Hello Friends,
A article which describe what is the use of particular variable in php.ini files and how to do settings in this file. How to set each variable in php.ini file and what is the purpose of each is explain in this article. Please go through and will definetely get the solution.
Php.ini setting for each variable:
1 > allow_call_time_pass_reference Boolean
Whether to enable the ability to force arguments to be passed by reference at function call time. This method is deprecated and is likely to be unsupported in future versions of PHP/Zend. The encouraged method of specifying which arguments should be passed by reference is in the function declaration. You're encouraged to try and turn this option Off and make sure your scripts work properly with it in order to ensure they will work with future versions of the language (you will receive a warning each time you use this feature, and the argument will be passed by value instead of by reference).
Passing arguments by reference at function call time was deprecated for code cleanliness reason. Function can modify its argument in undocumented way if it didn't declare that the argument is passed by reference. To prevent side effects it's better to specify which arguments are passed by reference in function declaration only.
====================================================
2 > allow_url_fopen
This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers.
This setting can only be set in php.ini due to security reasons.
This option was introduced immediately after the release of version 4.0.3. For versions up to and including 4.0.3 you can only disable this feature at compile time by using the configuration switch --disable-url-fopen-wrapper.
====================================================
3 > always_populate_raw_post_data Boolean
Always populate the $HTTP_RAW_POST_DATA variable.
4 > arg_separator.input
List of separator(s) used by PHP to parse input URLs into variables
5 > arg_separator.output
The separator used in PHP generated URLs to separate arguments
6 > asp_tags
Enables the use of ASP-like <% %> tags in addition to the usual tags. This includes the variable-value printing shorthand of <%= $value %>.
7 > auto_globals_jit Boolean
When enabled, the SERVER and ENV variables are created when they're first used (Just In Time) instead of when the script starts. If these variables are not used within a script, having this directive on will result in a performance gain
The PHP directives register_globals, register_long_arrays, and register_argc_argv must be disabled for this directive to have any affect.
8 > display_error and display_startup_errors
These two settings control whether PHP should display errors in the browser or be silent. It is recommended that you turn these two settings Off during production so that you don't accidentally display sensitive information about your Web site. This is especially true for dynamic Web sites that send usernames and password to access a database. In your php.ini file, this configuration will look like:
display_errors = off
display_startup_errors = off
9 > log_erros and error_log
There two settings control how PHP logs errors for later review. It is helpful to use these two settings if you have turned Off display_errors and display_startup_errors. In your php.ini file, this configuration will look like
Log_errors = On
Error_log = /hwxx/daxx/uwnetid/phperrors.log
Replace /hwxx/daxx/uwnetid/ with the path to your Web directory. Make sure that you have a file called phperrors.log in the root of your Web directory (typically public_html) and make sure it is read and writable by you
10 > session.save_path
This setting controls the location of server-side session cookies when your script uses PHP's session management functions. The server default php.ini file has this variable set to /use/a/folder/in/your/web/root, disabling the user of sessions. In order to use PHP sessions, you will need to create a temp folder in your web directory and change this option to point to it:
There are a number of reasons for requiring this configuration:
(1) To make sure that another user doesn't tamper with these cookies. (2)To keep the /tmp folder from filling up, causing other programs to fail. (3) Due to the clustered nature of the UW webservers, session info should be stored in a place that is available on all machines in the cluster
session.save_path = /hwxx/daxx/uwnetid/tmp
Replace /hwxx/daxx/uwnetid/ with the path to your Web directory. Again, make sure that you have a directory called tmp in the root of your Web directory (typically public_html) and make sure it is read and writable by you only
11 > upload_temp_dir
This setting controls the temporary location of files uploaded with an HTML form. If you don't specify a path for this setting, uploaded files will be temporarily stored in a world-readable location on the server. To protect ease of manipulation and the confidentiality of such files, you should create a directory in your account and specify the new path in your php.ini file
upload_tmp_dir = /hwxx/daxx/uwnetid/tmp
Replace /hwxx/daxx/uwnetid/ with the path to your Web directory. Make sure that you have a directory called tmp in the root of your Web directory (typically public_html) and make sure it is read and writable by you only.
13 > enable_dl
This directive is really only useful in the Apache module version of PHP. You can turn dynamic loading of PHP extensions with dl() on and off per virtual server or per directory.
