PHP is an interpreted language whose behaviour is controlled by a large number of configuration directives, covering both the core of the language and its extensions.
Each directive has a “changeable mode” that defines where and when it can be modified. For example, some can only be set in the configuration file managed by the server administrator, for security reasons, while others can be changed by the programmer within the application itself.
The changeable modes of the directives are:
PHP_INI_USER - can be changed with ini_set, in a .user.ini file, or in the Windows registry.
PHP_INI_PERDIR - can be changed in php.ini, .htaccess, httpd.conf or .user.ini.
PHP_INI_SYSTEM - can be changed in php.ini or httpd.conf.
PHP_INI_ALL - can be changed anywhere.
Note: some directives had one changeable mode up to a certain version of PHP and switched to another mode in a later version. This information is shown in the list of directives in the language documentation.
1.0 Configuration files (php.ini)
The default settings are defined in PHP's “ini” files, which use a simple key/value syntax. They are loaded as soon as a script starts running, but the values can be cached and re-read periodically for performance.
The file name may vary according to the SAPI in use. For example, the default file is php.ini, but when running the CLI SAPI (PHP commands in the terminal) the file php-cli.ini is looked for first, and if it is not found the default file is used.
These files live in the server's configuration directory (on Linux usually “/etc/”, although this location may be changed when PHP is compiled, or by other, less common, means). Usually only the server administrator can change these files, for security reasons. This is especially useful on hosting servers, where scripts from one domain must not interfere with another.
2.0 Settings by Programmer
There are basically three ways for a programmer to override PHP's settings: through ini_set (at runtime), through .htaccess (when using Apache), or through a .user.ini file (an alternative introduced in PHP 5.3). Note that in these cases the behaviour is modified for a specific script or set of scripts, not for all PHP files as with php.ini.
2.1 Using ini_set
With ini_set, simply pass two parameters: the first is the directive name and the second is the value to apply to it (as a string). To read the current value of a directive there is the function ini_get (pass only the directive name). To get the values of all directives, or of all directives of one extension, there is ini_get_all. And to return a directive to its initial value (the one in effect when the script started), use ini_restore with the name of the directive to restore. Example:
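The following script, added here and not part of the original article, walks through ini_get, ini_set, ini_get_all and ini_restore, and also shows what happens when a script tries to change a directive whose mode does not allow runtime changes. It assumes the CLI SAPI, where memory_limit is PHP_INI_ALL and has not been locked by the administrator with php_admin_value.

```php
<?php
// Added example (not from the original article): change a directive at
// runtime and restore it. Assumes the CLI SAPI, where memory_limit is
// PHP_INI_ALL and has not been locked with php_admin_value.

$before = ini_get('memory_limit');          // false only if the directive is unknown
printf("memory_limit at startup: %s\n", $before);

// ini_set() returns the previous value on success and false on failure
// (unknown directive, or one whose changeable mode forbids runtime changes).
$old = ini_set('memory_limit', '64M');
if ($old === false) {
    fwrite(STDERR, "memory_limit could not be changed at runtime\n");
} else {
    printf("memory_limit now %s (was %s)\n", ini_get('memory_limit'), $old);
}

// expose_php is PHP_INI_SYSTEM (php.ini or httpd.conf only), so a script
// cannot override it: ini_set() returns false and the value is untouched.
$result = ini_set('expose_php', '0');
printf("ini_set('expose_php'): %s\n", $result === false ? 'refused' : 'accepted');

// ini_get_all() lists every directive with global_value (from the ini files),
// local_value (in effect now) and access (bitmask of the PHP_INI_* modes).
foreach (ini_get_all() as $name => $info) {
    if ($info['local_value'] !== $info['global_value']) {
        printf("%-24s overridden: %s -> %s\n", $name, $info['global_value'], $info['local_value']);
    }
}

// ini_restore() returns the directive to the value it had when the script started.
ini_restore('memory_limit');
printf("memory_limit after restore: %s\n", ini_get('memory_limit'));
```

Always test the return value of ini_set: a false result is how a script learns that the administrator's configuration, not the application, has the final say on that directive.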
2.2 Using .htaccess
Using a .htaccess file on Apache servers is only possible when PHP runs as an Apache module. Apache must be configured to accept this type of file in the application directory. A directive can then be set with one of two syntaxes: one for non-boolean values and another for boolean values (which take “on” or “off”), as in these examples:
php_value memory_limit 128M
php_flag display_errors off
Note: in httpd.conf, directives can also be set with php_admin_value and php_admin_flag. This is useful for applying different settings to different directories (or different virtual hosts).
2.3 Using .user.ini
Using a .user.ini file is an alternative to .htaccess, and was added to PHP in version 5.3. For now it can only be used with the CGI or FastCGI SAPIs. The syntax used in these files is identical to that of php.ini.
The file name used for this type of configuration (“.user.ini”) can be changed in php.ini through the user_ini.filename directive. This is typically needed when the application already uses that name for another purpose.
Note: it is recommended to block web access to this file, as is usually done for .htaccess, so that it cannot be read by any user visiting the site.
3.0 Settings useful to know
- display_errors and display_startup_errors - Indicate whether errors are displayed or suppressed (normally “on” in the development environment and “off” in the production environment).
- log_errors - Indicates whether errors are written to a log file (usually “off” when display_errors is “on”, and vice versa).
- report_memleaks - Indicates whether memory leaks should be shown/logged (usually “on”).
- memory_limit - the maximum amount of memory a script may use during execution. Normally a simple script needs no more than 10M, but some require much more. The directive must be set to a value appropriate for the application as a whole, and raised only for tools that require more memory. To evaluate memory usage, see the functions memory_get_peak_usage and memory_get_usage.
- max_execution_time - Sets the maximum time a script may run before PHP aborts it automatically (usually “30”, but it can be set to higher values for heavier tools).
- precision - Sets the precision used when displaying floating-point (real) numbers (usually 14).
- date.timezone - Sets the default timezone of the application (e.g. “America/Sao_Paulo”).
- default_mimetype - Sets the MIME type of output generated by PHP when no explicit header(‘Content-type: …’) call is made (e.g. “text/html” or “application/xhtml+xml”).
- default_charset - Sets the default charset of output generated by PHP when no explicit header(‘Content-type: …; charset=…’) call is made.
- short_open_tag - Defines whether the application accepts the abbreviated PHP tags “<?” and “?>” (“on” is recommended only in closed applications where portability is not important).
- asp_tags - Defines whether the application accepts the ASP-style PHP tags “<%” and “%>” (“on” is recommended only in closed applications where portability is not important).
- register_globals - Defines whether the application creates global variables from EGPCS data (Environment, GET, POST, Cookie, Server). “off” is strongly recommended: this is a deprecated feature that makes the application more prone to security breaches.
- magic_quotes_runtime and magic_quotes_gpc - Define whether addslashes is automatically applied to submitted data. “off” is strongly recommended: this is a deprecated feature that also carries a performance cost.
- arg_separator.output - Separator used by the standard PHP functions that build URLs. “&amp;” is recommended, especially for XHTML applications.
- session.auto_start - Starts a session automatically on every request (usually “off”).
- session.use_trans_sid - Indicates whether sessions may use the “transparent SID” mechanism to carry the session ID in URLs (data passed by GET); “off” is strongly recommended for security reasons.
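The script below is an added example, not part of the original article: it reads the security-relevant directives from the list above with ini_get, normalises PHP's boolean spellings, and reports every value that differs from what a production server should use. It assumes a current PHP release, where directives that have since been removed from the language (register_globals, magic_quotes_*, asp_tags) make ini_get return false; the audit treats those as “not enabled” rather than as findings.

```php
<?php
// Added example (not from the original article): audit the directives from
// the list above against production values and report mismatches. Assumes a
// PHP where removed directives (register_globals, magic_quotes_*, asp_tags)
// make ini_get() return false, which the audit treats as "not enabled".

// Normalise PHP's boolean spellings (on/off, yes/no, true/false, 1/0, "").
// Returns null when the directive is unknown to this build.
function ini_bool(string $directive): ?bool
{
    $v = ini_get($directive);
    if ($v === false) {
        return null;
    }
    $v = strtolower(trim((string) $v));
    return !in_array($v, ['', '0', 'off', 'false', 'no', 'none'], true);
}

// Rules: directive => [expected value, why it matters in production].
const PRODUCTION_RULES = [
    'display_errors'         => [false, 'error text (paths, queries) is shown to visitors'],
    'display_startup_errors' => [false, 'same, for errors raised before the script runs'],
    'log_errors'             => [true,  'errors must still be recorded somewhere'],
    'register_globals'       => [false, 'deprecated; request data becomes global variables'],
    'magic_quotes_gpc'       => [false, 'deprecated; gives a false sense of escaping'],
    'magic_quotes_runtime'   => [false, 'deprecated; slows every read of external data'],
    'asp_tags'               => [false, 'non-portable; keep the standard <?php tags only'],
    'session.auto_start'     => [false, 'creates a session cookie on every request'],
    'session.use_trans_sid'  => [false, 'session ids in URLs leak via referrers and logs'],
];

// Returns one line per directive whose value differs from the rule.
function audit_ini(array $rules): array
{
    $findings = [];
    foreach ($rules as $directive => [$expected, $why]) {
        $actual = ini_bool($directive);
        if ($actual === null) {
            continue;                     // removed in this PHP version: nothing to fix
        }
        if ($actual !== $expected) {
            $findings[] = sprintf('%s is %s (expected %s): %s', $directive,
                $actual ? 'on' : 'off', $expected ? 'on' : 'off', $why);
        }
    }
    return $findings;
}

$findings = audit_ini(PRODUCTION_RULES);
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : "ini audit: no findings\n";
exit($findings ? 1 : 0);
```

Run it through the same SAPI the application uses (for example from a web request under Apache or FastCGI), because the CLI SAPI applies its own defaults such as display_errors=1 and would report findings that do not apply to the web server.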