PHP Initialization and Configuration

NYPHP - PHundamentals

The settings in php.ini control various aspects of PHP’s behavior. The default settings are not always optimal for a production environment. Here we present NYPHP’s recommendations for setting key initialization parameters.

Essential Settings

  1. Always set register_globals to off. Setting it to on may make it easier to pass variables from one script to another, but it opens unacceptable security vulnerabilities. Zend’s rationale for turning this value off by default is here.
  2. Always set magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase to off. See the PHundamentals article on storing and retrieving/displaying data for further information on managing these complex settings.
  3. Always set log_errors to on, and set error_log to an appropriate path if the default is not suitable.
  4. Set any necessary extensions to be loaded automatically.

Convenience Settings

Set these file settings to appropriate values if for some reason the defaults are not acceptable:

  1. include_path: PHP will look for files here when you use the require, include, require_once or include_once directives.
  2. extension_dir
  3. upload_tmp_dir: Probably should be changed in a shared server environment.
  4. sendmail_from
  5. session.save_path: Probably should be changed in a shared server environment.
  6. auto_prepend_file: PHP will run this file before it runs your script.
  7. auto_append_file: PHP will run this file after it runs your script.

Set these execution settings to appropriate values:

  1. upload_max_filesize (which defaults to 2M) if you expect large file uploads (for example, graphics files)
  2. max_execution_time (which defaults to 30 seconds), usually smaller unless you are doing heavy calculations

Settings for Development Environments

  1. Set memory_limit (which defaults to 8M) to a large enough value to avoid any potential problem.
  2. Set display_errors and track_errors to on. Set error_reporting to E_ALL & ~E_NOTICE. These settings facilitate debugging, and should be set to off in a production environment.
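
As an added example (not NYPHP's code), the script below compares the running configuration with the on/off recommendations above, treating the development-only settings as off for production. The function names ini_enabled() and audit_ini() are made up for this example.

```php
<?php
// Added example: directive => whether the page wants it enabled in production.
$recommended = [
    'register_globals'     => false,
    'magic_quotes_gpc'     => false,
    'magic_quotes_runtime' => false,
    'magic_quotes_sybase'  => false,
    'log_errors'           => true,
    'display_errors'       => false, // development-only per the page
    'track_errors'         => false, // development-only per the page
];

// Normalise an ini_get() result; null means this PHP build has no such directive.
function ini_enabled($raw): ?bool
{
    if ($raw === false) {
        return null;
    }
    // php.ini "On" arrives as "1"; php_flag/ini_set may leave "on", "yes" or "true".
    // display_errors also accepts "stderr", which still outputs errors.
    $v = strtolower(trim((string) $raw));
    return in_array($v, ['on', 'yes', 'true', 'stderr'], true) || (int) $v !== 0;
}

// Returns one human-readable finding per mismatch; an empty array means all match.
function audit_ini(array $recommended, ?callable $get = null): array
{
    $get = $get ?? 'ini_get';
    $findings = [];
    foreach ($recommended as $name => $wantOn) {
        $isOn = ini_enabled($get($name));
        if ($isOn === null) {
            continue; // directive removed in this PHP version, nothing to misconfigure
        }
        if ($isOn !== $wantOn) {
            $findings[] = sprintf('%s is %s, recommended %s',
                $name, $isOn ? 'on' : 'off', $wantOn ? 'on' : 'off');
        }
    }
    return $findings;
}

foreach (audit_ini($recommended) as $finding) {
    echo 'php.ini audit: ', $finding, PHP_EOL;
}
```

Run it through the same server API as the application (a page request rather than the command line), because the command-line binary may load a different php.ini.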

How to Modify Settings

When You Control the Server

  1. The simplest solution is to modify php.ini, changing appropriate settings to on or off, and enabling extensions by removing the semi-colon ; which comments them out. One problem with this solution is that this makes these settings global to the server, whereas it might be more appropriate to have different settings for different applications.
  2. If so, an alternate solution is to modify Apache’s httpd.conf. You may do this using the <VirtualHost> directive to point the modifications to a specific application, or you may use the <Directory> or <Files> directives to limit them to a specific directory or files. In order to use these directives, you must run Apache with DEFINE EV (that is, define environment) set. The command line for this would be /usr/bin/httpd -DEV (or whatever the path to httpd is). Then a sample httpd.conf entry would be as follows:
    # make sure that you're running with -DEV
    <IfDefine EV>
      # point modifications at a virtual host or a directory or specific files
      <VirtualHost *>
        ServerAdmin foo at
        DocumentRoot "/var/dev/www"
        ServerName dev
        # PHP stuff goes here
        php_value auto_append_file "/var/dev/"
        # PHP constants such as E_ALL have no meaning in httpd.conf;
        # use the integer bitmask instead (2147483647 sets every bit)
        php_value error_reporting 2147483647
        # end of PHP stuff
      </VirtualHost>
    </IfDefine>

When You Don’t Control the Server

First use the phpinfo() function on the server to determine exactly how PHP is configured there; and then decide which values you will need to reset. NYPHP members recommend a variety of techniques to accomplish the actual resetting. Among them are the following:

  1. You can use a local php.ini when running PHP as a cli or cgi binary by using the -c switch upon invocation. More information is here. A sample local php.ini would be as follows:
    include_path = .:/path/to/global/includes:/path/to/local/includes
    register_globals = 0
    error_reporting = E_ALL
    display_errors = 1
  2. Or you can use the ini_set() function. More information is here. Notice that some directives can’t be set at all with ini_set(), and that these settings are valid only while the script in which they were set is running (so it will need to be called repeatedly for changes to be valid during a whole session). Further, using this function may affect the loading and running of PHP, so it should be used with extreme care.
  3. Or you can use an .htaccess file. This is exactly the same as modifying httpd.conf with the <Directory> directive; therefore, everything in .htaccess applies to both the directory the file is in and all directories below it. Note also that not all servers allow setting PHP values in .htaccess files. A sample .htaccess would be as follows:
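    php_value include_path .:/path/to/global/includes:/path/to/local/includes
    # boolean directives are set with php_flag, not php_value
    php_flag register_globals off
    # PHP constants such as E_ALL are not available here; use the integer bitmask
    php_value error_reporting 2147483647
    php_flag display_errors on
    php_value auto_prepend_file path/to/my/functions/library/masterfile.php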
  4. Finally, you can use a text file in parse_ini_file format, which can then be inserted into a script like this:
    $cfg = parse_ini_file('/path/to/config.conf');
    foreach ($cfg as $key => $value) {
        ini_set($key, $value); // apply each directive from the file to the running script
    }
    More information is here.
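
Because some directives cannot be set with ini_set() at all, a loop like the one in item 4 can fail without any sign of it. The following added example (not NYPHP's code) applies only allow-listed directives and records the ones ini_set() refuses; apply_overrides() and the sample file contents are constructed for illustration.

```php
<?php
// Added example: apply overrides from a parse_ini_file-format file, but only
// for allow-listed directives, and report what ini_set() could not change.
function apply_overrides(string $file, array $allowed): array
{
    $result = ['applied' => [], 'skipped' => [], 'failed' => []];

    // The default scanner mode resolves constants such as E_ALL to their values.
    $cfg = parse_ini_file($file);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse $file");
    }

    foreach ($cfg as $key => $value) {
        if (!in_array($key, $allowed, true) || !is_scalar($value)) {
            $result['skipped'][] = $key;   // not on the allow-list, or not a plain value
        } elseif (ini_set($key, (string) $value) === false) {
            // Only false means failure; a previous value of "" or "0" is success.
            $result['failed'][] = $key;
        } else {
            $result['applied'][] = $key;
        }
    }
    return $result;
}

// Constructed sample file: a directive that can be changed at run time, a
// PHP_INI_PERDIR directive that ini_set() cannot change, and a key that is
// deliberately left off the allow-list.
$file = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents(
    $file,
    "error_reporting = E_ALL\nupload_max_filesize = 20M\nmemory_limit = -1\n"
);

print_r(apply_overrides($file, ['error_reporting', 'upload_max_filesize']));
unlink($file);
```

Directives that end up under failed have to be set in php.ini, httpd.conf or .htaccess instead.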

For further information:
A list of which php.ini settings can be overridden by the user is here.
Information on using Apache’s httpd.conf is here.
PHP.NET’s own recommended php.ini is here.

Contributors to this article include the following:
Mark Armendariz
Jon Baer
Jeff Barrett
Daniel Convissor
John Corry
John Lacey
Alan T. Miller
David Mintz
Brian Pang
Chris Shiflett
Felix Zaslavskiy
Hans Zaunere
Nasir Zubair
and the PHundamentals team: Jeff Siegel and Mike Southwell