1 --- php-5.2.0/php.ini 2006-11-03 01:27:56.372110952 +0200
2 +++ php-5.2.0/php.ini 2006-11-03 01:30:12.215164639 +0200
7 -; This is the default settings file for new PHP installations.
8 -; By default, PHP installs itself with a configuration suitable for
9 -; development purposes, and *NOT* for production purposes.
10 -; For several security-oriented considerations that should be taken
11 -; before going online with your site, please consult php.ini-recommended
12 -; and http://php.net/manual/en/security.php.
14 +; This is the default settings file for new PHP installations from
15 +; PLD Linux Distribution.
16 +; It's based mainly on php.ini-dist, but with some changes made with
17 +; security in mind (see below, consult also
18 +; http://php.net/manual/en/security.php).
20 +; Please note, that in PLD installations /etc/php/php.ini file
21 +; contains global settings for all SAPIs (cgi, cli, apache...),
22 +; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
23 +; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
24 +; (so you don't have to duplicate whole large file to override only
32 -; All the values in the php.ini-dist file correspond to the builtin
33 -; defaults (that is, if no php.ini is used, or if you delete these lines,
34 -; the builtin defaults will be identical).
35 +; If you use constants in your value, and these constants belong to a
36 +; dynamically loaded extension (either a PHP extension or a Zend extension),
37 +; you may only use these constants *after* the line that loads the extension.
40 +; Below is the list of settings changed from default as specified in
41 +; php.ini-recommended. These settings make PHP more secure and encourage
43 +; The price is that with these settings, PHP may be incompatible with some old
44 +; or bad-written applications, and sometimes, more difficult to develop with.
45 +; Using this settings is warmly recommended for production sites. As all of
46 +; the changes from the standard settings are thoroughly documented, you can
47 +; go over each one, and decide whether you want to use it or not.
49 +; - register_globals = Off [Security, Performance]
50 +; Global variables are no longer registered for input data (POST, GET, cookies,
51 +; environment and other server variables). Instead of using $foo, you must use
52 +; you can use $_REQUEST["foo"] (includes any variable that arrives through the
53 +; request, namely, POST, GET and cookie variables), or use one of the specific
54 +; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
55 +; on where the input originates. Also, you can look at the
56 +; import_request_variables() function.
57 +; Note that register_globals = Off is the default setting since PHP 4.2.0.
58 +; - display_errors = Off [Security]
59 +; With this directive set to off, errors that occur during the execution of
60 +; scripts will no longer be displayed as a part of the script output, and thus,
61 +; will no longer be exposed to remote users. With some errors, the error message
62 +; content may expose information about your script, web server, or database
63 +; server that may be exploitable for hacking. Production sites should have this
64 +; directive set to off.
65 +; - log_errors = On [Security]
66 +; This directive complements the above one. Any errors that occur during the
67 +; execution of your script will be logged (typically, to your server's error log,
68 +; but can be configured in several ways). Along with setting display_errors to off,
69 +; this setup gives you the ability to fully understand what may have gone wrong,
70 +; without exposing any sensitive information to remote users.
71 +; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
72 +; By default, PHP surpresses errors of type E_NOTICE. These error messages
73 +; are emitted for non-critical errors, but that could be a symptom of a bigger
74 +; problem. Most notably, this will cause error messages about the use
75 +; of uninitialized variables to be displayed.
76 +; - register_argc_argv = Off [Performance]
77 +; Disables registration of the somewhat redundant $argv and $argc global
79 +; - magic_quotes_gpc = Off [Performance]
80 +; Input data is no longer escaped with slashes so that it can be sent into
81 +; SQL databases without further manipulation. Instead, you should use the
82 +; function addslashes() on each input element you wish to send to a database.
83 +; - variables_order = "GPCS" [Performance]
84 +; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
85 +; environment variables, you can use getenv() instead.
87 +; For completeness, below is list of the rest of changes recommended for
88 +; performance, but NOT applied in default php.ini in PLD (since they are
89 +; not needed for security or may cause problems with some applications
90 +; more likely than above).
