是向用户显示还是向开发人员显示例外? [英] Are Exceptions for displaying to the user or just for developers?

问题描述

我最近刚刚阅读了 http://phpmaster.com/exceptional-exceptions/上的一篇文章他说了关于例外的情况:

I just recently read an article on http://phpmaster.com/exceptional-exceptions/ and he said this about exceptions:

您的调用代码永远不要读取该消息.该消息唯一有益的是对开发人员.

your calling code should never ever ever read the message. The only thing the message is good for is for developers.

在W3Schools网站上，他们显示了一个示例，其中在捕获到异常消息时输出异常消息，因此我感到困惑.我从 http://www.phpmaster.com 中学到了很多东西，并且相信他们所说的话，但是W3Schools总是可靠的也是，这是正确的做法吗?

On the W3Schools website they show an example where they output the exception message when it is caught so I am confused. I have learned a lot from http://www.phpmaster.com and trust what they say but W3Schools is always reliable too so which is the correct thing to do?

该异常消息是应该输出给用户的还是对开发人员而言?也许它甚至还不那么重要，并且可以以两种方式使用而不会造成任何伤害?

Is the exception message supposed to be outputted to the user or is it just something for developers? Maybe it isn't even that important and it can be used both ways without any harm?

推荐答案

这取决于方案，但最大的问题是安全性.当开发人员引发异常时，他们通常会尝试在消息中包含一些有关到底出了什么问题的有用信息.他们不知道在当前情况下您是否会将这些信息视为敏感信息.

It depends on the scenario but the biggest question is security. When a developer throws an exception, they usually try to include in the message some useful information about what exactly has gone wrong. They can't know if that information would be considered sensitive by you in the current context.

例如，假设您有一个具有登录表单的网站.如果数据库中的 Users 表丢失并且有人尝试登录，则抛出的异常可能类似于无法在数据库MyDb(db.mysite.com)中找到表用户代码>

As an example, say you've got a website that has a login form. If the Users table in the database was missing and someone tried to log in, the exception thrown might be something like Unable to find table users in database MyDb (db.mysite.com)

如果该消息显示给恶意用户，则他们现在知道您的数据库在哪里以及数据库/表名是什么.

If that message is displayed to a malicious user, they now know where your database is and what the db/table names are.

在这种情况下，我倾向于使用唯一的ID记录完整的异常，并向用户显示该ID，以便他们在以后需要时与我进行跟进.

In this scenario, I tend to log the full exception with a unique Id and display the id to the user so they can follow-up with me later if required.

相反，如果它是桌面应用程序，那么我倾向于采用另一种方式-异常消息可以帮助最终用户(例如，用户可能能够解决 Access Denied 的访问).即使这样，您也不确定异常消息是否有用(ala 参考未设置为对象的实例)，因此我倾向于将任何异常包装在更有用的异常中(例如无法连接到数据库)并公开所有内部异常的列表.这意味着用户会收到一条易于理解的消息，但也可能会获得更多有用的信息(如果有的话)，而不会带来安全隐患

Conversely, if it's a desktop app then I tend to lean the other way - exception messages can help the end user (Eg an Access Denied is something the user may be able to resolve). Even then, you're not sure if the exception message will be useful (ala Reference not set to an instance of an object) so I tend to wrap any exception inside a more useful one (eg Unable to connect to database) and expose a list of all the Inner Exceptions. This means the user gets an understandable message but might also get more useful information if available and not a security risk

这篇关于是向用户显示还是向开发人员显示例外?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！