
All my pages have a shutdown function that sends me an email with the page parameters. I have used it to fix problems on several pages. But one page keeps crashing but does not show any calling parameters. If I call the page with no parameters, it works fine. I have tried following all the links on the page and they do not cause any errors. In writing this post, I realize that the page allows a file to be uploaded. Perhaps someone is uploading some malicious file that causes the page to crash. The caller is in India, airtelbroadband.in. But if that were the case, the shutdown function would pass the file in my email because it is passed to the same page as a POST.

Here is the call to my shutdown function

    register_shutdown_function('shutdown', $_SERVER['REQUEST_URI'], file_get_contents("php://input"));
    error_reporting(E_ERROR);

And here is the shutdown function

    function shutdown($pagename, $post) {
        // error_get_last() returns null when no error has occurred
        $last_error = error_get_last();
        if ($last_error !== null && $last_error['type'] === E_ERROR) {
            mail("mynames@gmail.com", "ERROR REPORT", "https:/mydomain.com$pagename post->$post<-", "From: " . "ErrorReport@mydomain.com");
        }
    }

and here is the content of the email I get:

https:/mydomain.com/gpx_waypoint_edit.php post-><-

Nothing useful. When this function has worked, I get the parameters that crash a page in my email and I am able to fix them. This is the only page that crashes and I get no hints.

I mentioned that this page can upload a file. Here is the code that does the upload. Are there checks I should put in here?

    <form enctype='multipart/form-data' action="<?echo $PHP_SELF?>" method='post'>
       <input type='hidden' name='MAX_FILE_SIZE' value='100000' />
       <input name="toProcess" type="file"><br>
       Number of New Waypoints <input type="text" name="lines" size="5"><br>
       <input type='submit' value='Submit' />
    </form>
    <?
      // Use the temporary path only if the field is present and PHP confirms an HTTP upload
      if (isset($_FILES['toProcess']) && is_uploaded_file($_FILES['toProcess']['tmp_name'])) $filename = $_FILES['toProcess']['tmp_name'];
      else $filename = "";
    ?>

One final note. I do not run a SQL database so all the injection attacks that I get can't do much. I just sent them a 403 message so they can't do anything.

Basically I can't figure out why this page is crashing. If anyone can help my understanding I would appreciate it.

Allen Edwards
  • Configure PHP to log errors to a file - see https://stackify.com/php-error-logs-guide/ . Then when you get the email you can check the error log. – ADyson May 05 '21 at 15:06
  • `would pass the file in my email` ...not necessarily. PHP processes multi-part requests differently. As you know, the file data goes into $_FILES not into the regular POST variables. – ADyson May 05 '21 at 15:08
  • I should have said that I would get the file in my email if my code was crashing. If HTML is crashing and the call to PHP_SELF is not made because the file crashes it, then I agree I would not get the file. But if the file is uploaded, then I would expect it to be in the POST data. – Allen Edwards May 05 '21 at 15:35
  • In terms of the error log to a file, I am trying to do that with the email. I don't get enough errors to create and manage a log. The email gives me instant notification and I like that. If there is more I should put in the email in terms of error logging I can do that. What would that be? I know this is an E_ERROR and I know nothing was passed to the page in GET or POST. What else should I log? – Allen Edwards May 05 '21 at 15:37
  • `if html is crashing and the call to php_self is not made because the file crashes it`...html can't crash anything. – ADyson May 05 '21 at 15:38
  • `In terms of the error log to a file, I am trying to do that with the email`...not really as far as I can see - the mail only contains the URL and post values. It doesn't contain the actual error message I don't think? PHP can automatically log the error, you don't really have to "maintain" that, just configure it. – ADyson May 05 '21 at 15:39
  • `if the file is uploaded, then I would expect it to be in the POST data`...have you actually experienced that happen already? I'm not sure you should necessarily expect this, for the reasons I already highlighted – ADyson May 05 '21 at 15:40
  • @ADyson Thanks for the comments. I appreciate it. I will add the error log – Allen Edwards May 05 '21 at 16:27
  • And you could also include a var_dump of $last_error in the email – ADyson May 05 '21 at 16:30
  • @ADyson I added this to my email: `$message .= "\n" . print_r( $last_error, true );` Worked great. This is a solution. Please post as answer and I will accept it. It took me several false starts to figure out how to include the array variables in the email. The most obvious, `$last_error['message']`, gave me a 500 error. Not sure why but doesn't matter as the print_r worked. – Allen Edwards May 05 '21 at 17:07
  • `Not sure why`... because you tried to include an array directly in a string, and PHP can't process that - it doesn't know how you would want it to be displayed. – ADyson May 05 '21 at 18:14
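
The question asks which checks belong in the upload handler. The following is an added example, not code from the original post or its answer: `validate_upload()` is a hypothetical helper, the 100000-byte limit mirrors the form's `MAX_FILE_SIZE`, and the 1 to 10000 range for `lines` is an assumption.

```php
<?php
// Added example: validate_upload() and the numeric limits are assumptions, not the poster's code.
function validate_upload(array $files, string $field, int $maxBytes): array
{
    $fail = function (string $reason): array {
        return ['ok' => false, 'reason' => $reason, 'path' => null];
    };
    if (!isset($files[$field]) || !is_array($files[$field])) {
        return $fail('no file field in request');
    }
    $f = $files[$field];
    // A field submitted as "toProcess[]" turns every key into an array; reject it
    // here instead of passing an array on to is_uploaded_file().
    if (!isset($f['error'], $f['tmp_name'], $f['size']) || is_array($f['error'])) {
        return $fail('malformed upload structure');
    }
    // PHP reports partial uploads, missing files and size overruns through this code.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return $fail('upload error code ' . $f['error']);
    }
    // MAX_FILE_SIZE in the form is sent by the client, so enforce the limit again here.
    if ($f['size'] <= 0 || $f['size'] > $maxBytes) {
        return $fail('size out of range: ' . $f['size']);
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        return $fail('tmp_name is not an HTTP upload');
    }
    return ['ok' => true, 'reason' => '', 'path' => $f['tmp_name']];
}

$check = validate_upload($_FILES, 'toProcess', 100000);
$filename = $check['ok'] ? $check['path'] : '';

// "lines" is user input as well: accept only a bounded positive integer.
// filter_input() returns false for an invalid value and null when the field is absent.
$lines = filter_input(INPUT_POST, 'lines', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => 10000],
]);
```

The `reason` string is worth adding to the error email or log, since it records why a given request was rejected.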

1 Answer

You're not really getting the full picture of what is happening in your code because your email doesn't include the actual exception message, and you're not logging it either.

You could include the error in the email something like this:

    $message .= "\n" . print_r( $last_error, true );

For extra robustness you should configure PHP to log all errors, warnings and notices to a log file on the server which you can examine for clues whenever you have problems. See this guide for details about how to set that up.

ADyson
  • Thank you for your help. I am confident that the next time someone has a problem with this page that I will get my answer about what is happening. This will also help greatly with any errors that might come up in any other page. I only have an error on this page a few times a year so it will be some time before I can report back what actually happened. But I am most pleased to have this code in this and all my pages. The code is in the header file common to all my pages. – Allen Edwards May 05 '21 at 19:38
  • No problem, glad I could help in some way – ADyson May 05 '21 at 20:28
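
A fuller version of the shutdown report discussed in this answer and its comments, as an added example that is not code from the original posts. `build_error_report()`, the mail addresses and the 2000-byte cap are assumptions. It goes beyond the answer by also recording the request headers and `$_FILES` metadata, because PHP does not expose a `multipart/form-data` body through `php://input`.

```php
<?php
// Added example. build_error_report(), the addresses and the 2000-byte cap are assumptions.

function build_error_report(?array $err, array $server, array $post, array $files, string $rawBody): string
{
    $lines = [
        'URI: ' . ($server['REQUEST_URI'] ?? '(unknown)'),
        'Method: ' . ($server['REQUEST_METHOD'] ?? '(unknown)'),
        'Content-Type: ' . ($server['CONTENT_TYPE'] ?? '(none)'),
        // A Content-Length above post_max_size leaves $_POST and $_FILES empty.
        'Content-Length: ' . ($server['CONTENT_LENGTH'] ?? '(none)'),
        'Remote address: ' . ($server['REMOTE_ADDR'] ?? '(unknown)'),
        // type, message, file and line of the fatal error
        'Error: ' . print_r($err, true),
        'POST fields: ' . print_r($post, true),
    ];
    // Upload metadata only; the file contents stay out of the mail.
    foreach ($files as $field => $f) {
        $lines[] = sprintf(
            'Upload "%s": name=%s size=%s error=%s',
            $field,
            json_encode($f['name'] ?? null),
            json_encode($f['size'] ?? null),
            json_encode($f['error'] ?? null)
        );
    }
    // php://input is empty for multipart/form-data, so this is blank for uploads.
    $lines[] = 'Raw body (truncated): ' . substr($rawBody, 0, 2000);
    return implode("\n", $lines);
}

register_shutdown_function(function () {
    $err = error_get_last();
    // The question checks E_ERROR only; the other fatal types are added here.
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err === null || !in_array($err['type'], $fatal, true)) {
        return;
    }
    $report = build_error_report($err, $_SERVER, $_POST, $_FILES, (string) file_get_contents('php://input'));
    error_log($report); // also lands in the server-side error log
    mail('admin@example.com', 'ERROR REPORT', $report, 'From: errors@example.com');
});
```

The report can contain whatever a client submitted, so treat the mailbox and the log file as holding untrusted and possibly sensitive data.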