-diff -durN php-4.2.2.orig/php.ini php-4.2.2/php.ini
---- php-4.2.2.orig/php.ini Wed Aug 7 18:24:45 2002
-+++ php-4.2.2/php.ini Wed Aug 7 18:30:27 2002
-@@ -74,7 +74,7 @@
+--- php-5.2.8/php.ini-dist 2008-11-28 21:07:09.000000000 +0200
++++ php-5.2.8/php.ini 2009-01-05 14:53:55.914702890 +0200
+@@ -3,13 +3,18 @@
+ ;;;;;;;;;;;
+ ; WARNING ;
+ ;;;;;;;;;;;
+-; This is the default settings file for new PHP installations.
+-; By default, PHP installs itself with a configuration suitable for
+-; development purposes, and *NOT* for production purposes.
+-; For several security-oriented considerations that should be taken
+-; before going online with your site, please consult php.ini-recommended
+-; and http://php.net/manual/en/security.php.
+-
++; This is the default settings file for new PHP installations from
++; PLD Linux Distribution.
++; It's based mainly on php.ini-dist, but with some changes made with
++; security in mind (see below, consult also
++; http://php.net/manual/en/security.php).
++;
++; Please note, that in PLD installations /etc/php/php.ini file
++; contains global settings for all SAPIs (cgi, cli, apache...),
++; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
++; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
++; (so you don't have to duplicate whole large file to override only
++; few options)
+
+ ;;;;;;;;;;;;;;;;;;;
+ ; About php.ini ;
+@@ -59,10 +64,72 @@
+ ;;;;;;;;;;;;;;;;;;;
+ ; About this file ;
+ ;;;;;;;;;;;;;;;;;;;
+-; All the values in the php.ini-dist file correspond to the builtin
+-; defaults (that is, if no php.ini is used, or if you delete these lines,
+-; the builtin defaults will be identical).
++; If you use constants in your value, and these constants belong to a
++; dynamically loaded extension (either a PHP extension or a Zend extension),
++; you may only use these constants *after* the line that loads the extension.
++
+
++; Below is the list of settings changed from default as specified in
++; php.ini-recommended. These settings make PHP more secure and encourage
++; cleaner coding.
++; The price is that with these settings, PHP may be incompatible with some old
++; or bad-written applications, and sometimes, more difficult to develop with.
++; Using this settings is warmly recommended for production sites. As all of
++; the changes from the standard settings are thoroughly documented, you can
++; go over each one, and decide whether you want to use it or not.
++;
++; - register_globals = Off [Security, Performance]
++; Global variables are no longer registered for input data (POST, GET, cookies,
++; environment and other server variables). Instead of using $foo, you must use
++; you can use $_REQUEST["foo"] (includes any variable that arrives through the
++; request, namely, POST, GET and cookie variables), or use one of the specific
++; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
++; on where the input originates. Also, you can look at the
++; import_request_variables() function.
++; Note that register_globals = Off is the default setting since PHP 4.2.0.
++; - display_errors = Off [Security]
++; With this directive set to off, errors that occur during the execution of
++; scripts will no longer be displayed as a part of the script output, and thus,
++; will no longer be exposed to remote users. With some errors, the error message
++; content may expose information about your script, web server, or database
++; server that may be exploitable for hacking. Production sites should have this
++; directive set to off.
++; - log_errors = On [Security]
++; This directive complements the above one. Any errors that occur during the
++; execution of your script will be logged (typically, to your server's error log,
++; but can be configured in several ways). Along with setting display_errors to off,
++; this setup gives you the ability to fully understand what may have gone wrong,
++; without exposing any sensitive information to remote users.
++; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
++; By default, PHP surpresses errors of type E_NOTICE. These error messages
++; are emitted for non-critical errors, but that could be a symptom of a bigger
++; problem. Most notably, this will cause error messages about the use
++; of uninitialized variables to be displayed.
++; - register_argc_argv = Off [Performance]
++; Disables registration of the somewhat redundant $argv and $argc global
++; variables.
++; - magic_quotes_gpc = Off [Performance]
++; Input data is no longer escaped with slashes so that it can be sent into
++; SQL databases without further manipulation. Instead, you should use the
++; function addslashes() on each input element you wish to send to a database.
++; - variables_order = "GPCS" [Performance]
++; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
++; environment variables, you can use getenv() instead.
++
++; For completeness, below is list of the rest of changes recommended for
++; performance, but NOT applied in default php.ini in PLD (since they are
++; not needed for security or may cause problems with some applications
++; more likely than above).
++
++; - output_buffering = 4096 [Performance]
++; Set a 4KB output buffer. Enabling output buffering typically results in less
++; writes, and sometimes less packets sent on the wire, which can often lead to
++; better performance. The gain this directive actually yields greatly depends
++; on which Web server you're working with, and what kind of scripts you're using.
++; - allow_call_time_pass_reference = Off [Code cleanliness]
++; It's not possible to decide to force a variable to be passed by reference
++; when calling a function. The PHP 4 style to do this is by making the
++; function require the relevant argument by reference.
