Host turned PHP error reporting off, justified?
A couple days ago my host did a totally unannounced upgrade to a current PHP version.
Problem #1 was that register_globals was turned off, which I can understand in principle, but not under these circumstances: ironically that change disabled the "automatic subdomain script" (foo.example.org = example.org/foo) that was part of my hosting package (=that I paid for), and with that effectively stopped the entire site from working (it kept redirecting to itself). The host didn't notice anything until notified by me several days after it happened -- then turned register_globals back on very quickly.
Today I noticed Problem #2: Error_reporting was also turned off. I was very surprised about that one, because I've never heard of any host doing this.
As a consequence, if you have a script that causes a parse error, the page will just show up completely blank in the browser, with no clue as to what might have gone wrong. If it's a minor error, the pages apruptly stops loading halfway through. This was also why I did not detect the sub domain script error earlier: there was no indication of the error's reason.
I issued a support ticket, and the host just answered: "this is a production server not a development or test server, having error reporting turned on in a production server is not good", and goes on to quote PHP.net that error messages "may reveal security information to end users, such as file paths on your Web server, your database schema or other information."
I know that's basically true, but imagine that it is mostly my own sensitive data that may be at risk through a revealed db schema or file name, and feel I can very well look after my scripts myself. There's even a PHP function to change error reporting level at runtime if I wanted to turn it off for my scripts -- but it doesn't appear to be working when the general setting is off. Or perhaps it is, but I have a typo in there somewhere -- wo can tell?
Also, I believe it's up to me whether I want to test and develop my scripts live on the server or on a locally installed one, when I'm not compromising the host's/other customers' security in any way, exceeding any transfer or server resource usage levels, etc.
Turned-off error reporting really diminishes the value of the account to me.
So my question is: Is it becoming the norm that error reporting is off? Is it really justified?
And isn't such an unannounced upgrade an unfair change in the terms of the contract between the host and me?
I was pretty dissapointed by the short and rather unfriendly message I received, and am now seriously considering switching after more than three years of being hosted at this company.
