Debug Constants vs. Secret GET Parameters

closeThis post was published 12 years 10 months 10 days ago. A number of changes have been made to the site since then, so please contact me if anything is broken or seems wrong.

A while back I commented on one of possible248’s posts on that secret GET parameters aren’t the best way to do debugging. The problem is that if someone discovers your “secret” parameter (which most people would probably set to just debug=1), they can get all sorts of information about your site’s underlying code structure.

What I like to do is have debug mode switched in the source code itself, say in a global include file that defines constants and variables for the entire site. (MediaWiki’s LocalSettings.php is a good example.) Since it’s usually wise to do your development on a different set of files (at least, if not on your own machine), you can make changes and set debug mode on while coding, and then turn it off before uploading the code to the live site. There’s no risk of someone discovering a hidden parameter, and you use the same basic if(debug){print debug stuff} code that you would otherwise.

It’s not necessarily something you would call a “best practice”; it’s just the sort of thing that you want to think about before making the decision to use GET params or constants. If security is important, you should stick with things that can only be switched by modifying the source code. Barring anyone hacking your server, everything would be safe from GET snoopers.

This is just some food for thought.


I am an avid technology and software user, in addition to being reasonably well-versed in CSS, JavaScript, HTML, PHP, Python, and (though it still scares me) Perl. Aside from my technological tendencies, I am also a theatre technician, sound designer, violinist, singer, and actor.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail (or subscribe without commenting)

Comments are subject to moderation, and are licensed for display in perpetuity once posted. Learn more.