$b)=($_,$;);$;=sub{$a.$b->()}} split//,".rekcah lreP rehtona tsuJ";$\=$ ;->();print$/