This has been a draft for a while, so things are probably outdated but I’m still wondering about this, so here goes…
I have been doing a lot more PHP lately than I have in a long while and that, plus the prospect of a pretty big project I will hopefully start on during the summer, made me think a bit about error reporting. I’m not talking about E_ALL vs E_, err, 0. I’m talking about what to tell the user when either (s)he or the application screws up.
As explaining is easier by example, here’s one: your application has a login section which grants access to who knows what. A user wants to log in, has the correct username but the wrong password. Do you simply tell them “invalid credentials” or is it something along the lines of “Sorry, $prettyusername, but the password you provided does not match the one in our database. You may try again[link to #login]. You can also recover your password[link to password recovery]”?
From where I stand, both have their up- and downsides. Just telling them they didn’t enter valid credentials isn’t anywhere near user-friendly, but if the user is someone who is trying to break into the application I don’t want to tell them anything.
So, what is more important, being friendly to your users or giving people that try to break in as little help as possible?
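The two styles of failed-login response described above, side by side, as an added example (not code from the original post). The function names, the in-memory user table and the wording shown for an unknown username are assumptions made for the illustration.

```php
<?php
// Constructed sample data: one known account (hypothetical, in-memory).
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
// Dummy hash so an unknown username still costs one password_verify() call.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

// Friendly style: the wording depends on whether the username exists,
// so the response itself confirms which accounts are real.
function loginVerbose(array $users, string $name, string $pw): string
{
    if (!isset($users[$name])) {
        return 'Sorry, we do not know that username.'; // assumed wording
    }
    if (!password_verify($pw, $users[$name])) {
        return "Sorry, $name, but the password you provided does not match "
             . 'the one in our database.';
    }
    return "Welcome back, $name.";
}

// Terse style: one message for every failure; the specific reason is
// written to the server log, where only the operator can read it.
function loginTerse(array $users, string $dummyHash, string $name, string $pw): string
{
    $known = isset($users[$name]);
    // Always verify against some hash so both failure paths do similar work.
    $match = password_verify($pw, $known ? $users[$name] : $dummyHash);
    if (!($known && $match)) {
        // json_encode() keeps newlines in the name from forging log lines.
        error_log(sprintf('login failed: user=%s reason=%s',
            json_encode($name), $known ? 'bad password' : 'unknown user'));
        return 'Invalid credentials.';
    }
    return "Welcome back, $name.";
}

// Same wrong password against a real and a non-existent account.
foreach (['alice', 'bob'] as $name) {
    echo "verbose: ", loginVerbose($users, $name, 'wrong'), PHP_EOL;
    echo "terse:   ", loginTerse($users, $dummyHash, $name, 'wrong'), PHP_EOL;
}
```

The verbose handler produces two different replies for the two names, while the terse one produces the same reply for both and leaves the distinction in the log. If either message is rendered into HTML, pass the username through `htmlspecialchars()` first.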