Configuring PHP: Essential INI Settings
Out Of Date Warning
Languages change. Perspectives are different. Ideas move on. This article was published on September 28, 2009 which is more than two years ago. It may be out of date. You should verify that technical information in this article is still current before relying upon it for your own purposes.
- Avoiding Notices: When to Use isset() and empty()
- Configuring PHP: Essential INI Settings
- Accessing Databases with PDO: A Primer
- To The New PHP Programmers…
- How To Write A Function In PHP
- Five Cool PHP Array Functions
- Micro Optimizations That Don’t Matter
- Adapting The Joel Test To Web Development
- Exceptional PHP: Introduction to Exceptions
- Suhosin: The Invisible Hand Of PHP
- Why You Should Replace ENUM With Something Else
When setting up a web server with PHP, there are a number of settings that are critical to consider. PHP 5.3 contains both a development INI file and a production INI file; however, users of older PHP releases (or those who don’t have direct control over their INI files) will want to pay attention and make sure that certain settings are configured.
These settings are the settings that I use whenever I configure a PHP server.
register_globals = Off A holdover from ancient PHP versions, this setting is by default turned off and should remain that way. Even though it is disabled by default, many hosts enable it to continue supporting legacy code; in your own code, I recommend you set it to off. You can turn it off on a directory basis using htaccess files.
magic_quotes_gpc = Off This is another old holdover from PHP, and is slated for removal in PHP 6, along with register_globals. This automatically adds slashes to all GET, POST and COOKIE data, meaning that a posted string of “This is my code’s string” gets converted to “This is my code\’s string”. magic_quotes_gpc offers NO security; you should turn it off. It can be turned off per directory.
error_reporting = E_ALL | E_STRICT This is the strictest error setting you can insist on from PHP. Some people will disagree with the E_STRICT statement; I think that it’s important that our code conform to high code standards, and that means having E_STRICT turned on. This should be done even on production, because you want to know about errors you’re getting from your code, even if you didn’t see them during testing.
display_errors = Off Even though we want to have PHP raise errors, we don’t want them displayed to the end user! Turn display_errors to off and log the errors instead. You can configure the log path in each directory, and you should make use of this feature. Displaying errors to the end user is a security vulnerability, because it allows them to determine the operating system and file structure of your application.
session.gc_maxlifetime = 28800 This setting is how long a session is valid on your system. The default length of time is a paltry 1140 seconds, or 24 minutes. That means that someone reading a long article behind a login portal might get logged out after they’re finished. The setting I use is 8 hours, which is enough time for most users. You can also use four hours (14,400 seconds).
short_open_tag = 0 This is on by default, but using short tags (<?) is bad form. Turn it off and don’t utilize it. (Edit) There are two reasons for this. First, and the more rare reason, is that it could create problems with XML parsing. If you ever have the need to embed PHP in XML (as I did once), you may run into this. This is rare, but possibe. Second, and more common, is that if you ever change hosts, or start using a host that configures PHP for you, they may disable the short tags by default. This could leave you scrambling for a fix for your code. Changing 20,000 <? into <?php can take a long time (I’ve done it; it can be a pain).
upload_max_filesize = 10M & post_max_size = 11M If you do anything with file uploads, you’ll find that the default 2 MB is woefully inadequate. I set mine to at least 10 MB, to ensure that most files I want are uploaded. You’ll also want to up the post_max_size due to the fact that it is set to a default of 8 MB, which will cause your file upload to break.
How to Set PHP Directives In htaccess Files
Finally, a discussion of how to set these values: if you make use of a shared host, you won’t be able to get direct access to the php.ini file. There are two different htaccess directives you need to be aware of: php_flag and php_value. The use of php_flag is reserved for boolean values, like register_globals and magic_quotes_gpc. You use php_value for things that are not boolean, like error_reporting and error_log.
For example, the syntax for turning off register_globals is as follows:
The syntax to set the error log file path is as follows:
This blog entry implements The Beginner Pattern.