Commit | Line | Data |
---|---|---|
21f7df16 JB |
1 | --- php-5.0.1.org/php.ini 2004-08-13 13:28:45.800911928 +0200 |
2 | +++ php-5.0.1/php.ini 2004-08-13 13:31:28.844125592 +0200 | |
917119c9 | 3 | @@ -3,13 +3,18 @@ |
4342041a JB |
4 | ;;;;;;;;;;; |
5 | ; WARNING ; | |
6 | ;;;;;;;;;;; | |
7 | -; This is the default settings file for new PHP installations. | |
8 | -; By default, PHP installs itself with a configuration suitable for | |
9 | -; development purposes, and *NOT* for production purposes. | |
10 | -; For several security-oriented considerations that should be taken | |
11 | -; before going online with your site, please consult php.ini-recommended | |
12 | -; and http://php.net/manual/en/security.php. | |
917119c9 | 13 | - |
4342041a JB |
14 | +; This is the default settings file for new PHP installations from |
15 | +; PLD Linux Distribution. | |
16 | +; It's based mainly on php.ini-dist, but with some changes made with | |
17 | +; security in mind (see below, consult also | |
18 | +; http://php.net/manual/en/security.php). | |
19 | +; | |
917119c9 AM |
20 | +; Please note, that in PLD installations /etc/php/php.ini file |
21 | +; contains global settings for all SAPIs (cgi, cli, apache...), | |
4342041a JB |
22 | +; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini, |
23 | +; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED | |
917119c9 AM |
24 | +; (so you don't have to duplicate whole large file to override only |
25 | +; few options) | |
4342041a | 26 | |
a00e0eb8 AM |
27 | ;;;;;;;;;;;;;;;;;;; |
28 | ; About php.ini ; | |
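Review bot: The added note about SAPI-specific files (added lines 20 to 25) never says outright which file wins when both set the same directive. Since the SAPI file is included after /etc/php/php.ini and is meant "to override only few options", state that its values take precedence, so anyone auditing the security settings below knows to check /etc/php/php-cgi.ini, /etc/php/php-cli.ini and /etc/php/php-apache.ini as well. Wording: "Please note, that" should lose the comma, and "only few options" should read "only a few options".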
29 | @@ -59,10 +64,72 @@ | |
4342041a | 30 | ;;;;;;;;;;;;;;;;;;; |
917119c9 | 31 | ; About this file ; |
a00e0eb8 | 32 | ;;;;;;;;;;;;;;;;;;; |
4342041a JB |
33 | -; All the values in the php.ini-dist file correspond to the builtin |
34 | -; defaults (that is, if no php.ini is used, or if you delete these lines, | |
35 | -; the builtin defaults will be identical). | |
a00e0eb8 AM |
36 | - |
37 | +; If you use constants in your value, and these constants belong to a | |
38 | +; dynamically loaded extension (either a PHP extension or a Zend extension), | |
39 | +; you may only use these constants *after* the line that loads the extension. | |
ff83cd8b JB |
40 | + |
41 | + | |
4342041a JB |
42 | +; Below is the list of settings changed from default as specified in |
43 | +; php.ini-recommended. These settings make PHP more secure and encourage | |
44 | +; cleaner coding. | |
45 | +; The price is that with these settings, PHP may be incompatible with some old | |
46 | +; or bad-written applications, and sometimes, more difficult to develop with. | |
47 | +; Using this settings is warmly recommended for production sites. As all of | |
48 | +; the changes from the standard settings are thoroughly documented, you can | |
49 | +; go over each one, and decide whether you want to use it or not. | |
50 | +; | |
51 | +; - register_globals = Off [Security, Performance] | |
52 | +; Global variables are no longer registered for input data (POST, GET, cookies, | |
53 | +; environment and other server variables). Instead of using $foo, you must use | |
54 | +; you can use $_REQUEST["foo"] (includes any variable that arrives through the | |
55 | +; request, namely, POST, GET and cookie variables), or use one of the specific | |
56 | +; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending | |
57 | +; on where the input originates. Also, you can look at the | |
58 | +; import_request_variables() function. | |
59 | +; Note that register_globals = Off is the default setting since PHP 4.2.0. | |
60 | +; - display_errors = Off [Security] | |
61 | +; With this directive set to off, errors that occur during the execution of | |
62 | +; scripts will no longer be displayed as a part of the script output, and thus, | |
63 | +; will no longer be exposed to remote users. With some errors, the error message | |
64 | +; content may expose information about your script, web server, or database | |
65 | +; server that may be exploitable for hacking. Production sites should have this | |
66 | +; directive set to off. | |
67 | +; - log_errors = On [Security] | |
68 | +; This directive complements the above one. Any errors that occur during the | |
69 | +; execution of your script will be logged (typically, to your server's error log, | |
70 | +; but can be configured in several ways). Along with setting display_errors to off, | |
71 | +; this setup gives you the ability to fully understand what may have gone wrong, | |
72 | +; without exposing any sensitive information to remote users. | |
73 | +; - error_reporting = E_ALL [Code Cleanliness, Security(?)] | |
74 | +; By default, PHP surpresses errors of type E_NOTICE. These error messages | |
75 | +; are emitted for non-critical errors, but that could be a symptom of a bigger | |
76 | +; problem. Most notably, this will cause error messages about the use | |
77 | +; of uninitialized variables to be displayed. | |
78 | + | |
79 | +; For completeness, below is list of the rest of changes recommended for | |
80 | +; performance, but NOT applied in default php.ini in PLD (since they are | |
81 | +; not needed for security or may cause problems with some applications | |
82 | +; more likely than above). | |
ff83cd8b | 83 | + |
4342041a JB |
84 | +; - output_buffering = 4096 [Performance] |
85 | +; Set a 4KB output buffer. Enabling output buffering typically results in less | |
86 | +; writes, and sometimes less packets sent on the wire, which can often lead to | |
87 | +; better performance. The gain this directive actually yields greatly depends | |
88 | +; on which Web server you're working with, and what kind of scripts you're using. | |
89 | +; - register_argc_argv = Off [Performance] | |
90 | +; Disables registration of the somewhat redundant $argv and $argc global | |
91 | +; variables. | |
92 | +; - magic_quotes_gpc = Off [Performance] | |
93 | +; Input data is no longer escaped with slashes so that it can be sent into | |
94 | +; SQL databases without further manipulation. Instead, you should use the | |
95 | +; function addslashes() on each input element you wish to send to a database. | |
96 | +; - variables_order = "GPCS" [Performance] | |
97 | +; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access | |
98 | +; environment variables, you can use getenv() instead. | |
99 | +; - allow_call_time_pass_reference = Off [Code cleanliness] | |
100 | +; It's not possible to decide to force a variable to be passed by reference | |
101 | +; when calling a function. The PHP 4 style to do this is by making the | |
102 | +; function require the relevant argument by reference. | |
917119c9 | 103 | |
4342041a | 104 | ;;;;;;;;;;;;;;;;;;;; |
a00e0eb8 AM |
105 | ; Language Options ; |
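Review bot: In the error_reporting = E_ALL entry, "this will cause error messages about the use of uninitialized variables to be displayed" contradicts the display_errors = Off entry earlier in the same list. With the settings documented here those notices are reported and logged, not displayed, so the sentence should say so. In the register_globals entry, "you must use you can use $_REQUEST["foo"]" carries a duplicated phrase. "surpresses", "bad-written" and "Using this settings" also need correcting before this text ships as the distribution's header comment.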
106 | @@ -86,7 +153,7 @@ | |
9fab2fdf JK |
107 | asp_tags = Off |
108 | ||
109 | ; The number of significant digits displayed in floating point numbers. | |
cc1337ae JK |
110 | -precision = 12 |
111 | +precision = 14 | |
9fab2fdf JK |
112 | |
113 | ; Enforce year 2000 compliance (will cause problems with non-compliant browsers) | |
4342041a | 114 | y2k_compliance = On |
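Review bot: precision = 14 is not covered by the list of changed settings added earlier in this patch, which says all changes from the standard settings are documented. Either add an entry explaining why the value moves from 12 to 14, or move the change out of a patch whose header describes its changes as made with security in mind.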
a00e0eb8 | 115 | @@ -285,14 +352,14 @@ |
4342041a | 116 | ; |
46f956a8 JB |
117 | -; - Show all errors except for notices and coding standards warnings |
118 | +; - Show all errors | |
0ced536a | 119 | ; |
917119c9 | 120 | -error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT |
4342041a JB |
121 | +error_reporting = E_ALL |
122 | ||
123 | ; Print out errors (as a part of the output). For production web sites, | |
124 | ; you're strongly encouraged to turn this feature off, and use error logging | |
125 | ; instead (see below). Keeping display_errors enabled on a production web site | |
126 | ; may reveal security information to end users, such as file paths on your Web | |
127 | ; server, your database schema or other information. | |
128 | -display_errors = On | |
129 | +display_errors = Off | |
130 | ||
131 | ; Even when display_errors is on, errors that occur during PHP's startup | |
132 | ; sequence are not displayed. It's strongly recommended to keep | |
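Review bot: The new comment "- Show all errors" above error_reporting = E_ALL is only accurate if E_ALL includes E_STRICT in this PHP version. The removed line masked E_STRICT separately, which suggests it is a distinct level. Confirm the value of E_ALL for php-5.0.1 and, if E_STRICT is not part of it, either reword the comment or write E_ALL | E_STRICT. Separately, display_errors = Off in this hunk depends on log_errors = On for errors to remain visible to the operator. That change only arrives in the separate php-5.0.4 diff at the end of this file, so the two should be carried in the same diff.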
a00e0eb8 | 133 | @@ -447,7 +514,7 @@ |
78b7386f GS |
134 | user_dir = |
135 | ||
136 | ; Directory in which the loadable extensions (modules) reside. | |
a224c566 AG |
137 | -extension_dir = "./" |
138 | +extension_dir = "/usr/lib/php" | |
78b7386f GS |
139 | |
140 | ; Whether or not to enable the dl() function. The dl() function does NOT work | |
141 | ; properly in multithreaded servers, such as IIS or Zeus, and is automatically | |
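Review bot: extension_dir = "/usr/lib/php" hard-codes the module directory inside the patch. Moving away from the relative "./" is the right direction, since a relative value depends on the working directory of whatever starts PHP. But the path should be substituted at package build time from the same variable the extension packages install into, so the two cannot drift apart.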
2f814ad2 ER |
142 | --- php-5.0.4/php.ini~ 2005-06-19 19:19:01.000000000 +0300 |
143 | +++ php-5.0.4/php.ini 2005-06-19 19:19:21.000000000 +0300 | |
144 | @@ -369,7 +369,7 @@ | |
145 | ; Log errors into a log file (server-specific log, stderr, or error_log (below)) | |
146 | ; As stated above, you're strongly advised to use error logging in place of | |
147 | ; error displaying on production web sites. | |
148 | -log_errors = Off | |
149 | +log_errors = On | |
150 | ||
151 | ; Set maximum length of log_errors. In error_log information about the source is | |
152 | ; added. The default is 1024 and 0 allows to not apply any maximum length at all. |
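Review bot: log_errors = On is switched on without choosing a destination. The context comment lists three possibilities (server-specific log, stderr, or error_log), and nothing in this patch sets error_log. Document in the PLD header comment where errors end up for each SAPI, or set error_log explicitly, and keep that file outside anything the web server will serve, since display_errors = Off exists to keep these messages away from remote users. The old side of this diff is php.ini~, an editor backup name. Regenerate it against a .org tree so it matches the naming used by the first diff.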