1 --- php-4.3.0/php.ini-dist Thu Dec 26 14:27:08 2002
2 +++ php-4.3.0/php.ini Sat Jan 4 21:01:55 2003
7 -; This is the default settings file for new PHP installations.
8 -; By default, PHP installs itself with a configuration suitable for
9 -; development purposes, and *NOT* for production purposes.
10 -; For several security-oriented considerations that should be taken
11 -; before going online with your site, please consult php.ini-recommended
12 -; and http://php.net/manual/en/security.php.
13 +; This is the default settings file for new PHP installations from
14 +; PLD Linux Distribution.
15 +; It's based mainly on php.ini-dist, but with some changes made with
16 +; security in mind (see below, consult also
17 +; http://php.net/manual/en/security.php).
19 +; Please note, that in PLD installations, /etc/php4/php.ini file
20 +; contains GLOBAL settings for all SAPIs (cgi, cli, apache...),
21 +; and after reading this file, SAPI-specific file (/etc/php4/php-cgi.ini,
22 +; /etc/php4/php-cli.ini, /etc/php4/php-apache.ini...) is INCLUDED
23 +; (so you don't need to duplicate whole large file to override only
29 ; If you use constants in your value, and these constants belong to a
30 ; dynamically loaded extension (either a PHP extension or a Zend extension),
31 ; you may only use these constants *after* the line that loads the extension.
33 -; All the values in the php.ini-dist file correspond to the builtin
34 -; defaults (that is, if no php.ini is used, or if you delete these lines,
35 -; the builtin defaults will be identical).
38 +; Below is the list of settings changed from default as specified in
39 +; php.ini-recommended. These settings make PHP more secure and encourage
41 +; The price is that with these settings, PHP may be incompatible with some old
42 +; or bad-written applications, and sometimes, more difficult to develop with.
43 +; Using this settings is warmly recommended for production sites. As all of
44 +; the changes from the standard settings are thoroughly documented, you can
45 +; go over each one, and decide whether you want to use it or not.
47 +; - register_globals = Off [Security, Performance]
48 +; Global variables are no longer registered for input data (POST, GET, cookies,
49 +; environment and other server variables). Instead of using $foo, you must use
50 +; you can use $_REQUEST["foo"] (includes any variable that arrives through the
51 +; request, namely, POST, GET and cookie variables), or use one of the specific
52 +; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
53 +; on where the input originates. Also, you can look at the
54 +; import_request_variables() function.
55 +; Note that register_globals = Off is the default setting since PHP 4.2.0.
56 +; - display_errors = Off [Security]
57 +; With this directive set to off, errors that occur during the execution of
58 +; scripts will no longer be displayed as a part of the script output, and thus,
59 +; will no longer be exposed to remote users. With some errors, the error message
60 +; content may expose information about your script, web server, or database
61 +; server that may be exploitable for hacking. Production sites should have this
62 +; directive set to off.
63 +; - log_errors = On [Security]
64 +; This directive complements the above one. Any errors that occur during the
65 +; execution of your script will be logged (typically, to your server's error log,
66 +; but can be configured in several ways). Along with setting display_errors to off,
67 +; this setup gives you the ability to fully understand what may have gone wrong,
68 +; without exposing any sensitive information to remote users.
69 +; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
70 +; By default, PHP surpresses errors of type E_NOTICE. These error messages
71 +; are emitted for non-critical errors, but that could be a symptom of a bigger
72 +; problem. Most notably, this will cause error messages about the use
73 +; of uninitialized variables to be displayed.
75 +; For completeness, below is list of the rest of changes recommended for
76 +; performance, but NOT applied in default php.ini in PLD (since they are
77 +; not needed for security or may cause problems with some applications
78 +; more likely than above).
80 +; - output_buffering = 4096 [Performance]
81 +; Set a 4KB output buffer. Enabling output buffering typically results in less
82 +; writes, and sometimes less packets sent on the wire, which can often lead to
83 +; better performance. The gain this directive actually yields greatly depends
84 +; on which Web server you're working with, and what kind of scripts you're using.
85 +; - register_argc_argv = Off [Performance]
86 +; Disables registration of the somewhat redundant $argv and $argc global
88 +; - magic_quotes_gpc = Off [Performance]
89 +; Input data is no longer escaped with slashes so that it can be sent into
90 +; SQL databases without further manipulation. Instead, you should use the
91 +; function addslashes() on each input element you wish to send to a database.
92 +; - variables_order = "GPCS" [Performance]
93 +; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
94 +; environment variables, you can use getenv() instead.
95 +; - allow_call_time_pass_reference = Off [Code cleanliness]
96 +; It's not possible to decide to force a variable to be passed by reference
97 +; when calling a function. The PHP 4 style to do this is by making the
98 +; function require the relevant argument by reference.
