From the PHP Security Blog today, there's this look at a way to not configure your logging in PHP - some issues that he points out in the examples from the recent "Essential PHP Security" book.

Today I had the pleasure to look at code examples from a recently released book. I guess readers of my blog know exactly what book I am referring to.

I will only cover the first 2 code examples that explain how to configure and use PHP's logging capabilities for now because they [...] reveal some nice insights.

The first example he talks about some issues with using ini_set to put the errors logged in the Apache error_log. His issue with the method being the permissions on the log file (assuming a "sane configured webserver"). The second issue is in another example, one that tries the same logging method, but uses the set_error_handler method to do so...