92 +; - output_buffering = 4096 [Performance]
93 +; Set a 4KB output buffer. Enabling output buffering typically results in less
94 +; writes, and sometimes less packets sent on the wire, which can often lead to
95 +; better performance. The gain this directive actually yields greatly depends
96 +; on which Web server you're working with, and what kind of scripts you're using.
97 +; - allow_call_time_pass_reference = Off [Code cleanliness]
98 +; It's not possible to decide to force a variable to be passed by reference
99 +; when calling a function. The PHP 4 style to do this is by making the
100 +; function require the relevant argument by reference.
107 ; The number of significant digits displayed in floating point numbers.
111 ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
114 ; (e.g. by adding its signature to the Web server header). It is no security
115 ; threat in any way, but it makes it possible to determine whether you use PHP
116 ; on your server or not.
123 ; Log errors into a log file (server-specific log, stderr, or error_log (below))
124 ; As stated above, you're strongly advised to use error logging in place of
125 ; error displaying on production web sites.
129 ; Set maximum length of log_errors. In error_log information about the source is
130 ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
133 ; Disable the inclusion of HTML tags in error messages.
134 ; Note: Never use this feature for production boxes.
138 ; If html_errors is set On PHP produces clickable error messages that direct
139 ; to a page describing the error or function causing the error in detail.
141 ; Environment and Built-in variables (G, P, C, E & S respectively, often
142 ; referred to as EGPCS or GPC). Registration is done from left to right, newer
143 ; values override older values.
144 -variables_order = "EGPCS"
145 +variables_order = "GPCS"
147 ; Whether or not to register the EGPCS variables as global variables. You may
148 ; want to turn this off if you don't want to clutter your scripts' global scope
149 @@ -405,12 +474,12 @@
150 ; Whether or not to register the old-style input arrays, HTTP_GET_VARS
151 ; and friends. If you're not using them, it's recommended to turn them off,
152 ; for performance reasons.
153 -register_long_arrays = On
154 +register_long_arrays = Off
156 ; This directive tells PHP whether to declare the argv&argc variables (that
157 ; would contain the GET information). If you don't use these variables, you
158 ; should turn it off for increased performance.
159 -register_argc_argv = On
160 +register_argc_argv = Off
162 ; When enabled, the SERVER and ENV variables are created when they're first
163 ; used (Just In Time) instead of when the script starts. If these variables
167 ; Magic quotes for incoming GET/POST/Cookie data.
168 -magic_quotes_gpc = On
169 +magic_quotes_gpc = Off
171 ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
172 magic_quotes_runtime = Off
176 ; Directory in which the loadable extensions (modules) reside.
177 -extension_dir = "./"
178 +extension_dir = "/usr/lib/php"
180 ; Whether or not to enable the dl() function. The dl() function does NOT work
181 ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
183 ; needs to go here. Specify the location of the extension with the
184 ; extension_dir directive above.
187 -; Windows Extensions
188 -; Note that ODBC support is built in, so no dll is needed for it.
189 -; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
190 -; extension folders as well as the separate PECL DLL download (PHP 5).
191 -; Be sure to appropriately set the extension_dir directive.
