I was recently reading about web development security and PHP and noted that appending an @ symbol to a function call was regarded as being a good idea because it hides any error messages generated by the function. Error messages are vital when developing a web application but, by the time it has been tested and put live, they can be a security hole. If a site user gives unexpected input that causes an error to occur, the resulting message might give away information that can be used as a key to unlock the site.
I wanted to read more about this approach but my search-fu seemed to be lacking. I could not find any reference to it in the online PHP manual and my searches kept bringing me back to various instances of the article where I had originally read about the idea.
Frustrated, I set up a small test page to explore the idea and, sure enough, @function-name does run function-name in silent mode. I would still be happier if I could find some more information to read about the approach (for example, are there any side-effects to be aware of) but that practical demonstration will do for now.
Want to add something? Please join the conversation about this posting (nb. Yahoo! account required to log into Flickr).