Let's say something happens in your application, like some exception thrown. As a developer I would like to see it, but I don't want the typical site user to see it too (it exposes paths and stuff).
I noticed that some sites are encrypting the error message, and the users see:
Oh shit something went wrong. Give this code to the site admin:
*&#BFO*&@BF#*&@BH#OGF*@B#(G*O&GBO*@#BG*@#BG*@BO#GO*@B#(GP
*O&QBOF*UB@#GOF*&B@#G*&OGB*@#O&BG*&@#BG(P*@#HNFIO@NW#FKLJ
*@UB#FO@#B*FB*OBF*O&BW#O*FBWO*G#B&*OGB*W#BGLKJWBGLKJBGLKJ
or something like that. Then the developer can decrypt it and see the message.
Is this a good or bad idea?
Are there any better ways?
Well it usually is a good idea to encrypt the error message since it may contain information about security issues which hackers could exploit.
On the other hand, end users are more likely to show the webmaster a short error message (like `MySQL: Duplicate entry <whatever> for key <whatever>`) than a bunch of random code they don't understand.
I usually add automatic error reporting and write something like "An error has occurred. The webmaster has been notified and will try to fix the problem as soon as possible. If issues persist, send this code to the webmaster here (link to error reporting form).".
The error message, along with a dump of $_SERVER, is encoded using an ASCII shift and placed inside <small> tags to reduce size and scariness.
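The pattern this answer describes (report the full details to the admin automatically, show the user only a short code) can be done without exposing or encoding the details at all: log the exception and a redacted request dump server-side under a random reference ID, and hand the user just that ID. The following is an added example, not code from the answerer; it is written in Python rather than PHP, the in-memory `ERROR_STORE` stands in for a real log or database, and the `SENSITIVE_KEYS` list, the sample environment and the failing handler are constructed for illustration.

```python
import logging
import secrets
import traceback

logger = logging.getLogger("app.errors")

# Server-side store keyed by opaque reference IDs. In production this would be a
# log file, a database table or an error-tracking service; an in-memory dict is
# used here (an assumption of this example) so the code runs offline.
ERROR_STORE = {}

# Request/environment keys that commonly carry credentials (assumed list). Their
# values are masked before the dump is stored so the admin log does not become a
# credential store of its own.
SENSITIVE_KEYS = {"HTTP_COOKIE", "HTTP_AUTHORIZATION", "PHP_AUTH_PW", "PHP_AUTH_USER"}


def redact_environ(environ):
    """Return a copy of the request environment with credential-bearing values masked."""
    return {k: ("<redacted>" if k.upper() in SENSITIVE_KEYS else v)
            for k, v in environ.items()}


def record_error(exc, environ):
    """Store the full exception details server-side and return an opaque reference ID."""
    ref = secrets.token_hex(8)  # 64 random bits: unguessable, and harmless if the user shares it
    ERROR_STORE[ref] = {
        "type": type(exc).__name__,
        "message": str(exc),
        "traceback": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
        "environ": redact_environ(environ),
    }
    # This log line is the "automatic error reporting": only the admin's log sees the details.
    logger.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return ref


def user_facing_message(ref):
    """What the site user sees: no paths, no query text, no stack trace, only the reference."""
    return ("An error has occurred. The webmaster has been notified. If the problem "
            "persists, quote reference %s when contacting the webmaster." % ref)


def lookup_error(ref):
    """Admin-side lookup: the reference resolves to the stored details, or None."""
    return ERROR_STORE.get(ref)


def handle_request(handler, environ):
    """Run a request handler; on failure return a 500 whose body exposes only the reference ID."""
    try:
        return 200, handler(environ)
    except Exception as exc:  # catch everything: an unhandled exception is exactly what leaks
        ref = record_error(exc, environ)
        return 500, user_facing_message(ref)


# Constructed sample request and a handler that fails the way a real one might,
# with an internal path and database detail in the exception text.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "POST",
    "REQUEST_URI": "/signup",
    "HTTP_COOKIE": "session=0123456789abcdef",
}


def failing_handler(environ):
    raise RuntimeError("MySQL: Duplicate entry 'bob' for key 'username' "
                       "in /var/www/app/models/user.php")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    status, body = handle_request(failing_handler, SAMPLE_ENVIRON)
    print(status, body)
```

The reference is random rather than derived from the error, so a user who posts it publicly reveals nothing, and the admin resolves it with `lookup_error` instead of decrypting a blob pasted from a support ticket. Redacting cookies and authorization headers before the dump is stored matters as much as hiding it from the user: a $_SERVER dump that includes session cookies is a credential leak waiting for whoever reads the log.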
You can set a cookie for your particular session and use that to show and hide errors; for example, check whether a user is logged in or not, and if logged in, whether s/he has the privileges to see the errors.
Your approach relies on the user too much. Better to have it say something like:
An error occurred and the application would like to send the details to the site admin. [Info about potential user data exposed] Okay? [yes] [no]
You don't need to show the user the details at all.