The main reason for turning dynamic loading off is security. With dynamic loading, it's possible to ignore all open_basedir restrictions. The default is to allow dynamic loading, except when using safe mode. In safe mode, it's always impossible to use dl().
14 > extension_dir string
In what directory PHP should look for dynamically loadable extensions
15 > file_uploads
Whether or not to allow HTTP file uploads. See also the upload_max_filesize, upload_tmp_dir, and post_max_size directives
16 > gpc_order
Set the order of GET/POST/COOKIE variable parsing. The default setting of this directive is "GPC". Setting this to "GP", for example, will cause PHP to completely ignore cookies and to overwrite any GET method variables with POST-method variables of the same name
This option is not available in PHP 4. Use variables_order instead
17 > include_path
Specifies a list of directories where the require(), include() and fopen_with_path() functions look for files. The format is like the system's PATH environment variable: a list of directories separated with a colon in Unix or semicolon in Windows
Unix include_path
include_path=".:/php/includes”
Window include_path
include_path=".;c:\php\includes”
Using a . in the include path allows for relative includes as it means the current directory
18 > magic_quotes_gpc
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.
19 > magic_quotes_runtime
If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.
20 > magic_quotes_sybase
If the magic_quotes_sybase directive is also ON it will completely override magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes, backslashes and NUL's will remain untouched and unescaped
21 > max_execution_time
This sets the maximum time in seconds a script is allowed to run before it is terminated by the parser. This helps prevent poorly written scripts from tying up the server. The default setting is 30.
The maximum execution time is not affected by system calls, stream operations etc. Please see the set_time_limit() function for more details.
You can not change this setting with ini_set() when running in safe mode. The only workaround is to turn off safe mode or by changing the time limit in the php.ini.
Your webserver can have other timeouts. E.g. Apache has Timeout directive, IIS has CGI timeout function, both default to 300 seconds. See the webserver documentation for meaning of it.
22 > max_input_time
This sets the maximum time in seconds a script is allowed to receive input data, like POST, GET and file uploads
23 > open_basedir
Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.
When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink.
The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().
In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with "php_admin_value open_basedir none".
Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.
The restriction specified with open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "open_basedir = /dir/incl/"
Note: Support for multiple directories was added in 3.0.7.
The default is to allow all files to be opened.
24 > output_buffering
Normally, session, cookie or HTTP header data in a PHP script must be sent before any output is generated by the script. If this is not possible in your application, you can enable what PHP calls output buffering, with the output_buffering variable.
With output buffering on, PHP stores the output of your script in a special memory buffer and sends it only when explicitly told to do so. This allows you to send special HTTP headers and cookie data even in the middle or at the end of your script; however, it can degrade performance marginally.
output_buffering = Off
You can also pass the output_buffering variable a number indicating the size of the buffer, for example:
output_buffering = 2048
25 > output_handler
You can redirect all of the output of your scripts to a function. For example, if you set output_handler to mb_output_handler(), character encoding will be transparently converted to the specified encoding. Setting any output handler automatically turns on output buffering.
Note: You cannot use both mb_output_handler() with ob_iconv_handler() and you cannot use both ob_gzhandler() and zlib.output_compression.
Note: Only built-in functions can be used with this directive. For user defined functions, use ob_start().
26 > post_max_size
Also related to form submission is the post_max_size variable, which controls the maximum amount of data that PHP will accept in a single form submission with the POST method. It's unlikely you'll ever need to increase this from the default value of 8 MB; instead, you should probably reduce it to a more realistic figure. However, if you're planning on using the file upload features of PHP, keep this value greater than the value of upload_max_filesize.
post_max_size = 8M
27 > precision
The number of significant digits displayed in floating point numbers.
28 > register_argc_argv
Tells PHP whether to declare the argv & argc variables (that would contain the GET information).