106 ; The number of significant digits displayed in floating point numbers.
110 ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
112 @@ -255,16 +319,16 @@
114 ;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR
116 -; - Show all errors except for notices
119 -error_reporting = E_ALL & ~E_NOTICE
120 +error_reporting = E_ALL
122 ; Print out errors (as a part of the output). For production web sites,
123 ; you're strongly encouraged to turn this feature off, and use error logging
124 ; instead (see below). Keeping display_errors enabled on a production web site
125 ; may reveal security information to end users, such as file paths on your Web
126 ; server, your database schema or other information.
128 +display_errors = Off
130 ; Even when display_errors is on, errors that occur during PHP's startup
131 ; sequence are not displayed. It's strongly recommended to keep
133 ; Log errors into a log file (server-specific log, stderr, or error_log (below))
134 ; As stated above, you're strongly advised to use error logging in place of
135 ; error displaying on production web sites.
139 ; Set maximum length of log_errors. In error_log information about the source is
140 ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
144 ; Directory in which the loadable extensions (modules) reside.
145 -extension_dir = "./"
146 +extension_dir = "/usr/lib/php4"
148 ; Whether or not to enable the dl() function. The dl() function does NOT work
149 ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
150 @@ -587,10 +651,10 @@
154 -;java.class.path = .\php_java.jar
156 -;java.library = c:\jdk\jre\bin\hotspot\jvm.dll
157 -;java.library.path = .\
158 +java.class.path = /usr/lib/php4/php_java.jar
159 +;java.home = /usr/lib/java
160 +;java.library = /usr/lib/java/jre/lib/i386/libjava.so
161 +java.library.path = /usr/lib/php4
168 ; Ignore PostgreSQL backends Notice message or not.
169 +; Notice message logging require a little overheads.
170 pgsql.ignore_notice = 0
172 ; Log PostgreSQL backends Noitce message or not.
174 ; You can use the script in the ext/session dir for that purpose.
175 ; NOTE 2: See the section on garbage collection below if you choose to
176 ; use subdirectories for session storage
177 -;session.save_path = /tmp
178 +; NOTE 3: you may need to override this setting for cli or cgi SAPIs,
179 +; to allow running them as user other than http
180 +session.save_path = /var/run/php
182 ; Whether to use cookies.
183 session.use_cookies = 1
184 --- ./php.ini~ 2005-07-14 17:34:35.000000000 +0300
185 +++ ./php.ini 2005-07-14 20:14:13.000000000 +0300
187 ; needs to go here. Specify the location of the extension with the
188 ; extension_dir directive above.
192 -;Note that MySQL and ODBC support is now built in, so no dll is needed for it.
194 -;extension=php_mbstring.dll
195 -;extension=php_bz2.dll
196 -;extension=php_cpdf.dll
197 -;extension=php_crack.dll
198 -;extension=php_curl.dll
199 -;extension=php_db.dll
200 -;extension=php_dba.dll
201 -;extension=php_dbase.dll
202 -;extension=php_dbx.dll
203 -;extension=php_domxml.dll
204 -;extension=php_exif.dll
205 -;extension=php_fdf.dll
206 -;extension=php_filepro.dll
207 -;extension=php_gd2.dll
208 -;extension=php_gettext.dll
209 -;extension=php_hyperwave.dll
210 -;extension=php_iconv.dll
211 -;extension=php_ifx.dll
212 -;extension=php_iisfunc.dll
213 -;extension=php_imap.dll
214 -;extension=php_interbase.dll
215 -;extension=php_java.dll
216 -;extension=php_ldap.dll
217 -;extension=php_mcrypt.dll
218 -;extension=php_mhash.dll
219 -;extension=php_mime_magic.dll
220 -;extension=php_ming.dll
221 -;extension=php_mssql.dll
222 -;extension=php_msql.dll
223 -;extension=php_oci8.dll
224 -;extension=php_openssl.dll
225 -;extension=php_oracle.dll
226 -;extension=php_pdf.dll
227 -;extension=php_pgsql.dll
228 -;extension=php_printer.dll
229 -;extension=php_shmop.dll
230 -;extension=php_snmp.dll
231 -;extension=php_sockets.dll
232 -;extension=php_sybase_ct.dll
233 -;extension=php_w32api.dll
234 -;extension=php_xmlrpc.dll
235 -;extension=php_xslt.dll
236 -;extension=php_yaz.dll
237 -;extension=php_zip.dll
243 --- ./php.ini.old 2003-07-20 03:14:22.000000000 -0700
244 +++ ./php.ini 2003-07-20 03:14:51.000000000 -0700
248 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
249 -allow_url_fopen = On
250 +; allow_url_fopen = On
251 +; Closed for security - <glen@pld-linux.org>
252 +allow_url_fopen = Off
254 ; Define the anonymous ftp password (your email address)