PHP display_errors vs log_errors: Key Differences
When configuring a PHP environment, managing how errors are handled
is crucial for both application debugging and security. This article
explains the fundamental differences between the
display_errors and log_errors directives in
PHP, detailing how they function, their security implications, and how
to configure them correctly for development and production
environments.
What is display_errors?
The display_errors directive determines whether PHP
error messages should be printed to the screen as part of the HTML
output.
- How it works: When enabled
(
display_errors = On), any notices, warnings, or fatal errors generated by your PHP code are rendered directly in the user’s web browser. - Primary Use Case: It is highly useful during local development because it provides immediate feedback on syntax errors and runtime issues without requiring you to check external files.
- Security Risk: You should never
enable
display_errorsin a production environment. Revealing raw database queries, file paths, and internal variable names exposes sensitive details that malicious actors can exploit to compromise your server.
What is log_errors?
The log_errors directive determines whether PHP error
messages should be recorded to a server log file rather than shown to
the end-user.
- How it works: When enabled
(
log_errors = On), PHP sends error reports to the server’s error log (such as Apache or Nginx logs) or to a specific file defined by theerror_logdirective. - Primary Use Case: This is the standard method for tracking application health in production. It allows developers to monitor background issues, failing API calls, and database connectivity problems without disrupting the user experience.
- Security Benefit: By logging errors privately, you keep technical details hidden from the public while maintaining a complete audit trail for troubleshooting.
Summary of Key Differences
| Feature | display_errors | log_errors |
|---|---|---|
| Output Destination | User’s web browser (HTML output) | Server log file (e.g.,
error.log) |
| User Experience | Disruptive; prints raw code errors to visitors | Invisible; users see a standard page or 500 error |
| Security Impact | High risk (exposes directory structures and database schemas) | Low risk (log files are kept secured on the server) |
| Recommended Environment | Development only | Development and Production |
Best Practice Configurations
To ensure a secure and efficient workflow, you should use different PHP configurations depending on where your code is running.
For Development Environments:
During development, you want maximum visibility to debug code quickly.
display_errors = On
log_errors = On
error_reporting = E_ALLFor Production Environments:
In production, security and user experience are the priorities. Hide errors from users but keep logging them internally.
display_errors = Off
log_errors = On
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
error_log = /var/log/php/error.log