
PHP: Exceptions vs Custom Errors

Today I had a nice chat with a friend of mine. We covered a few aspects of web development.

He criticised my application error handling approach. Basically, if I need to check a user's permission to perform an action, I do the following:

// My little function
function check_user_perms($user)
{
    // @returns boolean
    // checking if user is permitted to perform an action
    return ($something > 1) ? TRUE : FALSE; // of course it returns true/false, not null
}

// place where I need to check user permission
// please note that following lame snippets are meant to show you my approach
if( check_user_perms($user_id) )
{
    // perform the action
}
else
{
    echo 'You have no permission to perform this action.';
}

He said I should use exceptions. So I started to read, and I think I learned good exception practices.

There are only a few things that need clarification:

1. Should I use exceptions for everything in web application?

2. If so, how to show a message to user on production?

3. What approach would you suggest?


Exceptions should be used for "exceptional situations". Checking if a user has proper permissions is not an "exceptional situation". It's a very common check which should not use an exception. Returning true/false here is fine.

If, on the other hand, while checking if the user has access, an "exceptional" error occurs, such as the inability to check the authentication server due to it being down, then throwing an exception would be appropriate.

Here are some more resources to check out:

  • When and How to Use Exceptions
  • PHP5 Exception Use Guide


check_user_perms should absolutely return TRUE or FALSE (not NULL!).

Exceptions are for exceptional circumstances, not general program flow control.

An example might be:

  • If user has permission to do this action, return TRUE
  • If user has no permission to do this action, return FALSE
  • If user doesn't exist, throw an exception (because we kind of expected the user to exist if this function was called in the first place).


You should use exceptions for exceptional, i.e., unexpected or unusual conditions. Depending on the context of the check a lack of permissions could either be exceptional or not. If, for instance, your code simply does one thing for authorized users and another for unauthorized, or more commonly simply allows additional access to authorized users (say, like showing an admin menu for administrators), then you shouldn't be using exceptions for this. If, on the other hand, an unauthorized user attempts to access a web action that requires authorization or a non-administrator attempts to access an administrator-only action, then an exception could well be an appropriate response. In this case, you should catch the exception and do the appropriate thing, say redirect to a login or error action.

As a generalization, I would say that the code that determines if a user has a specific permission shouldn't throw an exception, but rather return true or false. The code invoking that call might, depending on the context, choose to throw an exception if the permission is required and expected.
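
The split the answers above describe, as an added example that is not part of the original question or any answer: the check returns a strict boolean, exceptions are reserved for cases where the answer cannot be determined, and one top-level boundary logs the detail while showing the user a fixed message. The exception classes, `require_perm`, `handle_request`, the `$backendUp` flag and the sample users are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical exception types for this sketch.
class AuthBackendException extends RuntimeException {}
class AccessDeniedException extends RuntimeException {}

// Constructed sample data standing in for a real permission store.
const PERMISSIONS = ['alice' => ['edit_post'], 'bob' => []];

// Routine check: strict boolean for the expected yes/no outcomes.
// Throws only when the answer cannot be determined at all.
function check_user_perms(string $user, string $action, bool $backendUp = true): bool
{
    if (!$backendUp) {
        throw new AuthBackendException('permission store unreachable');
    }
    if (!array_key_exists($user, PERMISSIONS)) {
        throw new InvalidArgumentException("unknown user: $user");
    }
    return in_array($action, PERMISSIONS[$user], true);
}

// Caller for an action that requires the permission: false becomes an exception here.
function require_perm(string $user, string $action, bool $backendUp = true): void
{
    if (!check_user_perms($user, $action, $backendUp)) {
        throw new AccessDeniedException("$user denied $action");
    }
}

// Top-level boundary: detail goes to the log, the user sees a fixed message,
// and every failure path leaves the action unperformed (fail closed).
function handle_request(string $user, string $action, bool $backendUp = true): string
{
    try {
        require_perm($user, $action, $backendUp);
        return '200 action performed';
    } catch (AccessDeniedException $e) {
        error_log('access denied: ' . $e->getMessage());
        return '403 You have no permission to perform this action.';
    } catch (Throwable $e) {
        error_log('authorization error: ' . get_class($e) . ': ' . $e->getMessage());
        return '500 Something went wrong. Please try again later.';
    }
}

foreach ([['alice', 'edit_post', true], ['bob', 'edit_post', true],
          ['alice', 'edit_post', false], ['carol', 'edit_post', true]] as [$u, $a, $up]) {
    echo handle_request($u, $a, $up), PHP_EOL;
}
```

The loop prints one 200, one 403 and two 500 responses; the backend outage and the unknown user both end in a denial rather than a silent `FALSE` or `NULL` that a caller could mishandle.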