29 > register_globals
New to PHP 4.1.0, the register_globals setting controls how you access form, server, and environment variables. By default this variable is set to Off, requiring you to use special arrays to access these variables. Those familiar with older versions of PHP will be used to an environment in which the register_globals variable is effectively On; with this setting, you can access form, server and environment variables simply by name
Note: This change occurred in PHP 4.1.0 because when register_globals is set to On, PHP scripts are more vulnerable to attacks. Some older PHP applications will require this setting to be on, but it is safer to write new scripts with the assumption that register_globals will be set to Off
To retrieve the value of from a form submitted with the POST method, use the following syntax
PHP code when register_globals = On
$myNewVariable = $formVariable
PHP code when register_globals = Off
$myNewVariable = $_POST['formVariable'];
30 > report_memleaks
report_memleaks is one of the few directives in the php.ini file that I've never had reason to change. Setting this to "Off" will prevent memory leak errors being displayed. However, memory leaks are only displayed when you compile PHP with "--enable-debug" (which allows you to perform some advanced tasks (eg backtraces). This would never affect a production environment, and rarely a development one.
Values: On (default), Off
31 > safe_mode
The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now
Whether to enable PHP's safe mode. Read the Security chapter for more information.
32 > safe_mode_exec_dir
If PHP is used in safe mode, system() and the other functions executing system programs refuse to start programs that are not in this directory. You have to use / as directory separator on all environments including Windows.
One Safe Mode trouble maker is safe_mode_exec_dir. By default safe_mode_exec_dir is empty, so external programs like `convert' cannot be started.
In my testing, on one (Debian) server I was able to use Image Magick's `convert' command (but not for converting gallery images) by using the following steps:
Create a link to `convert' in /usr/local/bin/ with
ln -s /usr/bin/convert /usr/local/bin/
Enable starting programs in that directory with a line in php.ini
safe_mode_exec_dir = "/usr/local/bin"
Restart the web server.
Make Qdig aware of the new location with
$convert_cmd = '/usr/bin/convert';@@
This also works:
Enable starting /usr/bin programs in php.ini with
safe_mode_exec_dir = "/usr/local/bin"
Restart the web server.
so does this:
Create a directory for PHP-safe binaries
mkdir /usr/local/php_safe_bin
Create a link to `convert' in /usr/local/bin/ with
ln -s /usr/bin/convert /usr/local/php_safe_bin/
Enable starting programs in that directory with a line in php.ini
safe_mode_exec_dir = "/usr/local/php_safe_bin"
Restart the web server.
Make Qdig aware of the new location with
$convert_cmd = '/usr/php_safe_bin/convert';@@
The reason for creating a link rather than copying the file is because otherwise system updates will not replace the copy you are using.
For review, the three pertinent settings in php.ini are
safe_mode = On
safe_mode_gid = On
safe_mode_exec_dir = "/path/to/convert/executable"
where only the top two lines are necessary if you are using GD to convert images.
33 > safe_mode_gid
By default, Safe Mode does a UID compare check when opening files. If you want to relax this to a GID compare, then turn on safe_mode_gid. Whether to use UID (FALSE) or GID (TRUE) checking upon file access
To avoid the server-can't-access-files-it-has-written error, the server administrator can enable PHP's safe_mode_gid by adding this line
safe_mode_gid = On
to the the server's PHP configuration file (php.ini) and restarting the web server daemon.
Your web hosting provider should be willing to enable safe_mode_gid (manual page) for you because the security benefit probably exceeds the security risk. This is because
· files written in ordinary (non-SetGID) directories still will be blocked, and
· leaving it disabled encourages users to use world-writable directories and files.
Enabling safe_mod_gid, combined with using (temporarily) "2777" (versus "777") permissions for the qdig-files/ directory during setup, will cause your Qdig installation to Just Work as long PHP's GD extension is loaded and available for image conversion
34 > safe_mode_include_dir
UID/GID checks are bypassed when including files from this directory and its subdirectories (directory must also be in include_path or full path must including).
As of PHP 4.2.0, this directive can take a colon (semi-colon on Windows) separated path in a fashion similar to the include_path directive, rather than just a single directory.
The restriction specified is actually a prefix, not a directory name. This means that "safe_mode_include_dir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "safe_mode_include_dir = /dir/incl/"
If the value of this directive is empty, no files with different UID/GID can be included in PHP 4.2.3 and as of PHP 4.3.3. In earlier versions, all files could be included.
35 > sendmail_from
In either case, you'll want to set the sendmail_from option to your email address, or whichever address you'd like to appear as the default 'from' address for emails sent from PHP scripts.
