PHP error_reporting(0) false positive

The sonar clound fix recommends this:

According to PHP Logging Basics production, the error reporting should be set to “minimum error reporting level” which is correct, but the “recommended value” is incorrect:

Sonar cloud just copied this recommend value.

But in PHP, the minimum error reporting level is 0, and not E_ALL.

// Turn off all error reporting
0 = Turn off all error reporting
E_ALL = Report all PHP errors
-1 = Report all PHP errors

This means the option E_ALL and -1 is only for debug mode and NOT for production because it may output all server and internal error details.

See here: error-reporting

Would it be possible to fix this insecure recommendation in Sonar lint?

Hello Daniel. Welcome to the community and thanks a lot for the report!

I have created a ticket to fix this issue (SONARPHP-1234) and a pull request to update the rule description.

1 Like

The issue was solved, so it should likely be included in the next release (for SonarQube and SonarCloud too).

1 Like

Awesome! Thank you :slight_smile:

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.