Preventing errors with include files

It is important to resolve all errors before deploying PHP pages on the Internet. Many hosting companies turn off error notifications, if you do not see an error message, this does not mean that everything is in order with the page. Pages that use server-side technologies, such as PHP, deal with a large number of unforeseen situations, so it is wise to create protection in the code by checking the values ​​before using them.

Check for variables

You should always use the isset () command to check for the existence of a variable that receives the value from the included files and enclose any code that uses it in the conditional statement.

You can set a variable to a default value as follows:

if (! isset ($ someVariable)) { $ someVariable = default value; }

The logical negation operator is used to verify that the variable $ someVariable has not been set. If the $ some variable does not exist, it is assigned a default value, which can then be used in the script. If the variable already exists, the code inside the conditional statement is skipped and the original value is used.   Check for the existence of a function or class Included files are often used to define custom functions or classes. Attempting to use a function or class that has not been defined causes a fatal error. To verify that a function is defined, pass the function name as a string to function_exists (). When passing a function name as a parameter to function_exists (), do not put brackets at the end of the function name. For example, you can verify that the doubleIt () function is defined as follows:

if (function_exists (‘doubleIt’)) { // use doubleIt () }

To verify that the class is defined, use the class_exists () function in the same way, passing a string containing the class name as an argument:

if (class_exists (‘MyClass’)) { // use MyClass }

If you intend to use a function or class that is not yet defined in the script, a more practical approach would be to include the file containing the definition of the given class or function using the conditional statement. For example, if the definition of the doubleIt () function is in a file called  

if (! function_exists (‘doubleIt’)) { require_once (‘includes /’); }

Temporarily enable error messages

Error messages are needed to help the developer. Unfortunately, displaying messages on a production site provides information that may be useful to an attacker, and that is why most hosting companies turn off error messages. Depending on the nature of the error, all you can see when you go to the page is a blank screen. There is little benefit from it when you need to find out what happened to pages that worked flawlessly in the local testing environment.

Fortunately, you can easily enable temporary output of error messages for a single page using the ini_set () function, which can be used to change some directives in php.ini in the PHP configuration file on the server.

Add the following code at the top of the problem page:

Upload the file to the remote server, and reload the page in the browser. You should see an error message on the screen. Correct the problem and check the page again. If the page displays correctly, remove the extra line of code.

If you still see a blank screen, it means that there is a syntax error in the PHP code. Using ini_set () does not work if parsing errors exist.

Most errors occur when developers forget to upload the include file to a remote server. Even if all files are downloaded, you may still receive an error message informing you of insufficient permissions to access the included file. This can happen in the following cases:

The server is in safe mode: If your hosting company supports PHP in limited mode, you will see a warning that the safe mode restrictions have entered into force. Run phpinfo () and check the value of safe_mode_include_dir in the Core section. All your included files should be stored in this place. Configure the site structure according to the settings. Safe mode is planned to be removed from the next version of PHP, so this problem is less common.
The open_basedir directive is installed: The open_basedir directive restricts the ability to include or open files. The directive should be effective only if the included file is outside the root directory of the web server. A warning is generated based on PHP allowed path lists. Move the included file to the allowed location, and adjust the paths of the include commands accordingly.

Handling Missing Included Files

Assuming that the included files work fine on the remote server, this is all the error checking that is required. However, if the remote server displays error messages, measures must be taken to suppress them if the included files are accidentally deleted or damaged.

A rather crude but effective way is to use the error management operator (@) in PHP, which suppresses the error message associated with the line of code on which the operator is used. An error management statement is placed at the beginning of a line or directly opposite a function or statement that can throw an error as follows:

 @ include (‘./ includes / random_image.php’);
The problem with the error management statement is that it hides errors instead of handling them. This is just one character, so it’s easy to forget where it was used. Therefore, you can spend a lot of time looking for errors in another part of the script. When using the error management operator, the @ sign should be the first thing to remove when fixing the problem.

Another disadvantage is that you need to use an error management statement on each line, which can cause an error message because the statement only affects the current line.

The best way to suppress error messages on a production site is to turn off the display_errors directive in the configuration from the web server. The most effective way is to change php.ini if ​​the hosting company allows you to change its parameters. In addition, if your server is running Apache and you have permission to change the configuration using the .htaccess file, you must add the following command to the .htaccess file in the server’s root folder:

 php_flag display_errors Off
If no option is available, add the following line at the top of any script that uses include files:

All the methods suggested earlier only suppress error messages if the included file cannot be found. If the page does not make sense without the included file, you should redirect the user to the error page if the included file is missing.

One way to redirect the user is to throw an exception as follows:

$ file = ‘includes /’;
if (file_exists ($ file) && is_readable ($ file)) {
include ($ file);
} else {
throw new Exception (“$ file can’t be found”);
When using code that can throw an exception, you must wrap it in a try block and create a catch block to handle the exception.