+
+ ;;;;;;;;;;;;;;;;;;;;
+ ; Language Options ;
+@@ -86,7 +153,7 @@
asp_tags = Off
; The number of significant digits displayed in floating point numbers.
+precision = 14
; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
- y2k_compliance = Off
-@@ -371,7 +371,7 @@
+ y2k_compliance = On
+@@ -245,7 +312,7 @@
+ ; (e.g. by adding its signature to the Web server header). It is no security
+ ; threat in any way, but it makes it possible to determine whether you use PHP
+ ; on your server or not.
+-expose_php = On
++expose_php = Off
+
+
+ ;;;;;;;;;;;;;;;;;;;
+@@ -302,7 +369,9 @@
+ ;
+ ; - Show all errors except for notices and coding standards warnings
+ ;
+-error_reporting = E_ALL & ~E_NOTICE
++;error_reporting = E_ALL & ~E_NOTICE
++
++error_reporting = E_ALL
+
+ ; Print out errors (as a part of the output). For production web sites,
+ ; you're strongly encouraged to turn this feature off, and use error logging
+@@ -319,7 +388,7 @@
+ ;
+ ; stdout (On) - Display errors to STDOUT
+ ;
+-display_errors = On
++display_errors = Off
+
+ ; Even when display_errors is on, errors that occur during PHP's startup
+ ; sequence are not displayed. It's strongly recommended to keep
+@@ -329,7 +398,7 @@
+ ; Log errors into a log file (server-specific log, stderr, or error_log (below))
+ ; As stated above, you're strongly advised to use error logging in place of
+ ; error displaying on production web sites.
+-log_errors = Off
++log_errors = On
+
+ ; Set maximum length of log_errors. In error_log information about the source is
+ ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
+@@ -352,7 +421,7 @@
+ ;report_zend_debug = 0
+
+ ; Store the last error/warning message in $php_errormsg (boolean).
+-track_errors = Off
++track_errors = On
+
+ ; Turn off normal error reporting and emit XML-RPC error XML
+ ;xmlrpc_errors = 0
+@@ -361,7 +430,7 @@
+
+ ; Disable the inclusion of HTML tags in error messages.
+ ; Note: Never use this feature for production boxes.
+-;html_errors = Off
++html_errors = Off
+
+ ; If html_errors is set On PHP produces clickable error messages that direct
+ ; to a page describing the error or function causing the error in detail.
+@@ -405,7 +474,7 @@
+ ; Environment and Built-in variables (G, P, C, E & S respectively, often
+ ; referred to as EGPCS or GPC). Registration is done from left to right, newer
+ ; values override older values.
+-variables_order = "EGPCS"
++variables_order = "GPCS"
+
+ ; Whether or not to register the EGPCS variables as global variables. You may
+ ; want to turn this off if you don't want to clutter your scripts' global scope
+@@ -421,12 +490,12 @@
+ ; Whether or not to register the old-style input arrays, HTTP_GET_VARS
+ ; and friends. If you're not using them, it's recommended to turn them off,
+ ; for performance reasons.
+-register_long_arrays = On
++register_long_arrays = Off
+
+ ; This directive tells PHP whether to declare the argv&argc variables (that
+ ; would contain the GET information). If you don't use these variables, you
+ ; should turn it off for increased performance.
+-register_argc_argv = On
++register_argc_argv = Off
+
+ ; When enabled, the SERVER and ENV variables are created when they're first
+ ; used (Just In Time) instead of when the script starts. If these variables
+@@ -442,7 +511,7 @@
+ ;
+
+ ; Magic quotes for incoming GET/POST/Cookie data.
+-magic_quotes_gpc = On
++magic_quotes_gpc = Off
+
+ ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
+ magic_quotes_runtime = Off
+@@ -488,55 +557,13 @@
user_dir =
; Directory in which the loadable extensions (modules) reside.
--extension_dir = ./
-+extension_dir = /usr/lib/php
+-extension_dir = "./"
++extension_dir = "/usr/lib/php"
; Whether or not to enable the dl() function. The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -692,7 +692,7 @@
- ; Argument passed to save_handler. In the case of files, this is the path
- ; where data files are stored. Note: Windows users have to change this
- ; variable in order to use PHP's session functions.
--session.save_path = /tmp
-+session.save_path = /var/run/php
-
- ; Whether to use cookies.
- session.use_cookies = 1
+ ; disabled on them.
+ enable_dl = On
+
+-; cgi.force_redirect is necessary to provide security running PHP as a CGI under
+-; most web servers. Left undefined, PHP turns this on by default. You can
+-; turn it off here AT YOUR OWN RISK
+-; **You CAN safely turn this off for IIS, in fact, you MUST.**
+-; cgi.force_redirect = 1
+-
+-; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
+-; every request.
