PHP_Settings - Extrimity

Software & software development

4 Nov 2013 (3 years and 11 months ago)

80 views

PHP.INI


Path: /etc/php5/apache2 (the php.ini read by the Apache module; the command-line SAPI reads its own copy, so settings changed there do not affect web requests)

To set a directive at runtime from PHP: ini_set($var, $value)

To read one: ini_get($var)

To restore the php.ini value: ini_restore($var)

Only directives marked PHP_INI_ALL or PHP_INI_USER in the manual can be changed with ini_set(); PHP_INI_SYSTEM directives (disable_functions, expose_php, allow_url_fopen and others below) can only be set in php.ini or httpd.conf, and ini_set() returns false for them.
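The three calls above, exercised in an added example (not code from the original notes), which also shows the difference between a directive a script may change and one fixed in php.ini:

```php
<?php
// Added example: ini_get / ini_set / ini_restore, and which directives accept
// runtime changes. Nothing here depends on the application; run it with php-cli
// or via the web SAPI.

function showDirective(string $name): void
{
    $value = ini_get($name);
    // ini_get() returns false for an unknown directive and "" for an empty one.
    printf("%-20s = %s\n", $name, $value === false ? '(unknown directive)' : var_export($value, true));
}

// display_errors is PHP_INI_ALL: a script may change it and later restore it.
showDirective('display_errors');
$old = ini_set('display_errors', '0');   // previous value on success, false on failure
var_dump($old !== false);                // bool(true)
showDirective('display_errors');
ini_restore('display_errors');            // back to the php.ini value, not merely the previous one
showDirective('display_errors');

// disable_functions is PHP_INI_SYSTEM: settable only in php.ini / httpd.conf.
// ini_set() refuses, so a compromised script cannot re-enable a disabled function.
$result = ini_set('disable_functions', '');
var_dump($result);                        // bool(false)
showDirective('disable_functions');

// memory_limit is PHP_INI_ALL and accepts the same shorthand as php.ini ("64M").
ini_set('memory_limit', '64M');
showDirective('memory_limit');
ini_restore('memory_limit');
showDirective('memory_limit');
```

The `false` return from ini_set() on a PHP_INI_SYSTEM directive is the check to use when a hardening setting must not be undoable from application code.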


1. Enable the PHP scripting language engine under Apache

Default: engine = On

This setting controls whether PHP scripts are executed at all.

If it is set to engine = Off, Apache no longer hands .php files to PHP: requesting a PHP file offers it for download instead of executing it, which exposes the script's source code (database credentials included) to anyone who asks for it.


2. Enable compatibility mode with Zend Engine 1 (PHP 4.x)

Default: zend.ze1_compatibility_mode = Off

Set this to On only if you must run legacy PHP 4 code that depends on Zend Engine 1 behaviour (for example objects being copied by value rather than by handle). The directive was removed in PHP 5.3.0.


3. Allow <? and <?php tags

Default: short_open_tag = On

Allows both the short <? tag and the full <?php tag.

If changed to short_open_tag = Off, only <?php is recognised; a file written with <? is sent to the browser as literal text and typically renders as a blank page.

Disable this option if you need to emit <?xml ?> declarations inline in PHP files: with short tags on, <?xml is taken as the start of a PHP block and causes a parse error. Code that uses only <?php works under either setting, which is the portable choice.


4. Allow ASP-style <% %> tags

Default: asp_tags = Off

Leave it Off; the directive was removed in PHP 7.0.0.


5. The number of significant digits displayed in floating point numbers

Default: precision = 14 (these notes were taken on a system with precision = 12, which the examples below assume)

Float-to-string conversion is limited to this many significant digits.

1000/3 with precision = 12 prints 333.333333333

A float that needs more than 12 significant digits is not padded with zeros; it is rounded to 12 digits and printed in exponent notation: 1234567890123456.0 prints 1.23456789012E+15. Integers are unaffected, since precision applies only to floats: echo 1234567890123456 prints all 16 digits on a 64-bit build.


6. Enforce year 2000 compliance (will cause problems with non-compliant browsers)

Default: y2k_compliance = On

This affects the Expires date that setcookie() writes. With y2k_compliance = On the year is written with four digits (for example 12-Dec-2009); with Off it is written with two digits for the benefit of very old browsers that could not parse a four-digit year. Other old browsers misread a two-digit year such as "12/12/09" as 1909, treat the cookie as already expired and never send it back.

There are two ways around this:

1. Leave y2k_compliance = On, so a four-digit year is sent and every browser released after 2000 handles the cookie correctly.

2. Do not set a cookie expiry date at all (session cookies, which live until the browser is closed).

The directive was removed in PHP 5.4.0; setcookie() always emits a four-digit year since then.


7. Settings for output buffering

Default: output_buffering = Off

Normally, session, cookie or any other HTTP header data in a PHP script must be sent before the script produces any output. If that is not possible in an application, enable output buffering:

output_buffering = On

With output buffering on, PHP stores output in a memory buffer and sends it only when the buffer fills, the script ends, or the script flushes it explicitly. This lets you send HTTP headers and cookie data even in the middle or at the end of a script; the cost is a small performance overhead.

You can also give output_buffering a number, the size of the buffer in bytes; this is the form php.ini-production uses:

output_buffering = 4096


8. Settings for zlib output compression

Default: zlib.output_compression = Off

When On, PHP transparently gzip-compresses each script's output for clients that sent Accept-Encoding: gzip and adds the matching Content-Encoding header. The directive also accepts a buffer size (zlib.output_compression = 4096).

In these notes the call

echo ob_gzhandler("Hello", PHP_OUTPUT_HANDLER_START);

produced the browser error "Content Encoding Error: The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression" with the directive Off, and displayed correctly with zlib.output_compression = On.

Two caveats. ob_gzhandler() is designed to be registered as the callback of ob_start('ob_gzhandler'), not called and echoed directly. And the manual states that ob_gzhandler() and zlib.output_compression must not be used together, and that the ini directive is the preferred of the two; pick one mechanism.


9. Implicit flush

Default: implicit_flush = Off

implicit_flush tells PHP to have the output layer flush itself automatically after every output block. This is equivalent to calling flush() after each and every print or echo and after each HTML block. It is useful for debugging but costly in production; the CLI SAPI forces it On.


10. error_reporting

Default: error_reporting = E_ALL & ~E_NOTICE

This reports every error level except NOTICE.

Enabling E_NOTICE during development has benefits: NOTICE messages warn you about possible bugs in your code, for example reading an unassigned variable or an undefined array index.

PHP 5 introduced the error level E_STRICT. Up to PHP 5.3 it is not included in E_ALL (from 5.4 it is), so it has to be enabled explicitly: error_reporting = E_ALL | E_STRICT. STRICT messages point out code that runs but relies on discouraged constructs, for example calling a non-static method statically. Warnings about deprecated functions are a separate level, E_DEPRECATED, added in PHP 5.3.0. In production keep reporting high but log the messages instead of displaying them (see display_errors and log_errors below).


11. display_errors

Default: display_errors = On (php.ini-production ships it Off)

Determines whether errors are printed to the screen as part of the output or hidden from the user. This is a development aid and must never be enabled on production systems: error output discloses file paths, SQL fragments and sometimes credentials to anyone who can trigger an error.


12. display_startup_errors

Default: display_startup_errors = Off

Even when display_errors is On, errors that occur during PHP's startup sequence (for example an extension that fails to load) are not displayed unless this is also On. Keep it Off except while debugging a startup problem.


13. safe_mode

Default: safe_mode = Off (On if PHP was compiled with --enable-safe-mode)

safe_mode tried to stop scripts performing operations that could let an attacker break into the server, mainly through file-ownership checks and restricted functions. It was never a reliable boundary: as the manual puts it, the problem it addressed belongs to the web server and operating system, not to PHP. The feature was DEPRECATED in PHP 5.3.0 and removed in PHP 5.4.0; relying on it is highly discouraged. Isolate sites at the OS level instead (a separate system user per site) and use open_basedir and disable_functions for defence in depth.


14. memory_limit

Default: memory_limit = 128M (PHP >= 5.2.1; 16M in PHP 5.2.0 and 8M before that)

This sets the maximum amount of memory a script is allowed to allocate, in bytes or with a K/M/G suffix. It stops a poorly written or deliberately abused script from eating all available memory on the server. To have no memory limit, set the directive to -1; on a shared server that removes a useful denial-of-service guard.


15. max_execution_time

Default: max_execution_time = 30 (in seconds)

This sets the maximum time in seconds a script is allowed to run before the parser terminates it, and helps prevent poorly written scripts from tying up the server. The default is 30 for web requests; when running PHP from the command line the default is 0 (unlimited).

To make it unlimited, set it to 0:

max_execution_time = 0

On Linux the limit counts only CPU time spent inside the script: time spent sleeping or waiting on a database, file or network call is not included, so neither this directive nor set_time_limit() protects against slow external services.


16. max_input_time

Default: max_input_time = 60 (in seconds; the compiled-in default is -1, meaning max_execution_time applies)

This sets the maximum time in seconds PHP may spend parsing request input such as POST, GET and file uploads. The timer runs from the start of the request until the script itself begins executing.


17. expose_php

Default: expose_php = On

In a default Apache/PHP configuration PHP inserts its own HTTP header advertising that the server runs PHP. The "X-Powered-By" response header shows the PHP version and in some cases the distribution patch level. This is troublesome because attackers read response headers to confirm the PHP version before choosing an exploit; for example, if they discover you are running PHP 4, they will try known PHP 4 vulnerabilities. Set expose_php = Off to suppress the header. The directive is PHP_INI_SYSTEM, so this has to be done in php.ini, not with ini_set().

Hiding the header removes a convenience for the attacker, not the vulnerabilities: an unpatched version is just as exploitable without the banner, so keep PHP updated. Also check Apache's ServerTokens directive, because with ServerTokens Full the Server header itself lists the PHP module version.

Using HttpFox, an HTTP header analyzer extension for Firefox, I verified that PHP is no longer adding the "X-Powered-By" header to my responses.
18. Mail Settings

On Windows, mail() speaks SMTP directly and needs the following settings:

SMTP = localhost

smtp_port = 25

sendmail_from = test@webaccess.com

On Linux these directives are ignored: mail() pipes the message to the program named in sendmail_path (the system sendmail binary by default), and the From address has to be supplied in the additional-headers argument of mail(), for example "From: test@webaccess.com". Anything user-controlled that ends up in that headers argument must have CR and LF characters removed, otherwise a client can inject extra recipients or headers.


19. file_uploads

Default: file_uploads = On

Whether or not to allow HTTP file uploads. Set it Off on any server that does not need them; that removes the whole upload parsing path from the attack surface.

upload_tmp_dir

Default: upload_tmp_dir = NULL

The temporary directory used to store files while an upload is being processed. It must be writable by whatever user PHP runs as. If not specified, PHP uses the system's default temporary directory. A dedicated directory outside the web root, not shared with other users, keeps unvalidated uploads from being served or read by anyone else before the script has checked them.


20. upload_max_filesize

Default: upload_max_filesize = 2M

The maximum size of a single uploaded file; a larger file arrives with UPLOAD_ERR_INI_SIZE in $_FILES[...]['error'] and no temporary file. The notes record that 0 makes the size unlimited; in practice set an explicit bound, since every byte accepted is written to upload_tmp_dir.


21. max_file_uploads (added in PHP 5.2.12)

Default: max_file_uploads = 20

The maximum number of files allowed to be uploaded in one request. It was introduced to prevent denial of service through temporary-file exhaustion: before it existed, a request containing thousands of file parts made PHP create a temporary file for each one.




22. post_max_size

Default: post_max_size = 8M

Sets the maximum size of POST data allowed. This setting also affects file uploads: to upload large files, this value must be larger than upload_max_filesize, because the whole request body including the file parts has to fit. If a memory limit is enabled, memory_limit also affects file uploading; generally memory_limit should be larger than post_max_size. If the size of the POST data is greater than post_max_size, the request is not rejected with an error: $_POST and $_FILES simply arrive empty, and a script has to compare $_SERVER['CONTENT_LENGTH'] against the limit to tell what happened.
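An upload handler that checks each of the conditions from items 19 to 22, as an added example (not code from the original notes). The field name "document", the target directory /var/www/uploads-private and the startup sanity check are assumptions for illustration:

```php
<?php
// Added example: validating an HTTP upload against the php.ini limits discussed
// above. Assumed form field "document"; assumed storage dir /var/www/uploads-private.

function iniBytes(string $value): int
{
    // php.ini shorthand: "8M" -> 8388608, "2G" -> 2147483648; plain numbers are bytes.
    $value = trim($value);
    $num   = (int) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $num * 1024 * 1024 * 1024;
        case 'M': return $num * 1024 * 1024;
        case 'K': return $num * 1024;
        default:  return $num;
    }
}

function handleUpload(string $field, string $targetDir): string
{
    // Case 1: body exceeded post_max_size. PHP discards it silently and both
    // $_POST and $_FILES are empty; Content-Length is the only evidence left.
    $contentLength = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && empty($_POST) && empty($_FILES)
        && $contentLength > iniBytes(ini_get('post_max_size'))) {
        return 'Request body larger than post_max_size (' . ini_get('post_max_size') . ')';
    }

    if (!isset($_FILES[$field])) {
        return 'No file field "' . $field . '" in request';
    }
    $file = $_FILES[$field];

    // Case 2: per-file error codes set by PHP's multipart parser.
    switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:
            return 'File exceeds upload_max_filesize (' . ini_get('upload_max_filesize') . ')';
        case UPLOAD_ERR_PARTIAL:
            return 'File was only partially uploaded (connection interrupted)';
        case UPLOAD_ERR_NO_FILE:
            return 'No file was uploaded';
        case UPLOAD_ERR_NO_TMP_DIR:
            return 'upload_tmp_dir is missing or not writable';
        default:
            return 'Upload failed with error code ' . $file['error'];
    }

    // Case 3: never trust the client-supplied name or MIME type. Store under a
    // server-chosen name and move with move_uploaded_file(), which refuses any
    // path that was not actually uploaded in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'tmp_name is not an uploaded file';
    }
    $dest = rtrim($targetDir, '/') . '/' . bin2hex(random_bytes(16)) . '.bin';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'Could not move upload into ' . $targetDir;
    }
    return 'Stored as ' . $dest;
}

// Startup sanity check of the ordering the text requires:
// upload_max_filesize < post_max_size < memory_limit (unless memory_limit is -1).
$bytes = [];
foreach (['upload_max_filesize', 'post_max_size', 'memory_limit'] as $directive) {
    $bytes[$directive] = iniBytes((string) ini_get($directive));
}
if ($bytes['post_max_size'] <= $bytes['upload_max_filesize']) {
    error_log('post_max_size must be larger than upload_max_filesize');
}
if ($bytes['memory_limit'] !== -1 && $bytes['memory_limit'] <= $bytes['post_max_size']) {
    error_log('memory_limit should be larger than post_max_size');
}

echo handleUpload('document', '/var/www/uploads-private'), "\n";
```

The Content-Length comparison in case 1 is the only way to report the post_max_size failure to the user; without it an oversized upload looks like a form submitted with no fields at all.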


23. allow_call_time_pass_reference

Default: allow_call_time_pass_reference = On

Whether to allow passing an argument by reference at the call site, as in foo(&$var), instead of declaring the reference in the function signature. Deprecated in PHP 5.3.0 and removed in PHP 5.4.0; declare the reference in the definition instead (function foo(&$var)).


24. disable_functions

Default: disable_functions = NULL

This directive disables the named functions. A few PHP functions give access to things application users never need (the shell, the process environment, server internals), and disabling them limits what an attacker who gets code execution through an upload, include or injection flaw can do with it.

Only internal (built-in) functions can be listed; user-defined functions cannot be disabled this way. The directive is PHP_INI_SYSTEM, so it can only be set in php.ini or httpd.conf, never from a script. Some functions commonly disabled:

apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, disk_free_space, diskfreespace, dl, highlight_file, ini_alter, ini_restore, openlog, passthru, phpinfo, proc_nice, shell_exec, show_source, symlink, system

Example disabling some functions:

disable_functions = "phpinfo, shell_exec"

<?php
phpinfo();
?>

Running this script now produces:

Warning: phpinfo() has been disabled for security reasons

The list is only as good as its coverage, and aliases must be named individually: ini_alter above is an alias of ini_set, show_source of highlight_file, and the backtick operator is shell_exec. Disabling system and shell_exec while leaving exec, passthru, popen and proc_open available achieves little.


25. disable_classes

Default: disable_classes = NULL

This directive disables the named classes for security reasons. It takes a comma-delimited list of class names. With disable_classes = Directory in php.ini, get_declared_classes() no longer returns the "Directory" class, but a class called "dir".

This works only for PHP built-in classes; any user-defined class in the list still runs. Like disable_functions, it can only be set in php.ini.


26. log_errors

Default: log_errors = Off (php.ini-production ships it On)

Decides whether errors are written to a log (the file named by error_log, or the web server's error log when error_log is unset). Strongly advised on production web sites, in place of displaying errors to users.


27. log_errors_max_len

Default: log_errors_max_len = 1024

Maximum length in bytes of each logged error message. To impose no maximum, set it to 0.


28. magic_quotes_gpc

Default: magic_quotes_gpc = On (PHP < 5.4; the directive no longer exists in 5.4 and later)

Magic quotes automatically escape incoming GET, POST and cookie data before the script sees it. It is preferable to code with magic quotes Off and escape data at the point of use, with the escaping appropriate to that context (SQL, HTML, shell).

The directive escapes characters that are risky inside SQL string literals with a backslash, the same as the addslashes() function: single quote, double quote, backslash and the NUL byte.

Example:

<?php
echo "Altered Text: " . $_POST['question'];
?>
<form method='post'>
Question: <input type='text' name='question'/><br />
<input type='submit'>
</form>

If you enter

It's my code

the output is

Altered Text: It\'s my code

To check whether the directive is enabled, use get_magic_quotes_gpc().

Keep it Off, and do not fall back on addslashes() for SQL: it knows nothing about the connection's character set and can be bypassed with multibyte encodings. Use prepared statements (PDO or mysqli) or, failing that, the driver's own escaping function, and escape with htmlspecialchars() when echoing into HTML, which the example above omits. Magic quotes were deprecated in PHP 5.3.0 and removed in PHP 5.4.0.
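The contrast the paragraph draws, as an added example (not code from the original notes): the raw value is recovered whatever magic_quotes_gpc is set to, the concatenated query is shown failing and then being subverted, and the prepared statement handles the same input safely. The SQLite in-memory table, its rows and the stand-in POST data are constructed here for illustration:

```php
<?php
// Added example: magic quotes handled explicitly, then SQL injection vs. a prepared
// statement. Requires pdo_sqlite; all data below is constructed for the demo.

// 1. Undo magic quotes if the legacy setting is still on (PHP < 5.4), so the rest of
//    the code sees one canonical, unescaped value regardless of php.ini.
function rawInput(array $source, string $key): ?string
{
    if (!isset($source[$key])) {
        return null;
    }
    $value = $source[$key];
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE faq (id INTEGER PRIMARY KEY, question TEXT, answer TEXT)');
$pdo->exec("INSERT INTO faq (question, answer) VALUES ('What''s PHP?', 'A language'),
                                                      ('Is it safe?', 'Depends on you')");

// Constructed request data standing in for $_POST.
$post     = ['question' => "It's my code"];
$question = rawInput($post, 'question');

// 2. Vulnerable form: the value is spliced into the SQL text. The apostrophe in "It's"
//    breaks the statement, and a value like  x' OR '1'='1  rewrites its logic.
function findVulnerable(PDO $pdo, string $q): array
{
    $sql = "SELECT answer FROM faq WHERE question = '$q'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Hardened form: the value travels as a bound parameter and is never parsed as SQL.
function findPrepared(PDO $pdo, string $q): array
{
    $stmt = $pdo->prepare('SELECT answer FROM faq WHERE question = ?');
    $stmt->execute([$q]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

try {
    findVulnerable($pdo, $question);
} catch (PDOException $e) {
    echo "Concatenated query failed: ", $e->getMessage(), "\n";  // syntax error from the quote
}
echo "Injection against the concatenated query returns ",
     count(findVulnerable($pdo, "x' OR '1'='1")), " rows\n";        // 2: every row leaks

echo "Same input against the prepared query returns ",
     count(findPrepared($pdo, "x' OR '1'='1")), " rows\n";          // 0
echo "Prepared query for a real question: ",
     implode(', ', findPrepared($pdo, "What's PHP?")), "\n";         // A language

// 4. Output escaping is a separate concern from SQL escaping.
echo 'Altered Text: ' . htmlspecialchars($question, ENT_QUOTES, 'UTF-8') . "\n";
```

With magic quotes on, the concatenated query happens to survive "It's my code" because the quote arrives backslashed, which is exactly why the setting hid injection bugs rather than fixing them: the bypass input still works, and any value that never came through GPC is not escaped at all.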


29. allow_url_fopen

Default: allow_url_fopen = On

If set On, the following code works and displays the result:

<?php
$file = fopen("http://192.168.2.30/~vishwas/sample.txt", "r");
$contents = fread($file, 100);
echo $contents;
fclose($file);
?>

If set Off, it fails with the warning:

URL file-access is disabled in the server configuration

Turning it Off stops fopen(), file_get_contents(), copy() and the other stream functions from fetching http:// and ftp:// URLs, which closes one avenue for server-side request forgery and remote file disclosure whenever a user-controlled value reaches a file function. Including or requiring a URL is governed by the separate directive allow_url_include, Off by default since PHP 5.2.0; it must stay Off, otherwise an attacker who controls an include path can execute code fetched from their own server. Both directives are PHP_INI_SYSTEM. The cURL extension is not affected by allow_url_fopen, so an application that needs outbound HTTP can use it and keep this setting Off.
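A read-only audit of the directives covered in items 3, 10 to 12, 15, 17, 19, 24, 26 and 29 against production-safe values, as an added example (not code from the original notes). The expected values, and in particular treating file_uploads = Off as correct, are assumptions about a server that takes no uploads; adjust them to the application:

```php
<?php
// Added example: audit php.ini against a hardened baseline with ini_get().
// Run it through the web SAPI (php-cli reads a different php.ini, and the CLI
// always reports max_execution_time as 0). Fix findings in php.ini, not with ini_set().

function auditIni(): array
{
    // directive => [expected value, comparison mode]
    $expect = [
        'expose_php'             => ['0',    'bool'],
        'display_errors'         => ['0',    'bool'],
        'display_startup_errors' => ['0',    'bool'],
        'log_errors'             => ['1',    'bool'],
        'allow_url_fopen'        => ['0',    'bool'],
        'allow_url_include'      => ['0',    'bool'],
        'short_open_tag'         => ['0',    'bool'],
        'file_uploads'           => ['0',    'bool'],   // assumption: this app takes no uploads
        'disable_functions'      => ['exec,passthru,shell_exec,system,proc_open,popen', 'contains'],
        'max_execution_time'     => [30,     'max'],
        'memory_limit'           => ['128M', 'set'],
    ];

    $findings = [];
    foreach ($expect as $name => [$want, $mode]) {
        $have = ini_get($name);
        if ($have === false) {
            $findings[] = "$name: directive not present in this PHP build";
            continue;
        }
        switch ($mode) {
            case 'bool':
                // ini_get() hands back "1"/"0", "On"/"Off" or "" depending on how php.ini spelt it.
                if (filter_var($have, FILTER_VALIDATE_BOOLEAN) !== filter_var($want, FILTER_VALIDATE_BOOLEAN)) {
                    $findings[] = "$name = " . var_export($have, true) . " (expected $want)";
                }
                break;
            case 'contains':
                // Every function in the baseline must appear in the server's list.
                $haveList = array_map('trim', explode(',', strtolower($have)));
                $missing  = array_diff(explode(',', $want), $haveList);
                if ($missing) {
                    $findings[] = "$name: still enabled: " . implode(', ', $missing);
                }
                break;
            case 'max':
                if ((int) $have === 0 || (int) $have > $want) {
                    $findings[] = "$name = $have (expected <= $want; 0 means unlimited)";
                }
                break;
            case 'set':
                if ($have === '' || $have === '-1') {
                    $findings[] = "$name is unlimited (expected a bound such as $want)";
                }
                break;
        }
    }
    return $findings;
}

$findings = auditIni();
if (!$findings) {
    echo "All audited directives are at production-safe values\n";
} else {
    echo "Findings:\n- " . implode("\n- ", $findings) . "\n";
}
```

Because all of the flagged directives except memory_limit and max_execution_time are PHP_INI_SYSTEM, the same script can serve as a regression check after a PHP upgrade replaces php.ini.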


30. mysql.connect_timeout

Default: mysql.connect_timeout = 60 (in seconds)

Connect timeout in seconds for the legacy mysql extension. On Linux this timeout is also used while waiting for the first answer from the server.

The timeout only comes into play when the host is unreachable, so the TCP handshake or the first reply never completes. If the host is up but mysqld is not listening, the kernel refuses the connection immediately and the timeout is irrelevant. The mysql extension this applies to was deprecated in PHP 5.5.0 and removed in PHP 7.0.0; the equivalent for mysqli is the MYSQLI_OPT_CONNECT_TIMEOUT option and for PDO the PDO::ATTR_TIMEOUT attribute.