193 -;extension=php_bz2.dll
194 -;extension=php_curl.dll
195 -;extension=php_dba.dll
196 -;extension=php_dbase.dll
197 -;extension=php_exif.dll
198 -;extension=php_fdf.dll
199 -;extension=php_gd2.dll
200 -;extension=php_gettext.dll
201 -;extension=php_gmp.dll
202 -;extension=php_ifx.dll
203 -;extension=php_imap.dll
204 -;extension=php_interbase.dll
205 -;extension=php_ldap.dll
206 -;extension=php_mbstring.dll
207 -;extension=php_mcrypt.dll
208 -;extension=php_mhash.dll
209 -;extension=php_mime_magic.dll
210 -;extension=php_ming.dll
211 -;extension=php_msql.dll
212 -;extension=php_mssql.dll
213 -;extension=php_mysql.dll
214 -;extension=php_mysqli.dll
215 -;extension=php_oci8.dll
216 -;extension=php_openssl.dll
217 -;extension=php_pdo.dll
218 -;extension=php_pdo_firebird.dll
219 -;extension=php_pdo_mssql.dll
220 -;extension=php_pdo_mysql.dll
221 -;extension=php_pdo_oci.dll
222 -;extension=php_pdo_oci8.dll
223 -;extension=php_pdo_odbc.dll
224 -;extension=php_pdo_pgsql.dll
225 -;extension=php_pdo_sqlite.dll
226 -;extension=php_pgsql.dll
227 -;extension=php_pspell.dll
228 -;extension=php_shmop.dll
229 -;extension=php_snmp.dll
230 -;extension=php_soap.dll
231 -;extension=php_sockets.dll
232 -;extension=php_sqlite.dll
233 -;extension=php_sybase_ct.dll
234 -;extension=php_tidy.dll
235 -;extension=php_xmlrpc.dll
236 -;extension=php_xsl.dll
237 -;extension=php_zip.dll
246 -;browscap = extra/browscap.ini
247 +browscap = /etc/php/browscap.ini
250 ; Default host for ifx_connect() (doesn't apply in safe mode).
251 @@ -1205,7 +1232,7 @@
252 ; Enables or disables WSDL caching feature.
253 soap.wsdl_cache_enabled=1
254 ; Sets the directory name where SOAP extension will put cache files.
255 -soap.wsdl_cache_dir="/tmp"
256 +soap.wsdl_cache_dir="/var/run/php"
257 ; (time to live) Sets the number of second while cached file will be used
258 ; instead of original one.
259 soap.wsdl_cache_ttl=86400
260 --- php-5.2.4/php.ini~ 2007-08-31 19:31:20.000000000 +0300
261 +++ php-5.2.4/php.ini 2007-08-31 19:34:05.889031779 +0300
264 ; - Show all errors except for notices and coding standards warnings
266 -error_reporting = E_ALL & ~E_NOTICE
267 +;error_reporting = E_ALL & ~E_NOTICE
269 +error_reporting = E_ALL
271 ; Print out errors (as a part of the output). For production web sites,
272 ; you're strongly encouraged to turn this feature off, and use error logging
275 ; stdout (On) - Display errors to STDOUT
278 +display_errors = Off
280 ; Even when display_errors is on, errors that occur during PHP's startup
281 ; sequence are not displayed. It's strongly recommended to keep
282 --- php-5.2.4/php.ini~ 2007-09-05 19:34:32.000000000 +0300
283 +++ php-5.2.4/php.ini 2007-09-05 19:34:34.110706458 +0300
288 -; cgi.force_redirect is necessary to provide security running PHP as a CGI under
289 -; most web servers. Left undefined, PHP turns this on by default. You can
290 -; turn it off here AT YOUR OWN RISK
291 -; **You CAN safely turn this off for IIS, in fact, you MUST.**
292 -; cgi.force_redirect = 1
294 -; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
298 -; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
299 -; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
300 -; will look for to know it is OK to continue execution. Setting this variable MAY
301 -; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
302 -; cgi.redirect_status_env = ;
304 -; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
305 -; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
306 -; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
307 -; this to 1 will cause PHP CGI to fix it's paths to conform to the spec. A setting
308 -; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
309 -; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
310 -; cgi.fix_pathinfo=0
312 -; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
313 -; security tokens of the calling client. This allows IIS to define the
314 -; security context that the request runs under. mod_fastcgi under Apache
315 -; does not currently support this feature (03/17/2002)
316 -; Set to 1 if running under IIS. Default is zero.
317 -; fastcgi.impersonate = 1;
319 -; Disable logging through FastCGI connection
320 -; fastcgi.logging = 0
322 -; cgi.rfc2616_headers configuration option tells PHP what type of headers to
323 -; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
324 -; is supported by Apache. When this option is set to 1 PHP will send
325 -; RFC2616 compliant header.
327 -;cgi.rfc2616_headers = 0