How not to throw errors - mike's web log

About

I'm Mike Pope. I live in the Seattle area. I've been a technical writer and editor for over 35 years. I'm interested in software, language, music, movies, books, motorcycles, travel, and ... well, lots of stuff.

Read more ...

Blog Search

(Supports AND)

Include comments

Feed

Subscribe to the RSS feed for this blog.

See this post for info on full versus truncated feeds.

Quote

Advertising can be described as the science of arresting human intelligence long enough to get money from it.

— Stephen Butler Leacock

[ view all quotations ]

Navigation

[ home ]

April 2025

25 Most-Visited Entries

1. THE most basic way to implement ASP.NET Razor security
2. Fun (or not) with noun stacks
3. Rendering HTML as HTML in Razor
4. Using the confirmation feature for ASP.NET Web Pages security
5. Changing the headlight on a 2010 Honda Shadow Phantom
6. RSS feed truncation: reader's choice
7. When in English, do like English
8. Constructing site URLs in ASP.NET Razor
9. Dude, where's my Razor API ref?
10. WebMatrix Beta 2 tip: why can't I use helpers?
11. Documenting ASP.NET Razor
12. Anniversaries in IT
13. Tech review tips and strategies (Part 1)
14. Moving a website in WebMatrix
15. Finding the right trousers
16. Blog update: Added a Facebook Like button
17. How Feynman learned to crack a safe
18. Blog feed fixed, oops
19. Moving the blog
20. Blog move successful (?)
21. Geopolitical concerns and the 4 fingers of ... change
22. Theory And Practice Of Editing New Yorker Articles [Selections]
23. Each unique different kind of its own
24. Well, THAT happened
25. SME + training doth not (necessarily) a writer make

Categories

RSS
RSS aspnet
RSS blog
RSS books
RSS editing
RSS family
RSS Friday words
RSS FridayFun
RSS funny
RSS general
RSS history
RSS house
RSS language
RSS motorcycles
RSS movies
RSS MS Word
RSS music
RSS personal
RSS politics
RSS readings
RSS roundup
RSS seattle
RSS teaching
RSS technology
RSS travel
RSS ukulele
RSS webmatrix
RSS whidbey
RSS work
RSS writing

Contact Me

Email me

Blog Statistics

Dates
First entry - 6/27/2003
Most recent entry - 4/22/2025

Totals
Posts - 2658
Comments - 2678
Hits - 2,739,004

Averages
Entries/day - 0.33
Comments/entry - 1.01
Hits/day - 344

Updated every 30 minutes. Last: 11:03 AM Pacific

How not to throw errors

Wednesday, 3 August 2005 11:17 PM

I was just visiting the Linguistic Society of America's Web site, where they have a feature named Ask a Linguist. I went to browse their questions, and got the following error. (Detail here, click to see full screen.)

Wow, how many sins are commited here? Let us enumerate:

Exposing the path, which gives us a nice picture of the server folder structure.
Possibly (?) exposing the name of the server (ling0406).
Exposing the SQL query, which tells us the schema for the SQL table in question.
Exposing a stack trace, which tells me among other things that they're using an Oracle server.

Did I miss any?

Almost needless to say, you shouldn't show this kind of stuff to users. It's ugly. And more to the point, this is good information for those famous malicious users. See (again) Steve Friedl's writeup of how he cracked a site with SQL injection, and for which one task was to guess about the schema of SQL tables.

In ASP.NET, you should always set customErrors in the Web.config file to remoteOnly. That way you can see error information when testing on localhost, but no errors (and certainly nothing this, um, informative) are displayed to users. Something like this:

<customErrors mode="RemoteOnly" defaultRedirect="SiteError.aspx" />

[categories] aspnet, technology

~~comment~~ | link