php writing deprecated errors to apache error log

apache-2.2 php debian php.ini

19,045

While the other answers here will stop the errors being written to your error log, they are simply ignoring the the error message and not fixing the error.

The error in this case is that your php.ini still has either magic_quotes_gpc on or magic_quotes_gpc off somewhere in it. The same is true for register_globals on or register_globals off.

The error is not that the directive is on or off. The error is that the directive shouldn't exist at all. Comment those lines out of your php.ini or remove them entirely and PHP will stop writing errors about deprecated directives.

Of course, this may cause problems with your application if it requires either of those to be on.

The reason this is an error in PHP 5.3 is that in PHP 6, these directives won't even exist and PHP 6 will behave as if they were set to off. If you ever plan on upgrading to PHP 6, now is a good time to start upgrading or replacing your application.

Another solution you could try is downgrading PHP back to the 5.2 or 5.1 branch.

As for PHP writing errors into Apache's log, this is natural because PHP is running as an Apache module. You can put something like error_log = /var/log/php_errors.log into your php.ini and restart Apache to have the PHP errors separated from your Apache errors. While you're in there, I would recommend changing display_errors to off. Error messages can often contain sensitive information that you wouldn't want an attacker to see. You will most likely see this written in your php.ini:

; - display_errors = Off           [Security]
;     With this directive set to off, errors that occur during the execution of
;     scripts will no longer be displayed as a part of the script output, and thus,
;     will no longer be exposed to remote users.  With some errors, the error message
;     content may expose information about your script, web server, or database
;     server that may be exploitable for hacking.  Production sites should have this
;     directive set to off.

There is no sane reason why the error messages contain HTML.

To answer another question that you didn't ask, the reason PHP reports this as being in Unknown on line 0 is that the error message was designed for lines of PHP code that you have written but the error it found was in parsing the php.ini before it has even read a single line of code or even opened a .php file. Since it hasn't opened a file and doesn't have a line number, it reports them as "Unknown" and "0".

19,045

gardarh

I work on Android development. Also python, C# and on occasion flirt with Objective-C.

Updated on September 17, 2022

Comments

gardarh over 1 year
I just upgraded from Debian Lenny to Squeeze and noticed that my /var/log/apache2/errors.log is getting bombarded with the following errors:
```
Warning: Directive 'magic_quotes_gpc' is deprecated in PHP 5.3 and greater in Unknown on line 0 
 
Warning: Directive 'register_globals' is deprecated in PHP 5.3 and greater in Unknown on line 0 
```
I find this odd since this is a system log and php (via apache) is trying to write html code into it. This appears to happen on every pageload on the server (including any virtualhost).

Setting these values to off is not an option at the moment (I'm running an unmaintained codebase). My php.ini contains amongst other things:
```
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED
display_errors = On
register_globals = On
magic_quotes_gpc = On
```
I'm not sure if this is an error with php config or apache config. Does anyone know how I could avoid these messages being written to errors.log on every pageload?
- PHP: Version 5.3.2-2 Apache:
- Apache/2.2.16 (Debian)
Thanks, Gardar
- symcbean over 13 years
 
 If you require these settings for your code to work then you must stop upgrading the version of PHP installed - Deprecated means that support for these settings will be removed. And they are deprecated for good reason.
- symcbean over 13 years
 
 (or fix the code)
gardarh over 13 years

If I remove ~E_DEPRECATED then deprecated error messages are written to webpages (the ones using deprecated php functions), which is even worse :) I'm not sure that solves the problem anyways, ~E_DEPRECATED is there for not reporting deprecated errors.
Janne Pikkarainen over 13 years

Congratulations, you have just earned "Spotted one of the many PHP gotcha's" badge! PHP seems to just write the exactly same message to error log than it displays in web pages -- and in the web pages it's annotating the error messages with tags. To boldly log where no software has logged before ... but hey, at least it's not logging in xml format, so it's not completely enterprise-ready yet.