Here's how the section might look on a typical Windows server, or on a Linux server without sendmail:
[mail function]
; Setup for Windows systems
SMTP = smtp.my.isp.net
sendmail_from = me@myserver.com
And here's how it might look on a Linux server with sendmail:
[mail function]
; Setup for Linux systems
sendmail_path = /usr/sbin/sendmail -t
sendmail_from = me@myserver.com
36 > sendmail_path
If you're going to use PHP's mail() function, there are three variables you may need to set. The SMTP and sendmail_from variables (on Windows) or the sendmail_path variable (on UNIX) are used when sending e-mail messages through PHP's mail() function. On Windows, these variables set the SMTP server to be used and the From: address to display in e-mail messages; on UNIX, the sendmail_path variable sets the path of the MTA (mail transfer agent) for mail delivery:
SMTP = myserver.localnet.com
sendmail_from = me@localhost.com
sendmail_path = /usr/sbin/sendmail
37 > short_open_tag
Tells whether the short form () of PHP's open tag should be allowed. If you want to use PHP in combination with XML, you can disable this option in order to use inline. Otherwise, you can print it with PHP, for example: . Also if disabled, you must use the long form of the PHP open tag ().
Note: This directive also affects the shorthand SMTP
If you're going to use PHP's mail() function, there are three variables you may need to set. The SMTP and sendmail_from variables (on Windows) or the sendmail_path variable (on UNIX) are used when sending e-mail messages through PHP's mail() function. On Windows, these variables set the SMTP server to be used and the From: address to display in e-mail messages; on UNIX, the sendmail_path variable sets the path of the MTA (mail transfer agent) for mail delivery:
SMTP = myserver.localnet.com
39 > smtp_port
Used under Windows only: Number of the port to connect to the server specified with the SMTP setting when sending mail with mail(); defaults to 25. Only available since PHP 4.3.0.
40 > track_errors
If enabled, the last error message will always be present in the global variable $php_errormsg
In addition, if you set the php.ini setting track_errors = On, the last error message encountered will be stored in $php_errormsg. This is true regardless of whether you have used the @ syntax for error suppression
41 > unserialize_callback_func
The unserialize_callback_func directive is one of the more advanced settings in the php.ini file, and the chances are very good that if you change this before you are familiar with serialization, you will cause massive problems on your own server. I'd leave this well alone!
42 > upload_max_filesize
The maximum size of an uploaded file. When an integer is used, the value is measured in bytes. You may also use shorthand notation as described in this FAQ.
43 > upload_tmp_dir
This setting controls the temporary location of files uploaded with an HTML form. If you don't specify a path for this setting, uploaded files will be temporarily stored in a world-readable location on the server. To protect ease of manipulation and the confidentiality of such files, you should create a directory in your account and specify the new path in your php.ini file:
upload_tmp_dir = /hwxx/daxx/uwnetid/tmp
Replace /hwxx/daxx/uwnetid/ with the path to your Web directory. Make sure that you have a directory called tmp in the root of your Web directory (typically public_html) and make sure it is read and writable by you only.
44 > user_dir
The base name of the directory used on a user's home directory for PHP files, for example public_html.
45 > variables_order
Set the order of the EGPCS (Environment, GET, POST, Cookie, Server) variable parsing. The default setting of this directive is "EGPCS". Setting this to "GP", for example, will cause PHP to completely ignore environment variables, cookies and server variables, and to overwrite any GET method variables with POST-method variables of the same name
46 > y2k_compliance
The y2k_compliance directive instructs PHP to use 4-digit years. This setting can apparently cause problems with some browsers (Navigator 3, and possibly others - any that can't understand 4-digit years) when set to On. However, not having it On will possibly cause problems with modern browsers, which can have problems with 2-digit years. I leave this on.
Values: On (default), Off
47 > zend.ze1_compatibility_mode
Enable compatibility mode with Zend Engine 1 (PHP 4). It affects the cloning, casting, and comparing of objects
SESSION
48 > Session Support
Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.
A visitor accessing your web site is assigned an unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.
The session support allows you to register arbitrary numbers of variables to be preserved across requests. When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start() or implicitly through session_register()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated.
49 > session.name string
session.name specifies the name of the session which is used as cookie name. It should only contain alphanumeric characters. Defaults to PHPSESSID. See also session_name().
50 > session.auto_start boolean
session.auto_start specifies whether the session module starts a session automatically on request startup. Defaults to 0 (disabled).
