recaptcha icon indicating copy to clipboard operation
recaptcha copied to clipboard
verified publisher icon google

file_get_contents warnings suppression

Open blacktek opened this issue 1 year ago • 13 comments

Currently file_get_contents is called like this

$response = file_get_contents($this->siteVerifyUrl, false, $context);

Could it make sense to use the error suppression with @ to avoid random errors going to stdout?

We capture few errors per week like Failed to open stream: HTTP request failed! HTTP/1.1 503 Service Unavailable

blacktek avatar Dec 12 '24 07:12 blacktek

No, it doesn't make sense at all. You should handle your exceptions yourself.

garak avatar Feb 26 '25 07:02 garak

@garak I agree that you should handle the exceptions ourselves, which we do. But the default behaviour of file_get_contents is to also send a warning to stdout (and such output might break the response to the client)

blacktek avatar Feb 26 '25 07:02 blacktek

I get my errors into Sentry, so there's a way to do it.

garak avatar Feb 26 '25 07:02 garak

you get the errors in Sentry, but the output to the end customer will be broken, despite we catch the error. I make an example:

  1. ajax request to an endpoint checking the recaptcha
  2. there is a temporary error with "$response = file_get_contents($this->siteVerifyUrl, false, $context);" and we catch it and "try to" send a proper ajax/json response to the customer saying that there was a temporary error.

but due to the missing warning suppression the output sent back to the customer is corrupted (not a valid json anymore) due to PHP printing the warning in the output.

Is it more clear like this?

blacktek avatar Feb 26 '25 08:02 blacktek

The error output should never be active in production

garak avatar Feb 26 '25 09:02 garak

I agree @garak. It's only active in our production environment used by the internal staff

blacktek avatar Feb 26 '25 09:02 blacktek

And so in the end the one to blame for your wrong output is you, not this library.

garak avatar Feb 26 '25 20:02 garak

If you're happy with this answer and feel good to have defended a position, Yes, you're right.

blacktek avatar Feb 26 '25 20:02 blacktek

If you're happy with this answer and feel good to have defended a position, Yes, you're right.

I'm afraid that adding sarcasm and passive-aggressive messages won't help that much to defend your position (which is already hard to defend, in any case)

garak avatar Feb 28 '25 08:02 garak

Hi @garak I agree on the sarcasm. But you started with "And so in the end the one to blame for your wrong output is you, not this library."

The library output (not mine!) is caused by using the wrong approach to make requests, and is sending unmanaged output in case of warnings. e.g. this would not have happened if you were using curl. You're saying that it's our fault because in production we should keep error_display to no, but the principle is wrong in any case. The errors should be catched and thrown at the upper level. You can't justify that it's correct like this because it's not. A library should not write output to stdout/stderr

blacktek avatar Feb 28 '25 08:02 blacktek

Mine was not sarcasm, really. Libraries should never hide errors, because the way to manage errors is not the same for everyone, so the responsibility is (correctly) left to the developer. Moreover, hiding errors would prevent the developer from picking the correct way to handle them (see the aforementioned Sentry). Again, it's not the library that sends output, it's you.

garak avatar Feb 28 '25 08:02 garak

I've not said that you should hide errors. You should suppress the errors sent to the output (if you want to continue use file_get_contents), catch the error after the file_get_contents and throw the exception

blacktek avatar Feb 28 '25 08:02 blacktek

You can already suppress the error output by correctly configuring your environment. I agree that you should probably avoid using the Post request method entirely.

garak avatar Feb 28 '25 08:02 garak