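--- php-4.3.0/php.ini-dist Thu Dec 26 14:27:08 2002
+++ php-4.3.0/php.ini Sat Jan 4 21:01:55 2003
@@ -3,12 +3,18 @@
 ;;;;;;;;;;;
 ; WARNING ;
 ;;;;;;;;;;;
-; This is the default settings file for new PHP installations.
-; By default, PHP installs itself with a configuration suitable for
-; development purposes, and *NOT* for production purposes.
-; For several security-oriented considerations that should be taken
-; before going online with your site, please consult php.ini-recommended
-; and http://php.net/manual/en/security.php.
+; This is the default settings file for new PHP installations from
+; PLD Linux Distribution.
+; It's based mainly on php.ini-dist, but with some changes made with
+; security in mind (see below, consult also
+; http://php.net/manual/en/security.php).
+;
+; Please note, that in PLD installations, /etc/php/php.ini file
+; contains GLOBAL settings for all SAPIs (cgi, cli, apache...),
+; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
+; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
+; (so you don't need to duplicate whole large file to override only
+; few options).
 
 
 ;;;;;;;;;;;;;;;;;;;
@@ -54,12 +60,70 @@
 ; If you use constants in your value, and these constants belong to a
 ; dynamically loaded extension (either a PHP extension or a Zend extension),
 ; you may only use these constants *after* the line that loads the extension.
-;
-; All the values in the php.ini-dist file correspond to the builtin
-; defaults (that is, if no php.ini is used, or if you delete these lines,
-; the builtin defaults will be identical).
 
 
+; Below is the list of settings changed from default as specified in
+; php.ini-recommended. These settings make PHP more secure and encourage
+; cleaner coding.
+; The price is that with these settings, PHP may be incompatible with some old
+; or bad-written applications, and sometimes, more difficult to develop with.
+; Using this settings is warmly recommended for production sites. As all of
+; the changes from the standard settings are thoroughly documented, you can
+; go over each one, and decide whether you want to use it or not.
+;
+; - register_globals = Off [Security, Performance]
+; Global variables are no longer registered for input data (POST, GET, cookies,
+; environment and other server variables). Instead of using $foo, you must use
+; you can use $_REQUEST["foo"] (includes any variable that arrives through the
+; request, namely, POST, GET and cookie variables), or use one of the specific
+; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
+; on where the input originates. Also, you can look at the
+; import_request_variables() function.
+; Note that register_globals = Off is the default setting since PHP 4.2.0.
+; - display_errors = Off [Security]
+; With this directive set to off, errors that occur during the execution of
+; scripts will no longer be displayed as a part of the script output, and thus,
+; will no longer be exposed to remote users. With some errors, the error message
+; content may expose information about your script, web server, or database
+; server that may be exploitable for hacking. Production sites should have this
+; directive set to off.
+; - log_errors = On [Security]
+; This directive complements the above one. Any errors that occur during the
+; execution of your script will be logged (typically, to your server's error log,
+; but can be configured in several ways). Along with setting display_errors to off,
+; this setup gives you the ability to fully understand what may have gone wrong,
+; without exposing any sensitive information to remote users.
+; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
+; By default, PHP surpresses errors of type E_NOTICE. These error messages
+; are emitted for non-critical errors, but that could be a symptom of a bigger
+; problem. Most notably, this will cause error messages about the use
+; of uninitialized variables to be displayed.
+
+; For completeness, below is list of the rest of changes recommended for
+; performance, but NOT applied in default php.ini in PLD (since they are
+; not needed for security or may cause problems with some applications
+; more likely than above).
+
+; - output_buffering = 4096 [Performance]
+; Set a 4KB output buffer. Enabling output buffering typically results in less
+; writes, and sometimes less packets sent on the wire, which can often lead to
+; better performance. The gain this directive actually yields greatly depends
+; on which Web server you're working with, and what kind of scripts you're using.
+; - register_argc_argv = Off [Performance]
+; Disables registration of the somewhat redundant $argv and $argc global
+; variables.
+; - magic_quotes_gpc = Off [Performance]
+; Input data is no longer escaped with slashes so that it can be sent into
+; SQL databases without further manipulation. Instead, you should use the
+; function addslashes() on each input element you wish to send to a database.
+; - variables_order = "GPCS" [Performance]
+; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
+; environment variables, you can use getenv() instead.
+; - allow_call_time_pass_reference = Off [Code cleanliness]
+; It's not possible to decide to force a variable to be passed by reference
+; when calling a function. The PHP 4 style to do this is by making the
+; function require the relevant argument by reference.
+
 ;;;;;;;;;;;;;;;;;;;;
 ; Language Options ;
 ;;;;;;;;;;;;;;;;;;;;
@@ -79,7 +143,7 @@
 asp_tags = Off
 
 ; The number of significant digits displayed in floating point numbers.
-precision = 12
+precision = 14
 
 ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
 y2k_compliance = On
@@ -255,16 +319,16 @@
 ;
 ;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR
 ;
-; - Show all errors except for notices
+; - Show all errors
 ;
-error_reporting = E_ALL & ~E_NOTICE
+error_reporting = E_ALL
 
 ; Print out errors (as a part of the output). For production web sites,
 ; you're strongly encouraged to turn this feature off, and use error logging
 ; instead (see below). Keeping display_errors enabled on a production web site
 ; may reveal security information to end users, such as file paths on your Web
 ; server, your database schema or other information.
-display_errors = On
+display_errors = Off
 
 ; Even when display_errors is on, errors that occur during PHP's startup
 ; sequence are not displayed. It's strongly recommended to keep
@@ -274,7 +338,7 @@
 ; Log errors into a log file (server-specific log, stderr, or error_log (below))
 ; As stated above, you're strongly advised to use error logging in place of
 ; error displaying on production web sites.
-log_errors = Off
+log_errors = On
 
 ; Set maximum length of log_errors. In error_log information about the source is
 ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
@@ -420,7 +484,7 @@
 user_dir =
 
 ; Directory in which the loadable extensions (modules) reside.
-extension_dir = "./"
+extension_dir = "/usr/lib/php"
 
 ; Whether or not to enable the dl() function. The dl() function does NOT work
 ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
@@ -587,10 +651,10 @@
 ;sendmail_path =
 
 [Java]
-;java.class.path = .\php_java.jar
-;java.home = c:\jdk
-;java.library = c:\jdk\jre\bin\hotspot\jvm.dll
-;java.library.path = .\
+java.class.path = /usr/lib/php/php_java.jar
+;java.home = /usr/lib/java
+;java.library = /usr/lib/java/jre/lib/i386/libjava.so
+java.library.path = /usr/lib/php
 
 [SQL]
 sql.safe_mode = Off
@@ -685,6 +749,7 @@
 pgsql.max_links = -1
 
 ; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
 pgsql.ignore_notice = 0
 
 ; Log PostgreSQL backends Noitce message or not.
@@ -804,7 +869,9 @@
 ; You can use the script in the ext/session dir for that purpose.
 ; NOTE 2: See the section on garbage collection below if you choose to
 ; use subdirectories for session storage
-;session.save_path = /tmp
+; NOTE 3: you may need to override this setting for cli or cgi SAPIs,
+; to allow running them as user other than http
+session.save_path = /var/run/php
 
 ; Whether to use cookies.
 session.use_cookies = 1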
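Review bot: The new `session.save_path = /var/run/php` in the last hunk does not say who must own that directory or what mode it needs; NOTE 3 only implies that it is writable by the http user. Session files hold whatever the application stores in the session, so the requirement belongs next to the setting, for example `; NOTE 4: /var/run/php must be owned by the http user and must not be readable or listable by other local users`. The patch itself cannot show whether the package creates the directory that way, so that should be confirmed in the packaging, along with whether it is recreated if /var/run is cleared at boot. Because this file is global for all SAPIs, a cli or cgi run under another account will fail to write sessions until the SAPI-specific file overrides the path, and that override directory needs the same restriction.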