51 > session.serialize_handler string
session.serialize_handler defines the name of the handler which is used to serialize/deserialize data. Currently, a PHP internal format (name php) and WDDX is supported (name wddx). WDDX is only available, if PHP is compiled with WDDX support. Defaults to php.
52 > session.gc_probability integer
session.gc_probability in conjunction with session.gc_divisor is used to manage probability that the gc (garbage collection) routine is started. Defaults to 1. See session.gc_divisor for details.
53 > session.gc_divisor integer
session.gc_divisor coupled with session.gc_probability defines the probability that the gc (garbage collection) process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. session.gc_divisor defaults to 100.
54 > session.gc_maxlifetime integer
session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and cleaned up.
Note: If you are using the default file-based session handler, your filesystem must keep track of access times (atime). Windows FAT does not so you will have to come up with another way to handle garbage collecting your session if you are stuck with a FAT filesystem or any other fs where atime tracking is not available. Since PHP 4.2.3 it has used mtime (modified date) instead of atime. So, you won't have problems with filesystems where atime tracking is not available.
55 > session.referer_check string
session.referer_check contains the substring you want to check each HTTP Referer for. If the Referer was sent by the client and the substring was not found, the embedded session id will be marked as invalid. Defaults to the empty string.
56 > session.entropy_file string
session.entropy_file gives a path to an external resource (file) which will be used as an additional entropy source in the session id creation process. Examples are /dev/random or /dev/urandom which are available on many Unix systems.
57 > session.entropy_length integer
session.entropy_length specifies the number of bytes which will be read from the file specified above. Defaults to 0 (disabled).
58 > session.use_cookies boolean
session.use_cookies specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).
59 > session.use_only_cookies boolean
session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Defaults to 0 (disabled, for backward compatibility). Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0.
60 > session.cookie_lifetime integer
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0. See also session_get_cookie_params() and session_set_cookie_params().
61 > session.cookie_path string
session.cookie_path specifies path to set in session_cookie. Defaults to /. See also session_get_cookie_params() and session_set_cookie_params().
62 > session.cookie_domain string
session.cookie_domain specifies the domain to set in session_cookie. Default is none at all. See also session_get_cookie_params() and session_set_cookie_params().
63 > session.cookie_secure boolean
session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off. This setting was added in PHP 4.0.4. See also session_get_cookie_params() and session_set_cookie_params().
64 > session.cache_limiter string
session.cache_limiter specifies cache control method to use for session pages (none/nocache/private/private_no_expire/public). Defaults to nocache. See also session_cache_limiter().
65 > session.cache_expire integer
session.cache_expire specifies time-to-live for cached session pages in minutes, this has no effect for nocache limiter. Defaults to 180. See also session_cache_expire().
66 > session.use_trans_sid boolean
session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).
Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.
URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.
67 > session.bug_compat_42 boolean
PHP versions 4.2.3 and lower have an undocumented feature/bug that allows you to initialize a session variable in the global scope, albeit register_globals is disabled. PHP 4.3.0 and later will warn you, if this feature is used, and if session.bug_compat_warn is also enabled. This feature/bug can be disabled by disabling this directive.
68 > session.bug_compat_warn boolean
PHP versions 4.2.3 and lower have an undocumented feature/bug that allows you to initialize a session variable in the global scope, albeit register_globals is disabled. PHP 4.3.0 and later will warn you, if this feature is used by enabling both session.bug_compat_42 and session.bug_compat_warn.
69 > session.hash_function integer
session.hash_function allows you to specify the hash algorithm used to generate the session IDs. '0' means MD5 (128 bits) and '1' means SHA-1 (160 bits).
Note: This was introduced in PHP 5.
70 > session.hash_bits_per_character integer
session.hash_bits_per_character allows you to define how many bits are stored in each character when converting the binary hash data to something readable. The possible values are '4' (0-9, a-f), '5' (0-9, a-v), and '6' (0-9, a-z, A-Z, "-", ",").
Note: This was introduced in PHP 5.
71 > url_rewriter.tags string
url_rewriter.tags specifies which HTML tags are rewritten to include session id if transparent sid support is enabled. Defaults to a=href,area=href,frame=src,input=src,form=fakeentry,fieldset=
Note: If you want XHTML conformity, remove the form entry and use the
Tuesday, November 20, 2007
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment