Home/ Questions/Q 4244678
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T03:44:23+00:00

I admit the title is mostly a catch 22, but it’s entirely relevant, so

  • 0

I admit the title is mostly a catch 22, but it’s entirely relevant, so please bear with me for a while…

Background

As some may know, I’m working on a PHP framework whose major selling point is that of bridging functionality between different CMSes/systems.
From a developer perspective, there’s an extensive error handling and logging mechanism.
Right now, there are two settings, DEBUG_MODE and DEBUG_VERBOSE, which control debug output.

The mode describes the medium and verbose controls the amount of detail.
To make it short, there’s a mode called “console” which basically dumps debug info into the javascript console (which is now available in a major web browser near you).

The Issue

This [debug system] works great for development servers, but you absolutely cannot use it on a production one since debug details (which include DB credentials etc) get published publicly. And in all honesty, who ever migrated from a dev. to a prod. server flawlessly each time?

Solutions

Therefore, I’ve been trying to figure out a way to fix this. Among my proposed solutions are:

  • Having a setting which tells the framework to enable logging only if the request comes from a certain IP. The security issues for this are quite obvious (IP spoofing among others).
  • Having a setting which contains PHP expression(code) that gets eval’d and it’s return used as a yes/no. The best part is that the framework installed may suggest CMS-specific expressions, eg:
    • WordPress: current_user_can('manage_options')
    • Joomla: $user=&JFactory::getUser() && ($user->usertype=='Super Administrator') || ($user->usertype=='Administrator')
    • Custom: $_SERVER['REMOTE_ADDR']=='123.124.125.126'
  • These are among the two, I’m eager to hear out more suggestions.

So, do you think eval() should be up to it? I’ll ensure it still performs well by only doing this once per page load/request.

Clarification

if(DEBUG_MODE!='none')echo 'Debug'; // this is how it is now
if(DEBUG_MODE!='none' && $USER_CONDITION)echo 'Debug'; // this is how it should be

The $USER_CONDITON allows stuff such as running is_admin() to allow all admins to see debug info, or, getUser()->id==45 to enable it for a specific user. Or by IP, or whatever.

enter image description here

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Go ahead. It’s evident that you understand the hypothetical security implications. In your case it’s just important to tell the target user base about it.

    As for the practicability of your approach, there’s no discussion really. You need variable authentication logic and can’t hardwire it to one specific environment/cms runtime.

    The only concern you see is about performance. That’s baloney. Not an issue. The presence of eval is what discerns scripting languages from compiled languages. If it’s available you can not only use it, but can be sure that it’s not going to be slow because a compiler+linker run is required behind the scenes. PHP takes some time with initializing its tokenizer and parser, but parsing itself is surprisingly quick.

    And lastly, avoid such question titles on SO. ;} Or at the very least talk about create_function please.

    • 0