PHP.ini configuration file

Source: Internet
Author: User


PHP.ini configuration file:

Enables the PHP scripting language engine under Apache. With engine = Off, PHP files are not parsed.

Sets whether the <? code ?> tag is recognized. With short_open_tag = Off, code inside <? ... ?> is not recognized.

asp_tags = Off
Sets whether the <% code %> tag is recognized. With asp_tags = Off, it is not recognized.

precision = 14
Sets the number of digits displayed for floating-point data, including those before the decimal point. Here a total of 14 digits are displayed.

y2k_compliance = Off
Sets whether to turn on Year 2000 adaptation. Enhanced compatibility.

output_buffering = Off
With output buffering turned on, output passes through these stages:
echo, print ---> PHP output_buffering ---> server buffering ---> browser buffering ---> display
With output buffering turned off:
echo, print ---> server buffering ---> browser buffering ---> display
The browser renders data on the page only when the output reaches the browser's output buffer length or when the script ends.


for ($i = 0; $i < 5; $i++) {
    // Print one chunk, push it to the client, then wait a second
    echo $i . '----------';
    flush();
    sleep(1);
}
Note: with output_buffering = Off, the output of the program arrives intermittently.

With output_buffering = Off, that is, with no output buffering, header() calls and cookie settings must come before any echo or print. With buffering in place they can come later, but header() must still be called before the data is flushed to the browser.

Set output_buffering = Off;

for ($i = 0; $i < 5; $i++) {
    echo $i . '----------';
}

// Output has already started, so this header() call fails
header("Content-Type: text/html; charset=utf-8");
Results: ----------1----------2----------3----------4----------Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/test.php:5) in /var/www/html/test.php on line 8

output_handler = "ob_get_length"
The default is null. The value can only be the name of a built-in function; all output of the script is passed to the named function for processing.


zlib.output_compression_level = 5
zlib.output_compression = On sets whether zlib output compression is turned on. Once set, output is compressed into gzip format, and the Accept-Encoding in the request header becomes gzip.
zlib.output_compression_level = 5 sets the compression level.

Same as output_handler.

Forces the output layer to flush its data automatically after each output block. This is equivalent to calling flush() after each echo or print.

This directive lets you control what happens when the unserializer is asked to instantiate an undefined class. For most users this directive is irrelevant, because PHP already outputs a warning in this case if PHP error reporting is set to the right level.

The precision (number of significant digits) used when storing floating-point and double-precision data in serialized format. The default value ensures that no floating-point data is lost when it is decoded.

Sets whether arguments may be forced to pass by reference at the time a function is called. This method is deprecated and will most likely no longer be supported in future versions of PHP/Zend. The encouraged method is to specify in the function definition which parameters are passed by reference.
Passing parameters by reference at call time is not recommended because it affects the cleanliness of the code. If a function's parameter is not declared as a reference, the function can then modify its arguments in an undocumented way. To avoid side effects, it is best to specify in the function declaration that the parameter is passed by reference.


$num = 10;
prinum(&$num);   // call-time pass-by-reference
echo $num;

function prinum($num)
{
    echo $num++;
    echo '<br>';
}
With allow_call_time_pass_reference = On this runs normally;
with allow_call_time_pass_reference = Off it raises an E_DEPRECATED level error.


When enabled, it mainly affects functions for system operations, files, permission settings and the like.
For details, see:

By default, safe mode does a UID comparison check when a file is opened. To relax this to a GID comparison, turn on safe_mode_gid. It selects whether UID (FALSE) or GID (TRUE) is used to check file access.

UID/GID checks are bypassed when files are included from this directory and its subdirectories (the directory must be in include_path or be given with a full path).
The limit is actually a prefix, not a directory name. This means "safe_mode_include_dir = /dir/incl" will allow access to "/dir/include" and "/dir/incls" if they exist. If you want to restrict access to a specified directory, add a slash at the end, for example: "safe_mode_include_dir =

If PHP runs in safe mode, system() and the other program execution functions refuse to start programs that are not in this directory. You must use / as the directory separator, including on Windows.
So if you want to start a program from PHP, you have to put it in this directory.

Setting certain environment variables can be a potential security breach. This directive contains a comma-delimited list of prefixes. In safe mode, the user can only change environment variables whose names begin with the prefixes provided here. By default, users can only set environment variables that begin with PHP_ (for example, PHP_FOO = BAR).
If this directive is empty, PHP will allow the user to modify any environment variable!

This directive contains a comma-delimited list of environment variables that the end user cannot change with putenv(). These variables cannot be changed even when safe_mode_allowed_env_vars is set to allow it.

Environment variables are shown in the Environment section of the phpinfo page, and their values can be read with getenv() in a PHP page.

Restricts the files a user can operate on to a directory.

readfile("/var/www/html/a.txt");
Data is read normally when open_basedir is not set. When open_basedir = /var/www/html/file_upload is set, these errors appear:
Warning: Unknown: open_basedir restriction in effect. File(/var/www/html/test.php) is not within the allowed path(s): (/var/www/html/file_upload) in Unknown on line 0
Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
Fatal error: Unknown: Failed opening required '/var/www/html/test.php' (include_path='.:/usr/share/pear:/usr/share/php') in Unknown on line 0


The directive accepts a comma-delimited list of function names to disable specific functions.

When you set disable_functions = getenv
echo getenv("PATH");
Warning: getenv() has been disabled for security reasons in /var/www/html/test.php on line 2


The directive accepts a comma-delimited list of class names to disable particular classes. Same as disable_functions.

highlight_string() uses these colors, as defined in PHP, to print or return a syntax-highlighted version of PHP code.

Enabling this parameter makes the server ignore termination caused by the user or browser interrupting the request: if you leave the page or close the browser before it finishes loading, the server continues processing and does not treat your side as terminated. This is very useful when updating important personal information or submitting a business transaction.

realpath_cache_ttl = 120
realpath_cache_size specifies the size of the cache used for include() file paths. realpath_cache_ttl is the cache expiration time.

Sets whether PHP information is shown in the HTTP headers. To prevent hackers from getting the PHP version of the server, you can turn this information off in the HTTP header: expose_php = Off

Sets the maximum number of seconds each script may execute. Sometimes a job takes a lot of time, such as sending many emails to a large number of recipients or doing heavy data analysis, and the server forcibly aborts the running program after 30 seconds. You can modify the configuration parameter with the ini_set() function, such as: ini_set("max_execution_time", 1)
Note: the ini_set() function can set many configuration parameters; for details, see

Sets the maximum time each script may spend parsing request data. It can also be set with ini_set().

Sets the maximum nesting depth for an input variable.
When the value of max_input_nesting_level is 0, only /index.php?a=a&b=b is allowed.
When the value of max_input_nesting_level is 1, /index.php?a=a&b=b and /index.php?a[a]=aa&a[b]=ab are allowed.

test.php file
echo '<pre>';
print_r($_GET);
echo '</pre>';
When setting max_input_nesting_level=1, accessing Http://[0][0]=aa&a[1][0]=DD gives:
When setting max_input_nesting_level=2, accessing Http://[0][0]=aa&a[1][0]=DD gives:
[a] => Array
    [0] => Array
        [0] => AA

    [1] => Array
        [0] => DD



The maximum number of bytes of memory that a script can request (K and M can be used as units). This helps prevent poorly written scripts from consuming all the memory on the server. To remove the memory limit, set it to -1. Once the directive has been set, the memory_get_usage() function becomes available.

Sets the error reporting level.

Displays errors in the output. It is commonly used in development, but many applications in production also forget to turn this option off. Displayed errors can expose a lot of sensitive information that helps an attacker's next step. It is recommended to turn this option off. When it is off and an error occurs, the prompt is: server error. However, the error details are not shown.
Note: display_errors=off failure

Sets whether errors are displayed during PHP startup, for example a hand-edited configuration file with syntax errors, or a loaded module with a mismatched version.

error_log = "/var/www/html/php_error_log"
Use it in a production environment and record error messages in the log. The file must be writable by the web server user.

Sets the length of the log message instead of setting the size of the log file.

Sets whether to repeat the same error message in the same row.

Set whether to repeatedly display errors from the same file's peer code

Sets whether to report memory leaks. This parameter only works in PHP compiled in debug mode, and the error_reporting directive must include E_WARNING.

report_zend_debug = On
Not documented.

Sets whether to save the most recent error or warning message in the variable $php_errormsg.

Whether to use HTML tags in the error message.

docref_root = "/phpmanual"
docref_ext = ".html"
If the html_errors directive is turned on, PHP displays a hyperlink in the error message that links directly to a page describing the error or the function that caused it. You can download the PHP manual from and point the docref_root directive to the URL directory where your local manual is located. You must also set the docref_ext directive to specify the file extension (it must contain ".").

error_prepend_string = "<font color=#ff0000>"
The string to output before the error message.

error_append_string = "</font>"
The string to output after the error message.

arg_separator.output = "&"
The delimiter used to separate parameters in URLs generated by PHP.
arg_separator.input = "&;&"
A list of separators used when PHP parses variables from the URL.

variables_order = "EGPCS"
The order in which PHP registers Environment, GET, POST, Cookie and Server variables, denoted by E, G, P, C and S respectively. Registration goes from left to right, and a new value overrides the old one. Setting it to "GP" causes a POST variable to overwrite a GET variable with the same name.

request_order = "GP"
The value of the $_REQUEST superglobal is affected by request_order in php.ini. In the latest PHP 5.3.x series, request_order defaults to GP, which means that in the default configuration $_REQUEST only contains $_GET and $_POST and does not include $_COOKIE. The GLOBALS variable can be submitted via a cookie. This bypasses the global variable defenses in most open source programs.
So change this option to request_order = "CGP"
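
The left-to-right registration described above can be modelled in a few lines. This is an added example, not code from the original page; the function names and the sample GET/POST/cookie values are constructed for illustration, and the model covers only the G, P and C letters.

```python
# Model of how request_order builds $_REQUEST (added illustration;
# function names are hypothetical, not PHP APIs).
SOURCES = {"G": "GET", "P": "POST", "C": "COOKIE"}


def build_request(order, get, post, cookie):
    """Merge inputs left to right; a later source overrides an earlier one.

    Returns (merged, origin), where origin[key] names the source that won.
    """
    inputs = {"G": get, "P": post, "C": cookie}
    merged, origin = {}, {}
    for letter in order.upper():
        if letter not in inputs:
            # E and S are valid in variables_order but are not modelled here.
            continue
        for key, value in inputs[letter].items():
            merged[key] = value
            origin[key] = SOURCES[letter]
    return merged, origin


def cookie_controlled(order, get, post, cookie):
    """Keys of the merged array whose final value came from a cookie."""
    _, origin = build_request(order, get, post, cookie)
    return sorted(key for key, src in origin.items() if src == "COOKIE")


# Constructed sample request: the same key arrives by GET and by cookie.
GET = {"id": "7"}
POST = {"comment": "hello"}
COOKIE = {"id": "999", "theme": "dark"}

if __name__ == "__main__":
    for order in ("GP", "CGP", "GPC"):
        merged, _ = build_request(order, GET, POST, COOKIE)
        print(order, merged, "cookie-controlled:",
              cookie_controlled(order, GET, POST, COOKIE))
```

With "CGP", cookie-only keys reach the merged array but a cookie cannot override a GET or POST parameter of the same name; with "GPC" it can.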

Sets whether the E, G, P, C, S variables are registered as global variables.

Sets whether the old-style long arrays (HTTP_*_VARS) are enabled.

Sets whether to declare the $argv and $argc global variables (containing information from the GET method).

auto_globals_jit = On
The $_SERVER and $_ENV variables are created only when they are used (not automatically when the script starts).
If these two arrays are not used in the script, turning this directive on gains performance.
The register_globals and register_long_arrays directives must be turned off for this directive to take effect.

post_max_size = 8M
Maximum byte length allowed for POST data. This setting also affects file uploads. If the POST data exceeds the limit, $_POST and $_FILES will be empty. To upload large files, the value must be greater than the value of the upload_max_filesize directive. If the memory limit is enabled, the value should be less than the value of the memory_limit directive.

Whether to automatically escape strings (' " \ NULL) in input GET/POST/COOKIE data. This setting automatically affects the values of the $_GET, $_POST and $_COOKIE arrays. If this directive is turned on together with magic_quotes_sybase, only the single quotation mark (') is escaped, to (''), and the other special characters are not escaped, i.e. (" \ NULL) remain intact.

magic_quotes_runtime = Off
Whether to automatically escape strings (' " \ NULL) in data generated from external resources at run time.
If you turn this directive on, most functions that return data from external resources (databases, text files, etc.) will have it escaped.

magic_quotes_sybase = Off
Whether to use Sybase-style automatic string escaping (denoted by '')

auto_prepend_file =
auto_append_file =
Specifies the name of a file that is automatically parsed before/after the main file. An empty value disables the feature.
The file is included as if the include() function had been called, so the value of the include_path directive is used.

default_mimetype = "text/html"
;default_charset = "iso-8859-1"
Automatically outputs "Content-Type: text/html; charset=iso-8859-1".

Whether the $HTTP_RAW_POST_DATA variable is always generated (raw POST data).

include_path = ".:/php/includes"
Specifies a set of directories in which the require(), include() and fopen_with_path() functions look for files.

The "root directory" of PHP. Valid only when not empty.
If safe_mode = On, files outside this directory are rejected.

user_dir =
Tells PHP which directory to look in when opening a script with /~username; only valid when not empty. That is, the base directory name used for PHP files under a user's home directory.

extension_dir = "./"
The directory that holds the extension libraries (modules), that is, the directory PHP searches for dynamically loadable extensions.

Whether to allow the use of the dl() function. The dl() function is only valid if PHP is installed as an Apache module.
Disabling the dl() function is primarily for security reasons, because it bypasses the limits of the open_basedir directive.
The dl() function is always disabled in safe mode, regardless of how it is set here.

Whether to force the "Status: 200" status code to be sent for all requests in CGI mode.

fastcgi.impersonate = Off
FastCGI in IIS supports the ability to impersonate the client's security token. This enables IIS to define the security context of the request the runtime is based on. mod_fastcgi in Apache does not support this feature (03/17/2002). If running in IIS, set to On; the default is

file_uploads = On
Whether to allow HTTP file uploads.

upload_tmp_dir =
The temporary directory where files are stored during upload (must be writable by the user the PHP process runs as).
If not specified, PHP uses the system default temporary directory.

upload_max_filesize = 2M
Maximum size of files allowed to be uploaded.

allow_url_fopen = On
Whether to allow remote files to be opened.

allow_url_include = Off
Whether to allow include/require of remote files.

from = ""
Defines the password for anonymous FTP

user_agent = "PHP"
Indicates that the network is being accessed by a PHP script

The default socket timeout.

auto_detect_line_endings = Off
Whether to let PHP automatically detect the line terminator (EOL).

The default time zone used for all date and time functions when the TZ environment variable is not set.

date.sunrise_zenith =
Default latitude and longitude, sunrise and sunset zenith.

When this configuration is enabled, the filter_input method is automatically used to filter and escape the $_GET, $_POST, $_COOKIE, $_REQUEST and $_SERVER variables.

Sets the flags for the filter. By default, this configuration is set to 'FILTER_FLAG_NO_ENCODE_QUOTES' for backward compatibility. See the full 'flag list'.

sql.safe_mode = Off
Sets whether to use SQL safe mode.
If turned on, database connection functions that specify default values use those defaults instead of the supplied arguments.

mysql.allow_persistent = On
Sets whether persistent connections are allowed

Maximum number of persistent connections; -1 means no limit

mysql.max_links = -1
Maximum number of connections allowed per process (persistent and non-persistent); -1 means unlimited

mysql.default_port =
The port used to connect to MySQL.
If not specified, it is looked up in the following order:
(1) the $MYSQL_TCP_PORT environment variable
(2) the mysql-tcp entry in the /etc/services file (Unix)
(3) the MYSQL_PORT constant specified at compile time

mysql.default_socket =
Default socket name used when connecting to the local MySQL server; the built-in MySQL default is used if not specified

mysql.default_host =
The default host to use when connecting to the MySQL database. Invalid in safe mode

mysql.default_user =
The default user name to use when connecting to the MySQL database. Invalid in safe mode

mysql.default_password =
The default password to use when connecting to the MySQL database. Invalid in safe mode

mysql.connect_timeout = 60
Connection timeout setting

mysqli.reconnect = Off
Sets whether reconnection is allowed

session.save_handler = "files"
The name of the handler that stores and retrieves the data associated with the session. The default is files ("files").
If you want to use a custom handler (such as a database-based one), "user" is available.

session.save_path = "/tmp"
The argument passed to the storage handler. For the files handler, this value is the path where session data files are created.

Controls which method the client uses to save the session ID. When it is "1", session cookies are used (the initial value is 1). The current session ID can be queried with the function mentioned above: echo $_COOKIE["PHPSESSID"]; however, if the client's browser does not support cookies, the query above returns null even when the value of session.use_cookies equals "1".

This option allows administrators to protect users from attacks that pass the session ID in the URL.

The name of the session (used as the cookie name). It is saved in the client's browser cookie.

session.auto_start = 0
Initializes the session at the beginning of the request.

session.cookie_lifetime = 0
The number of seconds the cookie lives; if 0, until the browser restarts.

session.cookie_path = /
Valid path for the cookie

session.cookie_domain =
A valid domain name for the cookie.

If the HttpOnly flag is added to the cookie, the cookie cannot be accessed by browser scripting languages (for example JavaScript).

session.serialize_handler = php
The handler used to serialize the data. php is the standard PHP serializer.

session.gc_probability = 1
session.gc_divisor = 100
Defines the probability that the garbage collection process starts at each session initialization. The probability is gc_probability/gc_divisor; for example, 1/100 means there is a 1% chance of starting the 'garbage collection' process on each request.

session.gc_maxlifetime = 1400
After this number of seconds, stored data is considered 'junk' and is cleaned up by the garbage collection process.

session.bug_compat_42 =
PHP 4.2 and earlier versions have an undocumented feature/bug that lets you initialize a session variable in the global scope even though register_globals has been turned off. If this feature is used, PHP 4.3 and earlier versions will warn you. You can turn this feature off and isolate the warning. At this time, if you open bug_compat_42, then this warning is only shown

session.referer_check =
Checks the HTTP Referer to prevent external URLs carrying session IDs. HTTP_REFERER must contain this substring for the session to be considered valid.

session.entropy_length = 0
How many bytes are read from this file.

session.entropy_file =
Specified here to create the session ID.

session.cache_limiter = nocache
Set to {nocache, private, public,} to determine the HTTP caching behavior; leaving it blank prevents the anti-caching headers from being sent.

session.cache_expire = 180
The document expires after 180 minutes.

session.hash_function = 0
Selects the hash method: 0 means MD5, 1 means SHA-1

session.hash_bits_per_character = 5
When converting the binary hash data into readable form, how many bits are stored in each character.
4 bits: 0-9, a-f
5 bits: 0-9, a-v
6 bits: 0-9, a-z, A-Z, "-", ","

Sets whether assert(expr) evaluation is turned on.

assert.warning = On
Issues a PHP warning for each failed assertion.

assert.bail = Off
Is confidential

assert.callback = 0
If the assertion fails, the user-defined function is called.

assert.quiet_eval = 0
Uses the current error_reporting() setting when evaluating the assertion expression. If you want error_reporting(0) around the eval(), set this to true.

com.typelib_file =
The path to the file that contains the GUIDs, IIDs or file names of TypeLibs

com.allow_dcom = True
Allows Distributed COM calls

com.autoregister_typelib = True
Automatically registers constants of a component's typelib in the com_load() function

com.autoregister_casesensitive = False
Whether constants are registered case-sensitively

com.autoregister_verbose = True
Displays warnings when duplicate constants are registered

mbstring.language = Japanese
The language used for the internal character representation.

mbstring.internal_encoding = EUC-JP
Some encodings cannot be used as internal encodings.

mbstring.http_input = auto
HTTP input encoding.

mbstring.encoding_translation = Off
Turns on automatic conversion of input to the encoding set by mbstring.internal_encoding. When set to On, input characters are converted to the internal encoding.

mbstring.detect_order = auto
Automatic encoding detection order

mbstring.substitute_character = none;
The substitute character used when a character cannot be converted from one encoding to another

gd.jpeg_ignore_warning = 0
Tells the JPEG decoder to ignore libjpeg warnings and try to create a GD image. Such warnings are displayed as notices

soap.wsdl_cache_dir = "/tmp"
Sets the directory where the SOAP extension keeps its cache files.

Sets the number of seconds for which a cached file is used in place of the original file.
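
A small audit script for the security-relevant directives described on this page: version disclosure (expose_php), error display and logging, remote include, dl(), open_basedir, and the prefix behaviour of safe_mode_include_dir. It is an added example, not part of the original page; the rule list, function names and both sample configurations are constructed here, and treating an unset directive as a finding is this example's own policy.

```python
# Added illustration: audit php.ini text for the settings this page flags.
TRUE_VALUES = {"1", "on", "true", "yes"}
# (directive, wanted state, finding reported when the state differs)
BOOL_RULES = [
    ("expose_php", False, "PHP version is disclosed in HTTP headers"),
    ("display_errors", False, "error output exposes sensitive information"),
    ("log_errors", True, "errors are not recorded in a log"),
    ("allow_url_include", False, "include/require of remote files is allowed"),
    ("enable_dl", False, "dl() bypasses the open_basedir limits"),
]

def _clean(value):
    """Strip quotes, or an inline ';' comment from an unquoted value."""
    value = value.strip()
    if value[:1] in ('"', "'"):
        end = value.find(value[0], 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split(";", 1)[0].strip()

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = _clean(value)
    return settings

def audit(text):
    """Return a list of (directive, finding); empty when every rule passes."""
    cfg = parse_ini(text)
    findings = []
    for name, want_on, reason in BOOL_RULES:
        if name not in cfg:
            findings.append((name, "not set explicitly"))
        elif (cfg[name].lower() in TRUE_VALUES) != want_on:
            findings.append((name, reason))
    if not cfg.get("open_basedir"):
        findings.append(("open_basedir", "file access is not restricted to a directory"))
    # Assumption: a Unix-style ':' separated list of entries.
    for entry in filter(None, cfg.get("safe_mode_include_dir", "").split(":")):
        if not entry.endswith("/"):
            findings.append(("safe_mode_include_dir",
                             "'%s' is matched as a prefix; add a trailing slash" % entry))
    return findings

# Constructed sample configurations (not taken from any real server).
WEAK_INI = """\
expose_php = On
display_errors = On
log_errors = Off
allow_url_include = On
enable_dl = On
open_basedir =
safe_mode_include_dir = /dir/incl
"""
HARDENED_INI = """\
expose_php = Off
display_errors = Off   ; production
log_errors = On
allow_url_include = Off
enable_dl = Off
open_basedir = "/var/www/html/"
safe_mode_include_dir = /dir/incl/
"""

if __name__ == "__main__":
    for directive, finding in audit(WEAK_INI):
        print("%-22s %s" % (directive, finding))
    print("hardened findings:", audit(HARDENED_INI))
```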
