Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)

Drupal core provides a feature to show error messages to site visitors. By default this feature is enabled which is very helpful while building a site because the visitor can quickly see the error messages.

Once a site has entered "production" mode this feature should be disabled to avoid information disclosure such as the full filesystem path on the server or the structure of tables in a SQL error message.

Disabling display of error messages in Drupal 7

As an administrator, navigate to Home » Administration » Configuration » Development » Logging and errors. Set the "Error messages to display" option to "None."

Disabling display of error messages in Drupal 6

As an administrator, navigate to Home » Administer » Site configuration » Error reporting. Set the "Error reporting" option to "Write errors to the log."

Disabling display of error messages when the database is not accessible

There is a chance that the database will not be accessible, in which case Drupal cannot find the error reporting options set in the previous steps and instead will use the default error_level which is to display errors. To prevent errors from being displayed in that scenario, it's best to use the $conf global variable from settings.php to set the error_level variable to disabled. The following line of code will achieve that in both Drupal 6 and Drupal 7.

// Place this in settings.php to disable printing of error messages.
$conf['error_level'] = 0;

Disabling display of notices in PHP

PHP also has a configuration for which errors are shown. For production environments this value should be set to something that will not display notices such as E_ERROR.

To help identify this and other potential problems on a site, you should consider using the Security Review module.