Error reporting

This has been a draft for a while, so things are probably outdated, but I’m still wondering about this, so here goes…

I have been doing a lot more PHP lately than I have in a long while, and that, plus the prospect of a pretty big project I will hopefully start on during the summer, made me think a bit about error reporting. I’m not talking about E_ALL vs E_, err, 0. I’m talking about what to tell the user when either (s)he or the application screws up.

As explaining is easier by example, here’s one: your application has a login section which grants access to who knows what. A user wants to log in, has the correct username but the wrong password. Do you simply tell them “invalid credentials” or is it something along the lines of “Sorry, $prettyusername, but the password you provided does not match the one in our database. You may try again[link to #login]. You can also recover your password[link to password recovery]”?
From where I stand, both have their up- and downsides. Just telling them they didn’t enter valid credentials isn’t anywhere near user-friendly, but if the user is someone who is trying to break into the application I don’t want to tell them anything; the friendly message confirms that the username exists, which is exactly the half of the secret they would otherwise have to guess.

So, what is more important, being friendly to your users or giving people that try to break in as little help as possible?
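As an added example (not code from the original post), here is the leaky version of the check next to one that keeps the message uniform. The user table, the dummy hash and the log callback are constructed stand-ins for a database and a real logger; it assumes PHP 7.1 or later for password_hash()/password_verify() and foreach destructuring.

```php
<?php
declare(strict_types=1);

// Constructed user table standing in for the database lookup.
$users = [
    'jory' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// A hash of a throwaway password, computed once, so that a lookup miss costs
// the same bcrypt work as a lookup hit. Without it a request for an unknown
// username returns measurably faster, which also reveals which usernames exist.
$dummyHash = password_hash('dummy-password-never-accepted', PASSWORD_DEFAULT);

// The chatty variant from the post: its message tells the caller whether the
// username exists. Kept here only as the leaky "before".
function loginChatty(array $users, string $username, string $password): string
{
    if (!isset($users[$username])) {
        return 'No account with that username.';
    }
    if (!password_verify($password, $users[$username])) {
        return "Sorry, $username, but the password you provided does not match the one in our database.";
    }
    return 'Welcome!';
}

// The uniform variant: the same work and the same answer for every failure,
// with the specific reason written to the server log instead of the page.
function loginUniform(array $users, string $dummyHash, string $username, string $password, callable $log): bool
{
    $hash = $users[$username] ?? $dummyHash;          // unknown user still gets a real verify
    $ok = password_verify($password, $hash) && isset($users[$username]);
    if (!$ok) {
        $reason = isset($users[$username]) ? 'bad password' : 'unknown user';
        $log("login failed for '$username': $reason"); // detail stays server-side
    }
    return $ok;
}

// Constructed in-memory log so the script runs offline.
$serverLog = [];
$log = function (string $line) use (&$serverLog): void { $serverLog[] = $line; };

echo "chatty: " . loginChatty($users, 'nobody', 'x') . "\n";   // leaks "no such user"
echo "chatty: " . loginChatty($users, 'jory', 'x') . "\n";     // leaks "user exists"

foreach ([['jory', 'wrong'], ['nobody', 'wrong'], ['jory', 'correct horse battery staple']] as [$u, $p]) {
    $msg = loginUniform($users, $dummyHash, $u, $p, $log)
        ? 'Welcome back.'
        : 'Could not log you in with those credentials. You can try again or use the password recovery form.';
    echo "uniform ($u): $msg\n";
}
print_r($serverLog);
```

The friendly parts of the message (the retry link and the recovery link) survive the uniform version; only the confirmation that the username is valid is dropped. The recovery form then has to give the same answer whether or not the address or username exists, otherwise the enumeration just moves one page over.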

About Jory

Born in 1988, Software Engineer, Dutch.
This entry was posted in PHP, Programming.

2 Responses to Error reporting

  1. Dennis says:

    I usually just tell them “Could not log you in using those credentials” or something along those lines. Sure, it’s a bit more secure, but mainly I just find it less work and less resources. That’s the big reason.

  2. Ben Babcock says:

    I like to be as helpful as possible to the user and tell them exactly which part of their entries was in error. As a user who frequently forgets passwords to sites he doesn’t visit often, I find it unbelievably frustrating when I’m trying out user/password combos and the site’s just telling me, “Wrong answer. Wrong answer. Wrong answer” over and over without any details.

    If my application is secure, then this shouldn’t be a problem. I also like to limit the number of login attempts, so even if someone is trying to guess the password, they only have a certain number of tries and then the site will just stop processing the requests.

    Obviously if the problem is a technical one on the backend, like not being able to connect to the database, I wouldn’t give away key info. That’s what error logging is for–the error gets sent to me, and the user sees a pretty message that says something like, “Could not log in due to technical difficulties. Please stand by.”

    Lately I’ve been looking into try/catch blocks and exceptions, since those seem like powerful tools to use. I hope to work on a larger sort of site during the next few months and push the limits of my PHP skills, especially when it comes to application design like this. 😀
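The attempt limit mentioned in the comment above, as an added example that is neither the commenter's code nor the post's. The counters live in an array so it runs offline; in a real application they would sit in the database or a cache shared by every web node. It assumes PHP 8.0 or later (constructor property promotion and named arguments).

```php
<?php
declare(strict_types=1);

// Per-account failed-attempt throttle with a sliding window. Failures are
// counted for every submitted username, existing or not: if only real accounts
// could trip the limit, the "too many attempts" message would itself confirm
// which usernames exist.
final class LoginThrottle
{
    /** @var array<string, array{count:int, first:int}> */
    private array $attempts = [];

    public function __construct(
        private int $maxFailures = 5,
        private int $windowSeconds = 900,
    ) {}

    // Call before verifying the password; a blocked account is refused without
    // touching the hash at all.
    public function isBlocked(string $account, int $now): bool
    {
        $a = $this->attempts[$account] ?? null;
        if ($a === null) {
            return false;
        }
        if ($now - $a['first'] >= $this->windowSeconds) {
            unset($this->attempts[$account]);      // window expired, start fresh
            return false;
        }
        return $a['count'] >= $this->maxFailures;
    }

    public function recordFailure(string $account, int $now): void
    {
        $a = $this->attempts[$account] ?? ['count' => 0, 'first' => $now];
        if ($now - $a['first'] >= $this->windowSeconds) {
            $a = ['count' => 0, 'first' => $now];
        }
        $a['count']++;
        $this->attempts[$account] = $a;
    }

    public function recordSuccess(string $account): void
    {
        unset($this->attempts[$account]);
    }
}

// Constructed run: three wrong guesses are checked, the fourth is refused,
// and the block lifts once the window has passed.
$throttle = new LoginThrottle(maxFailures: 3, windowSeconds: 900);
$now = 1_000_000;
foreach (['a', 'b', 'c', 'd'] as $i => $guess) {
    if ($throttle->isBlocked('jory', $now + $i)) {
        echo "guess $guess: refused, too many failed attempts, try again later\n";
        continue;
    }
    echo "guess $guess: password checked and rejected\n";
    $throttle->recordFailure('jory', $now + $i);
}
var_dump($throttle->isBlocked('jory', $now + 901));   // bool(false): window expired
```

The window matters: a counter that never resets lets anyone who knows a username lock its owner out for good, so the limit should pause the account for a while rather than disable it, and a second counter keyed on the client address catches a guesser who rotates through usernames instead.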
