PHPMatters Help You Better Hosting Your PHP-based Sites
What Is PHP.INI & How about the Parameters?

In our previous post, we introduced PHP $_POST. This time we introduce PHP.INI and some of its core parameters.

Experienced webmasters with advanced PHP knowledge can change the PHP settings to give their websites better performance and more powerful functions. PHP.INI is the special file used to achieve this.

What is PHP.INI

Before learning PHP.INI, let's get a basic understanding of INI. INI is the abbreviation of the word "initial". It is a file name extension used by operating systems and particular programs. As the word "initial" implies, INI files are mainly used for the initialization and parameter configuration of operating systems and programs. Now that we know what INI is, PHP.INI is easier to understand.

PHP.INI is the configuration file for PHP. By editing it, you can change specific settings for your account. Sometimes the file already exists in your account and sometimes it does not. In the latter case, you can ask your hosting company for the php.ini file, or create a new text file yourself and name it php.ini.

The Core Parameters

Plenty of parameters are involved in the configuration of PHP.INI, such as register_globals, magic_quotes_gpc, safe_mode, etc. Here are 8 core parameters in php.ini that you may need when configuring your PHP setup.

The 1st parameter
The 1st parameter is register_globals, which affects the way submitted parameters are passed to PHP. It can be either On or Off. When register_globals = On, the contents of the $_REQUEST variables are registered as global variables, which means no code is required to inject variables and values into a program. This is a serious security problem for the administrator. When register_globals = Off, scripts have to read the values from specific arrays, which greatly increases the security level of the account. Therefore, we strongly suggest setting register_globals to Off.

The 2nd parameter
The 2nd one is safe_mode, a crucial security setting built into PHP. It restricts some functions such as system() and limits access to some core files such as password files. It defaults to Off, so you should enable it manually.

The 3rd parameter
The 3rd setting is magic_quotes_gpc. This directive affects HTTP request data, including GET, POST and COOKIE data. If it is Off, four characters (single quote, double quote, backslash and NULL) reach PHP unescaped, which can cause a serious security problem on the server by leaving it open to illegally injected input. If it is On, those four characters in GET, POST and COOKIE data are escaped with backslashes, which is good for PHP security. So setting magic_quotes_gpc to On is recommended.

The 4th parameter
The 4th one is display_errors. This directive determines whether error messages are sent to the browser. Note that error messages contain information about your web application environment and should be sent only to trusted sources. Otherwise, your sensitive information may become visible to hackers. So display_errors should be disabled.

The 5th parameter
The 5th parameter is open_basedir. By configuring this setting, you can set which locations PHP scripts are allowed to access, which can prevent the user's home directory from being accessed.

The 6th parameter
The 6th parameter is disable_functions. With this directive, you can set a list of functions to be disabled, so that improperly used functions cannot open holes in your server.

The 7th parameter
The 7th setting concerns COM objects. The com.allow_dcom directive defaults to True, and you should set it to False. If it is True, hackers can run system commands with the COM() function even though PHP safe_mode is on.

The 8th parameter
The last parameter is expose_php, which determines whether to expose the version of PHP installed on the server. When it is On, PHP sends version information in the "X-Powered-By" HTTP header. As a result, hackers can learn the version number of your software, which makes it easier for them to make use of known vulnerabilities. Thus we strongly recommend setting expose_php = Off.

The core settings have been presented above, and most of them relate to security. Remember that after configuring php.ini, IIS needs to be restarted. Otherwise, the settings will not take effect.
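
An added example (not code from the original article): a PHP script that reads the effective value of each of the eight directives with ini_get() and compares it with the recommendations above, which also confirms that the settings took effect after the restart. register_globals, safe_mode and magic_quotes_gpc were removed in PHP 5.4, and com.allow_dcom exists only when the COM extension is loaded, so these report N/A when the running PHP does not know them. The function names ini_bool and audit are this example's own.

```php
<?php
// Added example: audit the effective values of the eight directives.
// Expected on/off values follow the article's recommendations.
$expected = array(
    'register_globals' => false,
    'safe_mode'        => true,
    'magic_quotes_gpc' => true,
    'display_errors'   => false,
    'com.allow_dcom'   => false,
    'expose_php'       => false,
);
// Directives that only need a non-empty value (the list itself is site-specific).
$mustBeSet = array('open_basedir', 'disable_functions');

// ini_get() returns strings such as "1", "", "On" or "Off"; map them to a boolean.
function ini_bool($raw)
{
    $v = strtolower(trim((string) $raw));
    return !in_array($v, array('', '0', 'off', 'false', 'no', 'none'), true);
}

function audit(array $expected, array $mustBeSet)
{
    $report = array();
    foreach ($expected as $name => $want) {
        $raw = ini_get($name);
        if ($raw === false) {
            // Unknown to this PHP build: directive removed or extension not loaded.
            $report[$name] = 'N/A';
        } else {
            $report[$name] = (ini_bool($raw) === $want) ? 'OK' : 'CHANGE';
        }
    }
    foreach ($mustBeSet as $name) {
        $report[$name] = (trim((string) ini_get($name)) !== '') ? 'OK' : 'CHANGE';
    }
    return $report;
}

// Show which php.ini was actually loaded, then one line per directive.
echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
foreach (audit($expected, $mustBeSet) as $name => $status) {
    printf("%-18s %-7s %s\n", $name, $status, var_export(ini_get($name), true));
}
```

Run it through the same web server that serves the site, because the command-line PHP can load a different php.ini and different defaults.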