authorZeev Suraski <zeev@php.net>2001-08-11 15:22:56 +0000
committerZeev Suraski <zeev@php.net>2001-08-11 15:22:56 +0000
commit860b591299f8554cbf769fb21d6406f64580f810 (patch)
treebb2ff2017792586036596f215d02700b2dcd469c
parent1751c4eba57ec614111d0fc459ce6ccd4f73ff84 (diff)
Start pushing register_globals annihilation
-rw-r--r--NEWS5
-rw-r--r--php.ini-dist12
-rw-r--r--php.ini-optimized558
-rw-r--r--php.ini-recommended50
4 files changed, 51 insertions, 574 deletions
diff --git a/NEWS b/NEWS
index 50ff101e5a..122e251c91 100644
--- a/NEWS
+++ b/NEWS
@@ -1,8 +1,11 @@
PHP 4.0 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 200?, Version 4.0.7-dev
+- Replaced php.ini-optimized with php.ini-recommended. As the name implies,
+ it's warmly recommended to use this file as the basis for your PHP
+ configuration, rather than php.ini-dist. (Zeev)
- Restore xpath_eval() and php_xpathptr_eval() for 4.0.7. There
- are still some known leaks.
+ are still some known leaks. (Joey)
- Added import_request_variables(), to allow users to safely import form
variables to the global scope (Zeev)
- Introduced a new $_REQUEST array, which includes any GET, POST or COOKIE
diff --git a/php.ini-dist b/php.ini-dist
index 48fbacc3ae..71e4bf620e 100644
--- a/php.ini-dist
+++ b/php.ini-dist
@@ -1,5 +1,15 @@
[PHP]
-; $Id$
+
+;;;;;;;;;;;
+; WARNING ;
+;;;;;;;;;;;
+; This is the default settings file for new PHP installations.
+; By default, PHP installs itself with a configuration suitable for
+; development purposes, and *NOT* for production purposes.
+; For several security-oriented considerations that should be taken
+; before going online with your site, please consult php.ini-recommended
+; and http://php.net/manual/en/security.php.
+
;;;;;;;;;;;;;;;;;;;
; About this file ;
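Review bot: The new WARNING block tells the reader to consult php.ini-recommended but never says which directives actually differ, so someone deciding whether their site is safe to go online still has to diff the two files. Judging by the php.ini-recommended hunks in this same commit, the directives that matter are register_globals, display_errors and log_errors; a single pointer would save that round trip, e.g. `; In particular, php.ini-recommended sets register_globals = Off, display_errors = Off and log_errors = On.` I am inferring that php.ini-dist itself keeps the development values for those directives, since the rest of the file is outside this hunk.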
diff --git a/php.ini-optimized b/php.ini-optimized
deleted file mode 100644
index c627b47e66..0000000000
--- a/php.ini-optimized
+++ /dev/null
@@ -1,558 +0,0 @@
-[PHP]
-
-;;;;;;;;;;;;;;;;;;;
-; About this file ;
-;;;;;;;;;;;;;;;;;;;
-;
-; This is the 'optimized', PHP 4-style version of the php.ini-dist file.
-; For general information about the php.ini file, please consult the php.ini-dist
-; file, included in your PHP distribution.
-;
-; This file is different from the php.ini-dist file in the fact that it features
-; different values for several directives, in order to improve performance, while
-; possibly breaking compatibility with the standard out-of-the-box behavior of
-; PHP 3. Please make sure you read what's different, and modify your scripts
-; accordingly, if you decide to use this file instead.
-;
-; - allow_call_time_pass_reference = Off
-; It's not possible to decide to force a variable to be passed by reference
-; when calling a function. The PHP 4 style to do this is by making the
-; function require the relevant argument by reference.
-; - register_globals = Off
-; Global variables are no longer registered for input data (POST, GET, cookies,
-; environment and other server variables). Instead of using $foo, you must use
-; $HTTP_POST_VARS["foo"], $HTTP_GET_VARS["foo"], $HTTP_COOKIE_VARS["foo"],
-; $HTTP_ENV_VARS["foo"] or $HTTP_SERVER_VARS["foo"], depending on which kind
-; of input source you're expecting 'foo' to come from.
-; - register_argc_argv = Off
-; Disables registration of the somewhat redundant $argv and $argc global
-; variables.
-; - magic_quotes_gpc = Off
-; Input data is no longer escaped with slashes so that it can be sent into
-; SQL databases without further manipulation. Instead, you should use the
-; function addslashes() on each input element you wish to send to a database.
-; - variables_order = "GPCS"
-; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
-; environment variables, you can use getenv() instead.
-
-
-;;;;;;;;;;;;;;;;;;;;
-; Language Options ;
-;;;;;;;;;;;;;;;;;;;;
-
-engine = On ; Enable the PHP scripting language engine under Apache
-short_open_tag = On ; allow the <? tag. otherwise, only <?php and <script> tags are recognized.
-asp_tags = Off ; allow ASP-style <% %> tags
-precision = 14 ; number of significant digits displayed in floating point numbers
-y2k_compliance = Off ; whether to be year 2000 compliant (will cause problems with non y2k compliant browsers)
-output_buffering = Off ; Output buffering allows you to send header lines (including cookies)
- ; even after you send body content, in the price of slowing PHP's
- ; output layer a bit.
- ; You can enable output buffering by in runtime by calling the output
- ; buffering functions, or enable output buffering for all files
- ; by setting this directive to On.
-output_handler = ; You can redirect all of the output of your scripts to a function,
- ; that can be responsible to process or log it. For example,
- ; if you set the output_handler to "ob_gzhandler", than output
- ; will be transparently compressed for browsers that support gzip or
- ; deflate encoding. Setting an output handler automatically turns on
- ; output buffering.
-zlib.output_compression = Off ; Transparent output compression using the zlib library
- ; Valid values for this option are 'off', 'on', or a specific buffer size
- ; to be used for compression (default is 4KB)
-
-implicit_flush = Off ; Implicit flush tells PHP to tell the output layer to flush itself
- ; automatically after every output block. This is equivalent to
- ; calling the PHP function flush() after each and every call to print()
- ; or echo() and each and every HTML block.
- ; Turning this option on has serious performance implications, and
- ; is generally recommended for debugging purposes only.
-allow_call_time_pass_reference = Off ; whether to enable the ability to force arguments to be
- ; passed by reference at function-call time. This method
- ; is deprecated, and is likely to be unsupported in future
- ; versions of PHP/Zend. The encouraged method of specifying
- ; which arguments should be passed by reference is in the
- ; function declaration. You're encouraged to try and
- ; turn this option Off, and make sure your scripts work
- ; properly with it, to ensure they will work with future
- ; versions of the language (you will receive a warning
- ; each time you use this feature, and the argument will
- ; be passed by value instead of by reference).
-
-; Safe Mode
-safe_mode = Off
-safe_mode_gid = Off ; By default, Safe Mode does a UID compare
- ; check when opening files. If you want to
- ; relax this to a GID compare, then turn on
- ; safe_mode_gid. (safe_mode must be On)
-safe_mode_include_dir = ; When safe_mode is on, UID/GID checks are
- ; bypassed when including files from this
- ; directory and its subdirectories. (directory
- ; must also be in include_path or full path
- ; must be used when including)
-safe_mode_exec_dir =
-safe_mode_allowed_env_vars = PHP_ ; Setting certain environment variables
- ; may be a potential security breach.
- ; This directive contains a comma-delimited
- ; list of prefixes. In Safe Mode, the
- ; user may only alter environment
- ; variables whose names begin with the
- ; prefixes supplied here.
- ; By default, users will only be able
- ; to set environment variables that begin
- ; with PHP_ (e.g. PHP_FOO=BAR).
- ; Note: If this directive is empty, PHP
- ; will let the user modify ANY environment
- ; variable!
-safe_mode_protected_env_vars = LD_LIBRARY_PATH ; This directive contains a comma-
- ; delimited list of environment variables,
- ; that the end user won't be able to
- ; change using putenv().
- ; These variables will be protected
- ; even if safe_mode_allowed_env_vars is
- ; set to allow to change them.
-
-
-disable_functions = ; This directive allows you to disable certain
- ; functions for security reasons. It receives
- ; a comma separated list of function names.
- ; This directive is *NOT* affected by whether
- ; Safe Mode is turned on or off.
-
-
-; Colors for Syntax Highlighting mode. Anything that's acceptable in <font color=???> would work.
-highlight.string = #DD0000
-highlight.comment = #FF8000
-highlight.keyword = #007700
-highlight.bg = #FFFFFF
-highlight.default = #0000BB
-highlight.html = #000000
-
-; Misc
-expose_php = On ; Decides whether PHP may expose the fact that it is installed on the
- ; server (e.g., by adding its signature to the Web server header).
- ; It is no security threat in any way, but it makes it possible
- ; to determine whether you use PHP on your server or not.
-
-
-
-;;;;;;;;;;;;;;;;;;;
-; Resource Limits ;
-;;;;;;;;;;;;;;;;;;;
-
-max_execution_time = 30 ; Maximum execution time of each script, in seconds
-memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)
-
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-; Error handling and logging ;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-; error_reporting is a bit-field. Or each number up to get desired error reporting level
-; E_ALL - All errors and warnings
-; E_ERROR - fatal run-time errors
-; E_WARNING - run-time warnings (non fatal errors)
-; E_PARSE - compile-time parse errors
-; E_NOTICE - run-time notices (these are warnings which often result from a bug in
-; your code, but it's possible that it was intentional (e.g., using an
-; uninitialized variable and relying on the fact it's automatically
-; initialized to an empty string)
-; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
-; E_CORE_WARNING - warnings (non fatal errors) that occur during PHP's initial startup
-; E_COMPILE_ERROR - fatal compile-time errors
-; E_COMPILE_WARNING - compile-time warnings (non fatal errors)
-; E_USER_ERROR - user-generated error message
-; E_USER_WARNING - user-generated warning message
-; E_USER_NOTICE - user-generated notice message
-; Examples:
-; error_reporting = E_ALL & ~E_NOTICE ; show all errors, except for notices
-; error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR ; show only errors
-error_reporting = E_ALL & ~E_NOTICE ; Show all errors except for notices
-display_errors = On ; Print out errors (as a part of the output)
- ; For production web sites, you're strongly encouraged
- ; to turn this feature off, and use error logging instead (see below).
- ; Keeping display_errors enabled on a production web site may reveal
- ; security information to end users, such as file paths on your Web server,
- ; your database schema or other information.
-display_startup_errors = Off ; Even when display_errors is on, errors that occur during
- ; PHP's startup sequence are not displayed. It's strongly
- ; recommended to keep display_startup_errors off, except for
- ; when debugging.
-log_errors = Off ; Log errors into a log file (server-specific log, stderr, or error_log (below))
- ; As stated above, you're strongly advised to use error logging in place of
- ; error displaying on production web sites.
-track_errors = Off ; Store the last error/warning message in $php_errormsg (boolean)
-;error_prepend_string = "<font color=ff0000>" ; string to output before an error message
-;error_append_string = "</font>" ; string to output after an error message
-;error_log = filename ; log errors to specified file
-;error_log = syslog ; log errors to syslog (Event Log on NT, not valid in Windows 95)
-warn_plus_overloading = Off ; warn if the + operator is used with strings
-
-
-;;;;;;;;;;;;;;;;;
-; Data Handling ;
-;;;;;;;;;;;;;;;;;
-
-;arg_separator.output = "&amp;" ; The separator used in PHP generated URLs to separate arguments.
- ; Default is "&".
-
-;arg_separator.input = ";&" ; List of separator(s) used by PHP to parse input URLs into variables.
- ; Default is "&".
- ; NOTE: Every character in this directive is considered as separator!
-
-variables_order = "GPCS" ; This directive describes the order in which PHP registers
- ; GET, POST, Cookie, Environment and Built-in variables (G, P,
- ; C, E & S respectively, often referred to as EGPCS or GPC).
- ; Registration is done from left to right, newer values override
- ; older values.
-register_globals = Off ; Whether or not to register the EGPCS variables as global
- ; variables. You may want to turn this off if you don't want
- ; to clutter your scripts' global scope with user data. This makes
- ; most sense when coupled with track_vars - in which case you can
- ; access all of the GPC variables through the $HTTP_*_VARS[],
- ; variables.
-register_argc_argv = Off ; This directive tells PHP whether to declare the argv&argc
- ; variables (that would contain the GET information). If you
- ; don't use these variables, you should turn it off for
- ; increased performance (you should try not to use it anyway,
- ; for less likelihood of security bugs in your code).
-post_max_size = 8M ; Maximum size of POST data that PHP will accept.
-gpc_order = "GPC" ; This directive is deprecated. Use variables_order instead.
-
-; Magic quotes
-magic_quotes_gpc = Off ; magic quotes for incoming GET/POST/Cookie data
-magic_quotes_runtime= Off ; magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
-magic_quotes_sybase = Off ; Use Sybase-style magic quotes (escape ' with '' instead of \')
-
-; automatically add files before or after any PHP document
-auto_prepend_file =
-auto_append_file =
-
-; As of 4.0b4, PHP always outputs a character encoding by default in
-; the Content-type: header. To disable sending of the charset, simply
-; set it to be empty.
-; PHP's built-in default is text/html
-default_mimetype = "text/html"
-;default_charset = "iso-8859-1"
-
-;;;;;;;;;;;;;;;;;;;;;;;;;
-; Paths and Directories ;
-;;;;;;;;;;;;;;;;;;;;;;;;;
-include_path = ; UNIX: "/path1:/path2" Windows: "\path1;\path2"
-doc_root = ; the root of the php pages, used only if nonempty
-user_dir = ; the directory under which php opens the script using /~username, used only if nonempty
-extension_dir = ./ ; directory in which the loadable extensions (modules) reside
-enable_dl = On ; Whether or not to enable the dl() function.
- ; The dl() function does NOT properly work in multithreaded
- ; servers, such as IIS or Zeus, and is automatically disabled
- ; on them.
-
-
-;;;;;;;;;;;;;;;;
-; File Uploads ;
-;;;;;;;;;;;;;;;;
-file_uploads = On ; Whether to allow HTTP file uploads
-;upload_tmp_dir = ; temporary directory for HTTP uploaded files (will use system default if not specified)
-upload_max_filesize = 2M ; Maximum allowed size for uploaded files
-
-
-;;;;;;;;;;;;;;;;;;
-; Fopen wrappers ;
-;;;;;;;;;;;;;;;;;;
-allow_url_fopen = On ; Whether to allow the treatment of URLs (like http:// or ftp://) as files
-;from="john@doe.com" ; Define the anonymous ftp password (your email address)
-
-
-;;;;;;;;;;;;;;;;;;;;;;
-; Dynamic Extensions ;
-;;;;;;;;;;;;;;;;;;;;;;
-; if you wish to have an extension loaded automatically, use the
-; following syntax: extension=modulename.extension
-; for example, on windows,
-; extension=msql.dll
-; or under UNIX,
-; extension=msql.so
-; Note that it should be the name of the module only, no directory information
-; needs to go here. Specify the location of the extension with the extension_dir directive above.
-
-
-
-;Windows Extensions
-;Note that MySQL and ODBC support is now built in, so no dll is needed for it.
-;
-;extension=php_bz2.dll
-;extension=php_ctype.dll
-;extension=php_cpdf.dll
-;extension=php_curl.dll
-;extension=php_cybercash.dll
-;extension=php_db.dll
-;extension=php_dba.dll
-;extension=php_dbase.dll
-;extension=php_dbx.dll
-;extension=php_domxml.dll
-;extension=php_dotnet.dll
-;extension=php_exif.dll
-;extension=php_fbsql.dll
-;extension=php_fdf.dll
-;extension=php_filepro.dll
-;extension=php_gd.dll
-;extension=php_gettext.dll
-;extension=php_hyperwave.dll
-;extension=php_iconv.dll
-;extension=php_ifx.dll
-;extension=php_iisfunc.dll
-;extension=php_imap.dll
-;extension=php_ingres.dll
-;extension=php_interbase.dll
-;extension=php_java.dll
-;extension=php_ldap.dll
-;extension=php_mbstring.dll
-;extension=php_mcrypt.dll
-;extension=php_mhash.dll
-;extension=php_ming.dll
-;extension=php_mssql.dll
-;extension=php_oci8.dll
-;extension=php_openssl.dll
-;extension=php_oracle.dll
-;extension=php_pdf.dll
-;extension=php_pgsql.dll
-;extension=php_printer.dll
-;extension=php_sablot.dll
-;extension=php_shmop.dll
-;extension=php_snmp.dll
-;extension=php_sockets.dll
-;extension=php_sybase_ct.dll
-;extension=php_xslt.dll
-;extension=php_yaz.dll
-;extension=php_zlib.dll
-
-;;;;;;;;;;;;;;;;;;;
-; Module Settings ;
-;;;;;;;;;;;;;;;;;;;
-
-[Syslog]
-define_syslog_variables = Off ; Whether or not to define the various syslog variables,
- ; e.g. $LOG_PID, $LOG_CRON, etc. Turning it off is a
- ; good idea performance-wise. In runtime, you can define
- ; these variables by calling define_syslog_variables()
-
-
-[mail function]
-SMTP = localhost ;for win32 only
-sendmail_from = me@localhost.com ;for win32 only
-;sendmail_path = ;for unix only, may supply arguments as well (default is 'sendmail -t -i')
-
-[Debugger]
-debugger.host = localhost
-debugger.port = 7869
-debugger.enabled = False
-
-[Logging]
-; These configuration directives are used by the example logging mechanism.
-; See examples/README.logging for more explanation.
-;logging.method = db
-;logging.directory = /path/to/log/directory
-
-[Java]
-;java.class.path = .\php_java.jar
-;java.home = c:\jdk
-;java.library = c:\jdk\jre\bin\hotspot\jvm.dll
-;java.library.path = .\
-
-[SQL]
-sql.safe_mode = Off
-
-[ODBC]
-;odbc.default_db = Not yet implemented
-;odbc.default_user = Not yet implemented
-;odbc.default_pw = Not yet implemented
-odbc.allow_persistent = On ; allow or prevent persistent links
-odbc.check_persistent = On ; check that a connection is still validbefore reuse
-odbc.max_persistent = -1 ; maximum number of persistent links. -1 means no limit
-odbc.max_links = -1 ; maximum number of links (persistent+non persistent). -1 means no limit
-odbc.defaultlrl = 4096 ; Handling of LONG fields. Returns number of bytes to variables, 0 means passthru
-odbc.defaultbinmode = 1 ; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char
-; See the documentation on odbc_binmode and odbc_longreadlen for an explanation of uodbc.defaultlrl
-; and uodbc.defaultbinmode
-
-[MySQL]
-mysql.allow_persistent = On ; allow or prevent persistent link
-mysql.max_persistent = -1 ; maximum number of persistent links. -1 means no limit
-mysql.max_links = -1 ; maximum number of links (persistent+non persistent). -1 means no limit
-mysql.default_port = ; default port number for mysql_connect(). If unset,
- ; mysql_connect() will use the $MYSQL_TCP_PORT, or the mysql-tcp
- ; entry in /etc/services, or the compile-time defined MYSQL_PORT
- ; (in that order). Win32 will only look at MYSQL_PORT.
-mysql.default_socket = ; default socket name for local MySQL connects. If empty, uses the built-in
- ; MySQL defaults
-mysql.default_host = ; default host for mysql_connect() (doesn't apply in safe mode)
-mysql.default_user = ; default user for mysql_connect() (doesn't apply in safe mode)
-mysql.default_password = ; default password for mysql_connect() (doesn't apply in safe mode)
- ; Note that this is generally a *bad* idea to store passwords
- ; in this file. *Any* user with PHP access can run
- ; 'echo cfg_get_var("mysql.default_password")' and reveal that
- ; password! And of course, any users with read access to this
- ; file will be able to reveal the password as well.
-
-[mSQL]
-msql.allow_persistent = On ; allow or prevent persistent link
-msql.max_persistent = -1 ; maximum number of persistent links. -1 means no limit
-msql.max_links = -1 ; maximum number of links (persistent+non persistent). -1 means no limit
-
-[PostgresSQL]
-pgsql.allow_persistent = On ; allow or prevent persistent link
-pgsql.max_persistent = -1 ; maximum number of persistent links. -1 means no limit
-pgsql.max_links = -1 ; maximum number of links (persistent+non persistent). -1 means no limit
-
-[Sybase]
-sybase.allow_persistent = On ; allow or prevent persistent link
-sybase.max_persistent = -1 ; maximum number of persistent links. -1 means no limit
-sybase.max_links = -1 ; maximum number of links (persistent+non persistent). -1 means no limit
-;sybase.interface_file = "/usr/sybase/interfaces"
-sybase.min_error_severity = 10 ; minimum error severity to display
-sybase.min_message_severity = 10 ; minimum message severity to display
-sybase.compatability_mode = Off ; compatability mode with old versions of PHP 3.0.
- ; If on, this will cause PHP to automatically assign types to results
- ; according to their Sybase type, instead of treating them all as
- ; strings. This compatability mode will probably not stay around
- ; forever, so try applying whatever necessary changes to your code,
- ; and turn it off.
-
-[Sybase-CT]
-sybct.allow_persistent = On ; allow or prevent persistent link
-sybct.max_persistent = -1 ; maximum number of persistent links. -1 means no limit
-sybct.max_links = -1 ; maximum number of links (persistent+non persistent). -1 means no limit
-sybct.min_server_severity = 10 ; minimum server message severity to display
-sybct.min_client_severity = 10 ; minimum client message severity to display
-
-[bcmath]
-bcmath.scale = 0 ; number of decimal digits for all bcmath functions
-
-[browscap]
-;browscap = extra/browscap.ini
-
-[Informix]
-ifx.default_host = ; default host for ifx_connect() (doesn't apply in safe mode)
-ifx.default_user = ; default user for ifx_connect() (doesn't apply in safe mode)
-ifx.default_password = ; default password for ifx_connect() (doesn't apply in safe mode)
-ifx.allow_persistent = On ; allow or prevent persistent link
-ifx.max_persistent = -1 ; maximum number of persistent links. -1 means no limit
-ifx.max_links = -1 ; maximum number of links (persistent+non persistent). -1 means no limit
-ifx.textasvarchar = 0 ; if set on, select statements return the contents of a text blob instead of it's id
-ifx.byteasvarchar = 0 ; if set on, select statements return the contents of a byte blob instead of it's id
-ifx.charasvarchar = 0 ; trailing blanks are stripped from fixed-length char columns. May help the life
- ; of Informix SE users.
-ifx.blobinfile = 0 ; if set on, the contents of text&byte blobs are dumped to a file instead of
- ; keeping them in memory
-ifx.nullformat = 0 ; NULL's are returned as empty strings, unless this is set to 1. In that case,
- ; NULL's are returned as string 'NULL'.
-
-[Session]
-session.save_handler = files ; handler used to store/retrieve data
-session.save_path = /tmp ; argument passed to save_handler
- ; in the case of files, this is the
- ; path where data files are stored
-session.use_cookies = 1 ; whether to use cookies
-session.name = PHPSESSID
- ; name of the session
- ; is used as cookie name
-session.auto_start = 0 ; initialize session on request startup
-session.cookie_lifetime = 0 ; lifetime in seconds of cookie
- ; or if 0, until browser is restarted
-session.cookie_path = / ; the path the cookie is valid for
-session.cookie_domain = ; the domain the cookie is valid for
-session.serialize_handler = php ; handler used to serialize data
- ; php is the standard serializer of PHP
-session.gc_probability = 1 ; percentual probability that the
- ; 'garbage collection' process is started
- ; on every session initialization
-session.gc_maxlifetime = 1440 ; after this number of seconds, stored
- ; data will be seen as 'garbage' and
- ; cleaned up by the gc process
-session.referer_check = ; check HTTP Referer to invalidate
- ; externally stored URLs containing ids
-session.entropy_length = 0 ; how many bytes to read from the file
-session.entropy_file = ; specified here to create the session id
-; session.entropy_length = 16
-; session.entropy_file = /dev/urandom
-session.cache_limiter = nocache ; set to {nocache,private,public} to
- ; determine HTTP caching aspects
-session.cache_expire = 180 ; document expires after n minutes
-session.use_trans_sid = 1 ; use transient sid support if enabled
- ; by compiling with --enable-trans-sid
-
-url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
-
-[MSSQL]
-mssql.allow_persistent = On ; allow or prevent persistent link
-mssql.max_persistent = -1 ; maximum number of persistent links. -1 means no limit
-mssql.max_links = -1 ; maximum number of links (persistent+non persistent). -1 means no limit
-mssql.min_error_severity = 10 ; minimum error severity to display
-mssql.min_message_severity = 10 ; minimum message severity to display
-mssql.compatability_mode = Off ; compatability mode with old versions of PHP 3.0.
-;mssql.textlimit = 4096 ; valid range 0 - 2147483647 default = 4096
-;mssql.textsize = 4096 ; valid range 0 - 2147483647 default = 4096
-;mssql.batchsize = 0 ; limits the number of records in each batch. 0 = all records in one batch.
-
-[Assertion]
-;assert.active = Off ; assert(expr); does nothing by default
-;assert.warning = On ; issue a PHP warning for each failed assertion.
-;assert.bail = Off ; don't bail out by default.
-;assert.callback = 0 ; user-function to be called if an assertion fails.
-;assert.quiet_eval = 0 ; eval the expression with current error_reporting(). set to true if you want error_reporting(0) around the eval().
-
-[Ingres II]
-ingres.allow_persistent = On ; allow or prevent persistent link
-ingres.max_persistent = -1 ; maximum number of persistent links. (-1 means no limit)
-ingres.max_links = -1 ; maximum number of links, including persistents (-1 means no limit)
-ingres.default_database = ; default database (format : [node_id::]dbname[/srv_class]
-ingres.default_user = ; default user
-ingres.default_password = ; default password
-
-[Verisign Payflow Pro]
-pfpro.defaulthost = "test.signio.com" ; default Signio server
-pfpro.defaultport = 443 ; default port to connect to
-pfpro.defaulttimeout = 30 ; default timeout in seconds
-
-; pfpro.proxyaddress = ; default proxy IP address (if required)
-; pfpro.proxyport = ; default proxy port
-; pfpro.proxylogon = ; default proxy logon
-; pfpro.proxypassword = ; default proxy password
-
-[Sockets]
-sockets.use_system_read = Off ; Use the system read() function instead of
- ; the php_read() wrapper.
-[com]
-;com.allow_dcom = true ; allow Distributed-COM calls
-;com.typelib_file = ; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
-;com.autoregister_typelib = true
-;com.autoregister_casesensitive = false
-;com.autoregister_verbose = true
-
-[Printer]
-;printer.default_printer = ""
-
-[mbstring]
-;mbstring.internal_encoding = EUC-JP
-;mbstring.http_input = auto
-;mbstring.http_output = SJIS
-;mbstring.detect_order = auto
-;mbstring.substitute_character = none;
-
-[FrontBase]
-;fbsql.allow_persistant = On
-;fbsql.autocommit = On
-;fbsql.default_database =
-;fbsql.default_database_password =
-;fbsql.default_host =
-;fbsql.default_password =
-;fbsql.default_user = "_SYSTEM"
-;fbsql.generate_warnings = Off
-;fbsql.max_connections = 128
-;fbsql.max_links = 128
-;fbsql.max_persistent = -1
-;fbsql.max_results = 128
-;fbsql.mbatchSize = 1000
-
-; Local Variables:
-; tab-width: 4
-; End:
diff --git a/php.ini-recommended b/php.ini-recommended
index c627b47e66..1e40d06e06 100644
--- a/php.ini-recommended
+++ b/php.ini-recommended
@@ -4,7 +4,11 @@
; About this file ;
;;;;;;;;;;;;;;;;;;;
;
-; This is the 'optimized', PHP 4-style version of the php.ini-dist file.
+; This is the recommended, PHP 4-style version of the php.ini-dist file. It
+; sets some non standard settings, that make PHP more efficient and more secure.
+; The price is that with these settings, PHP may be incompatible with some
+; applications. Using this file is warmly recommended for production sites.
+;
; For general information about the php.ini file, please consult the php.ini-dist
; file, included in your PHP distribution.
;
@@ -14,26 +18,44 @@
; PHP 3. Please make sure you read what's different, and modify your scripts
; accordingly, if you decide to use this file instead.
;
-; - allow_call_time_pass_reference = Off
-; It's not possible to decide to force a variable to be passed by reference
-; when calling a function. The PHP 4 style to do this is by making the
-; function require the relevant argument by reference.
-; - register_globals = Off
+; - register_globals = Off [Security, Performance]
; Global variables are no longer registered for input data (POST, GET, cookies,
; environment and other server variables). Instead of using $foo, you must use
-; $HTTP_POST_VARS["foo"], $HTTP_GET_VARS["foo"], $HTTP_COOKIE_VARS["foo"],
-; $HTTP_ENV_VARS["foo"] or $HTTP_SERVER_VARS["foo"], depending on which kind
-; of input source you're expecting 'foo' to come from.
-; - register_argc_argv = Off
+; you can use $_REQUEST["foo"] (includes any variable that arrives through the
+; request, namely, POST, GET and cookie variables), or use one of the specific
+; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
+; on where the input originates.
+; Note that register_globals is going to be depracated (i.e., turned off by
+; default) in the next version of PHP, because it often leads to security bugs.
+; Read http://php.net/manual/en/security.registerglobals.php for further
+; information.
+; - display_errors = Off [Security]
+; With this directive set to off, errors that occur during the execution of
+; scripts will no longer be displayed as a part of the script output, and thus,
+; will no longer be exposed to remote users. With some errors, the error message
+; content may expose information about your script, web server, or database
+; server that may be exploitable for hacking. Production sites should have this
+; directive set to off.
+; - log_errors = On [Security]
+; This directive complements the above one. Any errors that occur during the
+; execution of your script will be logged (typically, to your server's error log,
+; but can be configured in several ways). Along with setting display_errors to off,
+; this setup gives you the ability to fully understand what may have gone wrong,
+; without exposing any sensitive information to remote users.
+; - register_argc_argv = Off [Performance]
; Disables registration of the somewhat redundant $argv and $argc global
; variables.
-; - magic_quotes_gpc = Off
+; - magic_quotes_gpc = Off [Performance]
; Input data is no longer escaped with slashes so that it can be sent into
; SQL databases without further manipulation. Instead, you should use the
; function addslashes() on each input element you wish to send to a database.
-; - variables_order = "GPCS"
+; - variables_order = "GPCS" [Performance]
; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
; environment variables, you can use getenv() instead.
+; - allow_call_time_pass_reference = Off [Code cleanliness]
+; It's not possible to decide to force a variable to be passed by reference
+; when calling a function. The PHP 4 style to do this is by making the
+; function require the relevant argument by reference.
;;;;;;;;;;;;;;;;;;;;
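Review bot: The rewritten register_globals paragraph recommends $_REQUEST["foo"] before the source-specific arrays, yet $_REQUEST merges GET, POST and cookie values, so a script reading it cannot tell where a value came from, and per the left-to-right precedence variables_order describes elsewhere in this file one source can silently override another. For a paragraph that is the security guidance of a production-oriented file, I would reverse the emphasis: `; prefer $_GET["foo"], $_POST["foo"] or $_COOKIE["foo"] when the source matters, and use $_REQUEST["foo"] only when any source is acceptable.` Separately, the sentence beginning 'Note that register_globals is going to be depracated' has a typo (`deprecated`) and conflates deprecation with a default change; 'disabled by default' is what the parenthetical actually says, so `; Note that register_globals is going to be disabled by default in the next version of PHP,` states it plainly.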
@@ -167,7 +189,7 @@ memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)
; error_reporting = E_ALL & ~E_NOTICE ; show all errors, except for notices
; error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR ; show only errors
error_reporting = E_ALL & ~E_NOTICE ; Show all errors except for notices
-display_errors = On ; Print out errors (as a part of the output)
+display_errors = Off ; Print out errors (as a part of the output)
; For production web sites, you're strongly encouraged
; to turn this feature off, and use error logging instead (see below).
; Keeping display_errors enabled on a production web site may reveal
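Review bot: The display_errors value is now Off, but the inline comment on the same line still reads `Print out errors (as a part of the output)` and the context lines that follow still urge the reader to 'turn this feature off', which now describes the opposite of the file's state. Make the line document the value it carries, e.g. `display_errors = Off ; Do not print errors as a part of the output (see log_errors below)`, and rephrase the paragraph below as an explanation of why Off is the production choice rather than a request to change it. The rest of the error-handling section is outside this hunk.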
@@ -177,7 +199,7 @@ display_startup_errors = Off ; Even when display_errors is on, errors that occu
; PHP's startup sequence are not displayed. It's strongly
; recommended to keep display_startup_errors off, except for
; when debugging.
-log_errors = Off ; Log errors into a log file (server-specific log, stderr, or error_log (below))
+log_errors = On ; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
track_errors = Off ; Store the last error/warning message in $php_errormsg (boolean)
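Review bot: log_errors is switched On here, but nothing in this hunk sets error_log, so where the messages end up is left to the SAPI, as the inline comment's 'server-specific log, stderr, or error_log (below)' admits. With display_errors now Off in the hunk above, this log is the only place errors become visible at all, so the destination is part of the security story rather than a detail. Either set an explicit path or add a comment right here telling the reader to choose one, e.g. `; With display_errors Off, error_log (below) is the only place errors surface; point it at a file the web server can write to but that is not under the document root.` I am assuming the error_log directives further down remain commented out as in the pre-commit file; they are outside this hunk.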