A while back I commented on one of possible248′s posts that secret GET parameters aren’t the best way to do debugging. The problem is that if someone discovers your “secret” parameter (which most people would probably set to just debug=1), they can get all sorts of information about your site’s underlying code structure.

What I like to do is have debug mode switched in the source code itself, say in a global include file that defines constants and variables for the entire site. (MediaWiki’s LocalSettings.php is a good example.) Since it’s usually wise to do your development on a different set of files (at least, if not on your own machine), you can make changes and set debug mode on while coding, and then turn it off before uploading the code to the live site. There’s no risk of someone discovering a hidden parameter, and you use the same basic if(debug){print debug stuff} code that you would otherwise.

It’s not necessarily something you would call a “best practice”; it’s just the sort of thing that you want to think about before making the decision to use GET params or constants. If security is important, you should stick with things that can only be switched by modifying the source code. Barring anyone hacking your server, everything would be safe from GET snoopers.

This is your daily food for thought.