+-; cgi.nph = 1
+-
+-; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
+-; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
+-; will look for to know it is OK to continue execution. Setting this variable MAY
+-; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
+-; cgi.redirect_status_env = ;
+-
+-; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
+-; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
+-; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
+-; this to 1 will cause PHP CGI to fix it's paths to conform to the spec. A setting
+-; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
+-; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
+-; cgi.fix_pathinfo=0
+-
+-; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
+-; security tokens of the calling client. This allows IIS to define the
+-; security context that the request runs under. mod_fastcgi under Apache
+-; does not currently support this feature (03/17/2002)
+-; Set to 1 if running under IIS. Default is zero.
+-; fastcgi.impersonate = 1;
+-
+-; Disable logging through FastCGI connection
+-; fastcgi.logging = 0
+-
+-; cgi.rfc2616_headers configuration option tells PHP what type of headers to
+-; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
+-; is supported by Apache. When this option is set to 1 PHP will send
+-; RFC2616 compliant header.
+-; Default is zero.
+-;cgi.rfc2616_headers = 0
+-
+-
+ ;;;;;;;;;;;;;;;;
+ ; File Uploads ;
+ ;;;;;;;;;;;;;;;;
+@@ -630,59 +630,6 @@
+ ; needs to go here. Specify the location of the extension with the
+ ; extension_dir directive above.
+
+-
+-; Windows Extensions
+-; Note that ODBC support is built in, so no dll is needed for it.
+-; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
+-; extension folders as well as the separate PECL DLL download (PHP 5).
+-; Be sure to appropriately set the extension_dir directive.
+-
+-;extension=php_bz2.dll
+-;extension=php_curl.dll
+-;extension=php_dba.dll
+-;extension=php_dbase.dll
+-;extension=php_fdf.dll
+-;extension=php_gd2.dll
+-;extension=php_gettext.dll
+-;extension=php_gmp.dll
+-;extension=php_ifx.dll
+-;extension=php_imap.dll
+-;extension=php_interbase.dll
+-;extension=php_ldap.dll
+-;extension=php_mbstring.dll
+-;extension=php_exif.dll
+-;extension=php_mcrypt.dll
+-;extension=php_mhash.dll
+-;extension=php_mime_magic.dll
+-;extension=php_ming.dll
+-;extension=php_msql.dll
+-;extension=php_mssql.dll
+-;extension=php_mysql.dll
+-;extension=php_mysqli.dll
+-;extension=php_oci8.dll
+-;extension=php_openssl.dll
+-;extension=php_pdo.dll
+-;extension=php_pdo_firebird.dll
+-;extension=php_pdo_mssql.dll
+-;extension=php_pdo_mysql.dll
+-;extension=php_pdo_oci.dll
+-;extension=php_pdo_oci8.dll
+-;extension=php_pdo_odbc.dll
+-;extension=php_pdo_pgsql.dll
+-;extension=php_pdo_sqlite.dll
+-;extension=php_pgsql.dll
+-;extension=php_pspell.dll
+-;extension=php_shmop.dll
+-;extension=php_snmp.dll
+-;extension=php_soap.dll
+-;extension=php_sockets.dll
+-;extension=php_sqlite.dll
+-;extension=php_sybase_ct.dll
+-;extension=php_tidy.dll
+-;extension=php_xmlrpc.dll
+-;extension=php_xsl.dll
+-;extension=php_zip.dll
+-
+ ;;;;;;;;;;;;;;;;;;;
+ ; Module Settings ;
+ ;;;;;;;;;;;;;;;;;;;
+@@ -776,6 +750,9 @@
+ ; Maximum time (in seconds) for connect timeout. -1 means no limit
+ mysql.connect_timeout = 60
+
++; The name of the character set to use as the default character set.
++;mysql.connect_charset=utf8
++
+ ; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
+ ; SQL-Errors will be displayed.
+ mysql.trace_mode = Off
+@@ -795,6 +772,9 @@
+ ; MySQL defaults.
+ mysqli.default_socket =
+
++; The name of the character set to use as the default character set.
++;mysqli.connect_charset=utf8
++
+ ; Default host for mysql_connect() (doesn't apply in safe mode).
+ mysqli.default_host =
+
+@@ -811,6 +791,10 @@
+ ; Allow or prevent reconnect
+ mysqli.reconnect = Off
+
++[pdo_mysql]
++; The name of the character set to use as the default character set.
++;pdo_mysql.connect_charset=utf8
++
+ [mSQL]
+ ; Allow or prevent persistent links.
+ msql.allow_persistent = On
+@@ -920,7 +904,7 @@
+ bcmath.scale = 0
+
+ [browscap]
+-;browscap = extra/browscap.ini
++;browscap = /usr/share/browscap/php_browscap.ini
+
+ [Informix]
+ ; Default host for ifx_connect() (doesn't apply in safe mode).
+@@ -1273,7 +1257,7 @@
+ ; Enables or disables WSDL caching feature.
+ soap.wsdl_cache_enabled=1
+ ; Sets the directory name where SOAP extension will put cache files.
+-soap.wsdl_cache_dir="/tmp"
++soap.wsdl_cache_dir="/var/cache/php"
+ ; (time to live) Sets the number of second while cached file will be used
+ ; instead of original one.
+ soap.wsdl_cache_ttl=86400
projects / packages / php.git / blobdiff