I have a line where I grab a database row with .get(field = ID). A normal user would always send an ID that exists in the database, but a hacker might not, and it would throw a DoesNotExist exception. Is it important to explicitly catch it or should I just leave the exception uncaught in that case? Either way, the hacker would not see any message so there is not any security risk either way.
I’m also wondering whether I should log this exception failing. Would be interested in hearing what you guys do as a general rule of thumb, and your justification for what you log/catch vs. what you let throw an uncaught exception.
The important part is in which context you are using this field. If you access the page through
/profile/[ID]I would display a User not found page. If you do something like thatI wouldn’t try to catch the error seperately.
All in all I save every error which can not be caused through normal user behaviour. Then I can take a look into my error log and can directly see where my site raises failures or whether hackers tried to find a security hole.
Afterwards I fix this undefined behaviour so that the error log is as empty as possible.