PHP Configuration - Webmaster Sherpa

The default configuration for PHP may very well suit all your coding needs just fine. Sometimes, however, it won’t. Generally speaking there are three ways to make changes to your PHP configuration:

Modify the php.ini file if you have access to it. Some hosting plans will allow you to access and modify this file and some won’t. Personally, I would recommend choosing a plan that does.
Use an .htaccess file. Generally, this option applies to the directory in which the .htaccess file is placed.
Modify a configuration option within a PHP script (typically via a special PHP command or via the ini_set command). Generally, the configuration option will keep the new value during the script’s execution, and will be restored at the script’s ending. One important thing to realize about making changes via your PHP script is that many settings, although they do get set, have no influence in your script. For example, the upload_max_filesize option can be set, but uploaded files are passed to your PHP script before the settings are changed.

Below are the most common issues I have come across that may require a change to your PHP setup. Where appropriate I illustrate how to make the changes in the .htaccess file or a PHP script. Changing the php.ini file is usually just a matter of searching for the specific configuration option and editing its value.

Note: some of the changes listed below cannot be made directly in your PHP script if your PHP installation is running in safe mode. I have to further investigate which ones, but timeout is definitely one. What’s worse, unless you are using fairly strict error reporting (beyond the typical default level of reporting), you won’t realize that your configuration setting is being ignored.

Magic Quotes (magic_quotes)

From Wikipedia:

Magic quotes are a controversial feature of the PHP scripting language, intended to help prevent inexperienced developers from writing code which is vulnerable to SQL injection attacks. With magic_quotes turned on, single quotes, double quotes, backslashes and null characters in all user-supplied data all have a backslash prepended to them before being passed to the script in the $_GET, $_POST and $_COOKIE global variables.

Problems with magic quotes include:

Not all data that is supplied by the user is intended for insertion into a database. It may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps in even in widely used software.
Magic quotes also use the generic functionality provided by PHP’s addslashes() function, which is not Unicode aware and still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string() or, where possible, prepared queries with bound parameters are preferred.
Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled.
Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary performance overhead.
Magic quotes do not protect against other common security vulnerabilities such as cross site scripting attacks or SMTP header injection attacks.

In November 2005 the core PHP developers decided on account of these problems that the magic quotes feature would be removed from PHP 6.

I myself have fallen victim to magic_quotes headaches. When I first started coding in PHP and they were enabled by default on my server I got used to them but sometimes suffered the consequences of forgetting they were turned on. Since then, I try not to use them but I still run into occasional problems with third party scripts which make assumptions about whether magic_quotes are enabled or not.

Change via .htaccess file:

php_flag magic_quotes_gpc on

Change via PHP script:

set_magic_quotes_runtime (1)

An Approach to Dealing With Magic Quotes

One approach to dealing with magic_quotes issues is to create your own addslashes function that adds slashes when magic_quotes is turned off and doesn’t if turned on. Here is what such a function could look like:

<?php

function myaddslashes ($string) {

if (get_magic_quotes_gpc()==1) {

return ($string);

} else {

return ( addslashes($string) );

}

If you use this function for all your database work, your code will run everywhere.

The long and short of magic_quotes is that they are a pain and should be avoided. It probably would have been better if they had never been invented!

Timeout

PHP scripts are aborted after a maximum execution time has been exceeded. The default is 30 seconds.

Change via .htaccess file:

php_value max_execution_time 60

Change via PHP script:

set_time_limit(50);

Global Variables

When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn’t require variable initialization means writing insecure code is that much easier. Prior to PHP 4.2.0, register_globals was on by default. Since that version it has been set to off by default.

Change via .htaccess file:

php_flag register_globals off

Change via PHP script:

Setting register_globals in your PHP script won’t be very helpful.

display_errors and error_display

You can choose to turn error displaying on or off OR you can change specific error_display settings to suit your needs.

Change via .htaccess file:

php_flag display_errors off

php_value error_reporting "E_ALL"

Change via PHP script:

Within a PHP script use the error_reporting option, either alone or via the ini-set command. Common examples:

// Turn off all error reporting

error_reporting(0);

// Report simple running errors

error_reporting(E_ERROR | E_WARNING | E_PARSE);

// Reporting E_NOTICE can be good too (to report uninitialized

// variables or catch variable name misspellings ...)

error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);

// Report all errors except E_NOTICE

// This is the default value set in php.ini

error_reporting(E_ALL ^ E_NOTICE);

// Report all PHP errors (bitwise 63 may be used in PHP 3)

error_reporting(E_ALL);

// Same as error_reporting(E_ALL);

ini_set('error_reporting', E_ALL);

include_path

The include_path option specifies a list of directories where the require(), include(), fopen(), file(), readfile() and file_get_contents() functions look for files. The format is like the system’s PATH environment variable: a list of directories separated with a colon in Unix or semicolon in Windows.

Unix include_path example:

include_path=".:/php/includes"

Windows include_path ecample:

include_path=".;c:phpincludes"

Change via .htaccess file:

php_value include_path "your/include/path/here"

Change via PHP script:

ini_set("include_path", ".:../:./include:../include");

Memory Limit

Like the maximum execution time, PHP has a memory limit. If you are running a script that requires a lot of memory (a large database query, for example) then you may run into problems.

Change via .htaccess file:

php_value memory_limit "16M"

Change via PHP script:

ini_set("memory_limit","16M");

Subject: Configuring and Administering Your Server

Like this content? Why not share it?