You have a growing set of functional scripts. You have some web pages that interact with them, CSS to style both your HTML static pages and the HTML that your scripts dish out, and you could (and should) go in and add some client-side Java5cript validation. Things are looking pretty good.
But there’s a monster lurking in the deep. Even though you’ve occasionally added a die or a conditional to ensure that your queries return a result row, your code really assumes the perfect user: one who always types exactly what you expect, never enters a phone number in the email field or spaces in the Facebook URL field; someone who never needs to go back-and in fact never clicks her browser’s Back button at an inopportune time-and never enters her information into the same form twice by furiously clicking “Add my information” instead of waiting on her lousy Internet connection.
Of course, if you start thinking about your friends and family, you probably don’t know a lot of those types of users. And that’s a problem …a big problem. The reality of web software-and in fact any type of software-is that people will always find ways to break your best-intended pages, forms, and scripts. They’ll supply you bad information, leave out required fields, and make a general mess of anything and everything.
Suppose you’ve typed something wrong in your database connection script. ill your users see a helpful error message? Or even an email to which they can report the problem? No, they’ll get the rather disappointing screen shown in Figure 8-1.
A cryptic error message might be fine when it’s only you using your system, testing things out, making sure your code is right. But this is a poor excuse for handling errors in any kind of system that’s going to make it out there in the wilds of the Internet.
It gets even worse; try to visit the show_user.php URL again and supply a user ID that you know doesn’t exist. Figure 8-2 shows that, instead of generating an error, the invalid user ID is being swallowed up by your script. You get an “empty” user profile, but otherwise it looks like nothing’s wrong. There’s a lot of work to do here. First things first, though: What exactly should an error page have on it?