-diff -urN php-4.2.2/php.ini php-4.2.2.orig/php.ini
---- php-4.2.2/php.ini Thu Aug 1 11:15:29 2002
-+++ php-4.2.2.orig/php.ini Thu Aug 1 11:07:28 2002
-@@ -74,7 +74,7 @@
+diff -burN php-5.0.0b3/php.ini-dist php-5.0.0b3-php.ini/php.ini-dist
+--- php-5.0.0b3/php.ini-dist 2003-12-18 03:06:00.000000000 +0100
++++ php-5.0.0b3-php.ini/php.ini 2003-12-27 00:29:41.000000000 +0100
+@@ -3,13 +3,18 @@
+ ;;;;;;;;;;;
+ ; WARNING ;
+ ;;;;;;;;;;;
+-; This is the default settings file for new PHP installations.
+-; By default, PHP installs itself with a configuration suitable for
+-; development purposes, and *NOT* for production purposes.
+-; For several security-oriented considerations that should be taken
+-; before going online with your site, please consult php.ini-recommended
+-; and http://php.net/manual/en/security.php.
+-
++; This is the default settings file for new PHP installations from
++; PLD Linux Distribution.
++; It's based mainly on php.ini-dist, but with some changes made with
++; security in mind (see below, consult also
++; http://php.net/manual/en/security.php).
++;
++; Please note, that in PLD installations /etc/php/php.ini file
++; contains global settings for all SAPIs (cgi, cli, apache...),
++; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
++; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
++; (so you don't have to duplicate whole large file to override only
++; few options)
+
+ ;;;;;;;;;;;;;;;;;;;
+ ; About this file ;
+@@ -54,10 +59,69 @@
+ ; If you use constants in your value, and these constants belong to a
+ ; dynamically loaded extension (either a PHP extension or a Zend extension),
+ ; you may only use these constants *after* the line that loads the extension.
+-;
+-; All the values in the php.ini-dist file correspond to the builtin
+-; defaults (that is, if no php.ini is used, or if you delete these lines,
+-; the builtin defaults will be identical).
++
++
++; Below is the list of settings changed from default as specified in
++; php.ini-recommended. These settings make PHP more secure and encourage
++; cleaner coding.
++; The price is that with these settings, PHP may be incompatible with some old
++; or bad-written applications, and sometimes, more difficult to develop with.
++; Using this settings is warmly recommended for production sites. As all of
++; the changes from the standard settings are thoroughly documented, you can
++; go over each one, and decide whether you want to use it or not.
++;
++; - register_globals = Off [Security, Performance]
++; Global variables are no longer registered for input data (POST, GET, cookies,
++; environment and other server variables). Instead of using $foo, you must use
++; you can use $_REQUEST["foo"] (includes any variable that arrives through the
++; request, namely, POST, GET and cookie variables), or use one of the specific
++; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
++; on where the input originates. Also, you can look at the
++; import_request_variables() function.
++; Note that register_globals = Off is the default setting since PHP 4.2.0.
++; - display_errors = Off [Security]
++; With this directive set to off, errors that occur during the execution of
++; scripts will no longer be displayed as a part of the script output, and thus,
++; will no longer be exposed to remote users. With some errors, the error message
++; content may expose information about your script, web server, or database
++; server that may be exploitable for hacking. Production sites should have this
++; directive set to off.
++; - log_errors = On [Security]
++; This directive complements the above one. Any errors that occur during the
++; execution of your script will be logged (typically, to your server's error log,
++; but can be configured in several ways). Along with setting display_errors to off,
++; this setup gives you the ability to fully understand what may have gone wrong,
++; without exposing any sensitive information to remote users.
++; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
++; By default, PHP surpresses errors of type E_NOTICE. These error messages
++; are emitted for non-critical errors, but that could be a symptom of a bigger
++; problem. Most notably, this will cause error messages about the use
++; of uninitialized variables to be displayed.
++
++; For completeness, below is list of the rest of changes recommended for
++; performance, but NOT applied in default php.ini in PLD (since they are
++; not needed for security or may cause problems with some applications
++; more likely than above).
++
++; - output_buffering = 4096 [Performance]
++; Set a 4KB output buffer. Enabling output buffering typically results in less
++; writes, and sometimes less packets sent on the wire, which can often lead to
++; better performance. The gain this directive actually yields greatly depends
++; on which Web server you're working with, and what kind of scripts you're using.
++; - register_argc_argv = Off [Performance]
++; Disables registration of the somewhat redundant $argv and $argc global
++; variables.
++; - magic_quotes_gpc = Off [Performance]
++; Input data is no longer escaped with slashes so that it can be sent into
++; SQL databases without further manipulation. Instead, you should use the
++; function addslashes() on each input element you wish to send to a database.
++; - variables_order = "GPCS" [Performance]
++; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
++; environment variables, you can use getenv() instead.
++; - allow_call_time_pass_reference = Off [Code cleanliness]
++; It's not possible to decide to force a variable to be passed by reference
++; when calling a function. The PHP 4 style to do this is by making the
++; function require the relevant argument by reference.
+
+
+ ;;;;;;;;;;;;;;;;;;;;
+@@ -79,7 +143,7 @@
asp_tags = Off
; The number of significant digits displayed in floating point numbers.
--precision = 14
-+precision = 12
+-precision = 12
++precision = 14
; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
- y2k_compliance = Off
-@@ -371,7 +371,7 @@
+ y2k_compliance = On
+@@ -270,14 +334,14 @@
+ ;
+ ; - Show all errors except for notices and coding standards warnings
+ ;
+-error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT
++error_reporting = E_ALL
+
+ ; Print out errors (as a part of the output). For production web sites,
+ ; you're strongly encouraged to turn this feature off, and use error logging
+ ; instead (see below). Keeping display_errors enabled on a production web site
+ ; may reveal security information to end users, such as file paths on your Web
+ ; server, your database schema or other information.
+-display_errors = On
++display_errors = Off
+
+ ; Even when display_errors is on, errors that occur during PHP's startup
+ ; sequence are not displayed. It's strongly recommended to keep
+@@ -435,7 +499,7 @@
user_dir =
; Directory in which the loadable extensions (modules) reside.
--extension_dir = /usr/lib/php
-+extension_dir = ./
+-extension_dir = "./"
++extension_dir = "/usr/lib/php"
; Whether or not to enable the dl() function. The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -692,7 +692,7 @@
- ; Argument passed to save_handler. In the case of files, this is the path
- ; where data files are stored. Note: Windows users have to change this
- ; variable in order to use PHP's session functions.
--session.save_path = /var/run/php
-+session.save_path = /tmp
-
- ; Whether to use cookies.
- session.use_cookies = 1