-@@ -54,12 +60,70 @@
- ; If you use constants in your value, and these constants belong to a
- ; dynamically loaded extension (either a PHP extension or a Zend extension),
- ; you may only use these constants *after* the line that loads the extension.
--;
--; All the values in the php.ini-dist file correspond to the builtin
--; defaults (that is, if no php.ini is used, or if you delete these lines,
--; the builtin defaults will be identical).
-
-
-+; Below is the list of settings changed from default as specified in
-+; php.ini-recommended. These settings make PHP more secure and encourage
-+; cleaner coding.
-+; The price is that with these settings, PHP may be incompatible with some old
-+; or bad-written applications, and sometimes, more difficult to develop with.
-+; Using this settings is warmly recommended for production sites. As all of
-+; the changes from the standard settings are thoroughly documented, you can
-+; go over each one, and decide whether you want to use it or not.
-+;
-+; - register_globals = Off [Security, Performance]
-+; Global variables are no longer registered for input data (POST, GET, cookies,
-+; environment and other server variables). Instead of using $foo, you must use
-+; you can use $_REQUEST["foo"] (includes any variable that arrives through the
-+; request, namely, POST, GET and cookie variables), or use one of the specific
-+; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
-+; on where the input originates. Also, you can look at the
-+; import_request_variables() function.
-+; Note that register_globals = Off is the default setting since PHP 4.2.0.
-+; - display_errors = Off [Security]
-+; With this directive set to off, errors that occur during the execution of
-+; scripts will no longer be displayed as a part of the script output, and thus,
-+; will no longer be exposed to remote users. With some errors, the error message
-+; content may expose information about your script, web server, or database
-+; server that may be exploitable for hacking. Production sites should have this
-+; directive set to off.
-+; - log_errors = On [Security]
-+; This directive complements the above one. Any errors that occur during the
-+; execution of your script will be logged (typically, to your server's error log,
-+; but can be configured in several ways). Along with setting display_errors to off,
-+; this setup gives you the ability to fully understand what may have gone wrong,
-+; without exposing any sensitive information to remote users.
-+; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
-+; By default, PHP surpresses errors of type E_NOTICE. These error messages
-+; are emitted for non-critical errors, but that could be a symptom of a bigger
-+; problem. Most notably, this will cause error messages about the use
-+; of uninitialized variables to be displayed.
-+
-+; For completeness, below is list of the rest of changes recommended for
-+; performance, but NOT applied in default php.ini in PLD (since they are
-+; not needed for security or may cause problems with some applications
-+; more likely than above).
-+
-+; - output_buffering = 4096 [Performance]
-+; Set a 4KB output buffer. Enabling output buffering typically results in less
-+; writes, and sometimes less packets sent on the wire, which can often lead to
-+; better performance. The gain this directive actually yields greatly depends
-+; on which Web server you're working with, and what kind of scripts you're using.
-+; - register_argc_argv = Off [Performance]
-+; Disables registration of the somewhat redundant $argv and $argc global
-+; variables.
-+; - magic_quotes_gpc = Off [Performance]
-+; Input data is no longer escaped with slashes so that it can be sent into
-+; SQL databases without further manipulation. Instead, you should use the
-+; function addslashes() on each input element you wish to send to a database.
-+; - variables_order = "GPCS" [Performance]
-+; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
-+; environment variables, you can use getenv() instead.
-+; - allow_call_time_pass_reference = Off [Code cleanliness]
-+; It's not possible to decide to force a variable to be passed by reference
-+; when calling a function. The PHP 4 style to do this is by making the
-+; function require the relevant argument by reference.
-+
- ;;;;;;;;;;;;;;;;;;;;
- ; Language Options ;
- ;;;;;;;;;;;;;;;;;;;;
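Review bot: This hunk removes the entire explanatory block for the security-relevant settings (register_globals, display_errors, log_errors, error_reporting) and the performance notes that follow it, with nothing replacing them; if that text now lives upstream or in another file the commit message should say where, otherwise the rationale for these hardening defaults is lost to anyone reading the shipped php.ini. If the block is kept or re-applied elsewhere, fix the garbled sentence in the register_globals paragraph ("Instead of using $foo, you must use you can use $_REQUEST["foo"]" should read "Instead of using $foo, you can use $_REQUEST["foo"]"), the typos "surpresses" and "bad-written", and "Using this settings" (should be "these settings"). The magic_quotes_gpc paragraph's advice to call addslashes() on every input is also weaker than recommending the database driver's own escaping function or parameterised queries, so that sentence is worth revising if the text survives anywhere.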
-@@ -79,7 +143,7 @@
- asp_tags = Off