Commit | Line | Data |
---|---|---|
02fef579 | 1 | diff -burN php-5.0.0b3/php.ini-dist php-5.0.0b3-php.ini/php.ini-dist |
2 | --- php-5.0.0b3/php.ini-dist 2003-12-18 03:06:00.000000000 +0100 | |
3 | +++ php-5.0.0b3-php.ini/php.ini 2003-12-27 00:29:41.000000000 +0100 | |
4 | @@ -3,13 +3,18 @@ | |
4342041a JB |
5 | ;;;;;;;;;;; |
6 | ; WARNING ; | |
7 | ;;;;;;;;;;; | |
8 | -; This is the default settings file for new PHP installations. | |
9 | -; By default, PHP installs itself with a configuration suitable for | |
10 | -; development purposes, and *NOT* for production purposes. | |
11 | -; For several security-oriented considerations that should be taken | |
12 | -; before going online with your site, please consult php.ini-recommended | |
13 | -; and http://php.net/manual/en/security.php. | |
02fef579 | 14 | - |
4342041a JB |
15 | +; This is the default settings file for new PHP installations from |
16 | +; PLD Linux Distribution. | |
17 | +; It's based mainly on php.ini-dist, but with some changes made with | |
18 | +; security in mind (see below, consult also | |
19 | +; http://php.net/manual/en/security.php). | |
20 | +; | |
02fef579 | 21 | +; Please note, that in PLD installations /etc/php/php.ini file |
22 | +; contains global settings for all SAPIs (cgi, cli, apache...), | |
4342041a JB |
23 | +; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini, |
24 | +; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED | |
02fef579 | 25 | +; (so you don't have to duplicate whole large file to override only |
26 | +; few options) | |
4342041a JB |
27 | |
28 | ;;;;;;;;;;;;;;;;;;; | |
02fef579 | 29 | ; About this file ; |
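Review bot: The file header just above this hunk is inconsistent: the diff line compares php-5.0.0b3-php.ini/php.ini-dist, but the +++ line names php-5.0.0b3-php.ini/php.ini, so which file gets patched depends on how the patch tool resolves the two names. Regenerate the patch so that both lines name php.ini-dist. In the added comment, "Please note, that" should read "Please note that", and "to override only few options" should read "to override only a few options".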
30 | @@ -54,10 +59,69 @@ | |
4342041a JB |
31 | ; If you use constants in your value, and these constants belong to a |
32 | ; dynamically loaded extension (either a PHP extension or a Zend extension), | |
33 | ; you may only use these constants *after* the line that loads the extension. | |
34 | -; | |
35 | -; All the values in the php.ini-dist file correspond to the builtin | |
36 | -; defaults (that is, if no php.ini is used, or if you delete these lines, | |
37 | -; the builtin defaults will be identical). | |
02fef579 | 38 | + |
39 | + | |
4342041a JB |
40 | +; Below is the list of settings changed from default as specified in |
41 | +; php.ini-recommended. These settings make PHP more secure and encourage | |
42 | +; cleaner coding. | |
43 | +; The price is that with these settings, PHP may be incompatible with some old | |
44 | +; or bad-written applications, and sometimes, more difficult to develop with. | |
45 | +; Using this settings is warmly recommended for production sites. As all of | |
46 | +; the changes from the standard settings are thoroughly documented, you can | |
47 | +; go over each one, and decide whether you want to use it or not. | |
48 | +; | |
49 | +; - register_globals = Off [Security, Performance] | |
50 | +; Global variables are no longer registered for input data (POST, GET, cookies, | |
51 | +; environment and other server variables). Instead of using $foo, you must use | |
52 | +; you can use $_REQUEST["foo"] (includes any variable that arrives through the | |
53 | +; request, namely, POST, GET and cookie variables), or use one of the specific | |
54 | +; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending | |
55 | +; on where the input originates. Also, you can look at the | |
56 | +; import_request_variables() function. | |
57 | +; Note that register_globals = Off is the default setting since PHP 4.2.0. | |
58 | +; - display_errors = Off [Security] | |
59 | +; With this directive set to off, errors that occur during the execution of | |
60 | +; scripts will no longer be displayed as a part of the script output, and thus, | |
61 | +; will no longer be exposed to remote users. With some errors, the error message | |
62 | +; content may expose information about your script, web server, or database | |
63 | +; server that may be exploitable for hacking. Production sites should have this | |
64 | +; directive set to off. | |
65 | +; - log_errors = On [Security] | |
66 | +; This directive complements the above one. Any errors that occur during the | |
67 | +; execution of your script will be logged (typically, to your server's error log, | |
68 | +; but can be configured in several ways). Along with setting display_errors to off, | |
69 | +; this setup gives you the ability to fully understand what may have gone wrong, | |
70 | +; without exposing any sensitive information to remote users. | |
71 | +; - error_reporting = E_ALL [Code Cleanliness, Security(?)] | |
72 | +; By default, PHP surpresses errors of type E_NOTICE. These error messages | |
73 | +; are emitted for non-critical errors, but that could be a symptom of a bigger | |
74 | +; problem. Most notably, this will cause error messages about the use | |
75 | +; of uninitialized variables to be displayed. | |
76 | + | |
77 | +; For completeness, below is list of the rest of changes recommended for | |
78 | +; performance, but NOT applied in default php.ini in PLD (since they are | |
79 | +; not needed for security or may cause problems with some applications | |
80 | +; more likely than above). | |
81 | + | |
82 | +; - output_buffering = 4096 [Performance] | |
83 | +; Set a 4KB output buffer. Enabling output buffering typically results in less | |
84 | +; writes, and sometimes less packets sent on the wire, which can often lead to | |
85 | +; better performance. The gain this directive actually yields greatly depends | |
86 | +; on which Web server you're working with, and what kind of scripts you're using. | |
87 | +; - register_argc_argv = Off [Performance] | |
88 | +; Disables registration of the somewhat redundant $argv and $argc global | |
89 | +; variables. | |
90 | +; - magic_quotes_gpc = Off [Performance] | |
91 | +; Input data is no longer escaped with slashes so that it can be sent into | |
92 | +; SQL databases without further manipulation. Instead, you should use the | |
93 | +; function addslashes() on each input element you wish to send to a database. | |
94 | +; - variables_order = "GPCS" [Performance] | |
95 | +; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access | |
96 | +; environment variables, you can use getenv() instead. | |
97 | +; - allow_call_time_pass_reference = Off [Code cleanliness] | |
98 | +; It's not possible to decide to force a variable to be passed by reference | |
99 | +; when calling a function. The PHP 4 style to do this is by making the | |
100 | +; function require the relevant argument by reference. | |
02fef579 | 101 | |
102 | ||
4342041a JB |
103 | ;;;;;;;;;;;;;;;;;;;; |
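Review bot: In the added magic_quotes_gpc entry, the advice to call addslashes() on each input element is not a safe substitute for proper escaping; point readers at the database extension's own escaping function instead. The register_globals entry carries a duplicated phrase ("you must use you can use $_REQUEST["foo"]"), and "surpresses", "bad-written" and "Using this settings" should read "suppresses", "badly written" and "Using these settings".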
104 | @@ -79,7 +143,7 @@ | |
9fab2fdf JK |
105 | asp_tags = Off |
106 | ||
107 | ; The number of significant digits displayed in floating point numbers. | |
cc1337ae JK |
108 | -precision = 12 |
109 | +precision = 14 | |
9fab2fdf JK |
110 | |
111 | ; Enforce year 2000 compliance (will cause problems with non-compliant browsers) | |
4342041a | 112 | y2k_compliance = On |
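Review bot: The precision change from 12 to 14 is not mentioned in the "list of settings changed from default" that this patch adds to the file header, so someone comparing the result against php.ini-dist will not find it documented. Either add a short entry for it there or drop it from this patch if it is not needed.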
02fef579 | 113 | @@ -270,14 +334,14 @@ |
4342041a | 114 | ; |
02fef579 | 115 | ; - Show all errors except for notices and coding standards warnings |
4342041a | 116 | ; |
02fef579 | 117 | -error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT |
4342041a JB |
118 | +error_reporting = E_ALL |
119 | ||
120 | ; Print out errors (as a part of the output). For production web sites, | |
121 | ; you're strongly encouraged to turn this feature off, and use error logging | |
122 | ; instead (see below). Keeping display_errors enabled on a production web site | |
123 | ; may reveal security information to end users, such as file paths on your Web | |
124 | ; server, your database schema or other information. | |
125 | -display_errors = On | |
126 | +display_errors = Off | |
127 | ||
128 | ; Even when display_errors is on, errors that occur during PHP's startup | |
129 | ; sequence are not displayed. It's strongly recommended to keep | |
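Review bot: The context comment directly above the changed line still reads "- Show all errors except for notices and coding standards warnings", which no longer describes error_reporting = E_ALL; the header text added by this patch says E_ALL is chosen so that E_NOTICE messages are reported. Update that comment in the same hunk. With display_errors = Off these messages are only visible if log_errors is On, so check that the log_errors line is changed elsewhere in the patch; it is not in the hunks shown here.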
02fef579 | 130 | @@ -435,7 +499,7 @@ |
78b7386f GS |
131 | user_dir = |
132 | ||
133 | ; Directory in which the loadable extensions (modules) reside. | |
a224c566 AG |
134 | -extension_dir = "./" |
135 | +extension_dir = "/usr/lib/php" | |
78b7386f GS |
136 | |
137 | ; Whether or not to enable the dl() function. The dl() function does NOT work | |
138 | ; properly in multithreaded servers, such as IIS or Zeus, and is automatically |
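Review bot: extension_dir is hard-coded to "/usr/lib/php", which will be wrong on any build where extensions are installed under a different library directory; consider substituting the path at package build time instead of fixing it in the patch. Moving away from the relative "./" is a sound change, since a relative directory makes module loading depend on the working directory, and it deserves an entry in the list of changed settings added earlier in this patch.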