1 diff -burN php-5.0.0b3/php.ini-dist php-5.0.0b3-php.ini/php.ini-dist
2 --- php-5.0.0b3/php.ini-dist 2003-12-18 03:06:00.000000000 +0100
3 +++ php-5.0.0b3-php.ini/php.ini 2003-12-27 00:29:41.000000000 +0100
8 -; This is the default settings file for new PHP installations.
9 -; By default, PHP installs itself with a configuration suitable for
10 -; development purposes, and *NOT* for production purposes.
11 -; For several security-oriented considerations that should be taken
12 -; before going online with your site, please consult php.ini-recommended
13 -; and http://php.net/manual/en/security.php.
15 +; This is the default settings file for new PHP installations from
16 +; PLD Linux Distribution.
17 +; It's based mainly on php.ini-dist, but with some changes made with
18 +; security in mind (see below, consult also
19 +; http://php.net/manual/en/security.php).
21 +; Please note, that in PLD installations /etc/php/php.ini file
22 +; contains global settings for all SAPIs (cgi, cli, apache...),
23 +; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
24 +; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
25 +; (so you don't have to duplicate whole large file to override only
31 ; If you use constants in your value, and these constants belong to a
32 ; dynamically loaded extension (either a PHP extension or a Zend extension),
33 ; you may only use these constants *after* the line that loads the extension.
35 -; All the values in the php.ini-dist file correspond to the builtin
36 -; defaults (that is, if no php.ini is used, or if you delete these lines,
37 -; the builtin defaults will be identical).
40 +; Below is the list of settings changed from default as specified in
41 +; php.ini-recommended. These settings make PHP more secure and encourage
43 +; The price is that with these settings, PHP may be incompatible with some old
44 +; or bad-written applications, and sometimes, more difficult to develop with.
45 +; Using this settings is warmly recommended for production sites. As all of
46 +; the changes from the standard settings are thoroughly documented, you can
47 +; go over each one, and decide whether you want to use it or not.
49 +; - register_globals = Off [Security, Performance]
50 +; Global variables are no longer registered for input data (POST, GET, cookies,
51 +; environment and other server variables). Instead of using $foo, you must use
52 +; you can use $_REQUEST["foo"] (includes any variable that arrives through the
53 +; request, namely, POST, GET and cookie variables), or use one of the specific
54 +; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
55 +; on where the input originates. Also, you can look at the
56 +; import_request_variables() function.
57 +; Note that register_globals = Off is the default setting since PHP 4.2.0.
58 +; - display_errors = Off [Security]
59 +; With this directive set to off, errors that occur during the execution of
60 +; scripts will no longer be displayed as a part of the script output, and thus,
61 +; will no longer be exposed to remote users. With some errors, the error message
62 +; content may expose information about your script, web server, or database
63 +; server that may be exploitable for hacking. Production sites should have this
64 +; directive set to off.
65 +; - log_errors = On [Security]
66 +; This directive complements the above one. Any errors that occur during the
67 +; execution of your script will be logged (typically, to your server's error log,
68 +; but can be configured in several ways). Along with setting display_errors to off,
69 +; this setup gives you the ability to fully understand what may have gone wrong,
70 +; without exposing any sensitive information to remote users.
71 +; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
72 +; By default, PHP surpresses errors of type E_NOTICE. These error messages
73 +; are emitted for non-critical errors, but that could be a symptom of a bigger
74 +; problem. Most notably, this will cause error messages about the use
75 +; of uninitialized variables to be displayed.
77 +; For completeness, below is list of the rest of changes recommended for
78 +; performance, but NOT applied in default php.ini in PLD (since they are
79 +; not needed for security or may cause problems with some applications
80 +; more likely than above).
82 +; - output_buffering = 4096 [Performance]
83 +; Set a 4KB output buffer. Enabling output buffering typically results in less
84 +; writes, and sometimes less packets sent on the wire, which can often lead to
85 +; better performance. The gain this directive actually yields greatly depends
86 +; on which Web server you're working with, and what kind of scripts you're using.
87 +; - register_argc_argv = Off [Performance]
88 +; Disables registration of the somewhat redundant $argv and $argc global
90 +; - magic_quotes_gpc = Off [Performance]
91 +; Input data is no longer escaped with slashes so that it can be sent into
92 +; SQL databases without further manipulation. Instead, you should use the
93 +; function addslashes() on each input element you wish to send to a database.
94 +; - variables_order = "GPCS" [Performance]
95 +; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
96 +; environment variables, you can use getenv() instead.
97 +; - allow_call_time_pass_reference = Off [Code cleanliness]
98 +; It's not possible to decide to force a variable to be passed by reference
99 +; when calling a function. The PHP 4 style to do this is by making the
100 +; function require the relevant argument by reference.
107 ; The number of significant digits displayed in floating point numbers.
111 ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
113 @@ -270,14 +334,14 @@
115 ; - Show all errors except for notices and coding standards warnings
117 -error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT
118 +error_reporting = E_ALL
120 ; Print out errors (as a part of the output). For production web sites,
121 ; you're strongly encouraged to turn this feature off, and use error logging
122 ; instead (see below). Keeping display_errors enabled on a production web site
123 ; may reveal security information to end users, such as file paths on your Web
124 ; server, your database schema or other information.
126 +display_errors = Off
128 ; Even when display_errors is on, errors that occur during PHP's startup
129 ; sequence are not displayed. It's strongly recommended to keep
133 ; Directory in which the loadable extensions (modules) reside.
134 -extension_dir = "./"
135 +extension_dir = "/usr/lib/php"
137 ; Whether or not to enable the dl() function. The dl() function does NOT work
138 ; properly in multithreaded servers, such as IIS or Zeus, and is automatically