Developer

A tour of the PHP.INI configuration file, part 2

The first part of this article introduced you to the php.ini file. This second part goes deeper, covering topics such as how to activate PHP's extensions, setting resource limits for your PHP scripts, and altering configuration variables on the fly through a PHP script.

The first part of this article introduced you to the php.ini file, explained its structure, and showed you how to adjust PHP's search path, error handling, and parser options. This second part goes deeper into the configuration file, covering topics such as how to activate PHP's extensions, setting resource limits for your PHP scripts, and altering configuration variables on the fly through a PHP script.

Activating extensions

A number of different extensions are available for PHP. On UNIX systems, extensions need to be built at compile-time; on Windows, binary DLL files are included with the PHP distributions. The extension_dir variable contains the name of the directory PHP should look in for these extensions.

extension_dir = "C:\Program Files\Internet Tools\Apache\bin\php4\extensions"

The Windows PHP distribution comes with over 20 different extensions, and they're all listed (though commented out) in the php.ini file. To activate a particular extension, simply remove the semicolon at the beginning of the line and restart the server. To deactivate an extension (say, for better performance), add a semicolon to comment out the line.

If the extension is not listed in the file, use the extension variable, and pass it the file name of the corresponding DLL.

extension=php_domxml.dll
extension=php_dbase.dll

Setting extension-specific variables

Extension-specific variables are stored in separate sections of the configuration file. For example, all the variables related to the MySQL extension should be in the [MySQL] section of the php.ini file.

If you're going to use PHP's mail() function, there are three variables you may need to set. The SMTP and sendmail_from variables (on Windows) or the sendmail_path variable (on UNIX) are used when sending e-mail messages through PHP's mail() function. On Windows, these variables set the SMTP server to be used and the From: address to display in e-mail messages; on UNIX, the sendmail_path variable sets the path of the MTA (mail transfer agent) for mail delivery:

SMTP = myserver.localnet.com
sendmail_from = me@localhost.com
sendmail_path = /usr/sbin/sendmail

The java.class.path, java.home, java.library and java.library.path variables all set the directories to look in for Java classes and libraries. These values are used by the Java extension, so make sure you set them correctly if you want PHP to integrate correctly with your Java applications:

java.class.path = .\php_java.jar
java.home = c:\jdk
java.library = c:\jdk\jre\bin\hotspot\jvm.dll
java.library.path = .\

The session.save_path variable specifies the temporary directory for session information. Normally, this defaults to /tmp, but since this directory does not exist on Windows systems, you must reset it to the appropriate Windows temporary directory or else the session handler will pop up unsightly error messages whenever you call session_start(). You can also control how long a session cookie remains valid, in seconds, with the session.cookie_lifetime variable:

session.save_path = c:\windows\temp
session.cookie_lifetime = 1800

Security settings

There are a number of variables in php.ini related to the security of your PHP installation. The most interesting of these is the safe_mode variable, recommended for ISPs and shared-hosting services as it limits the things a user can do with PHP:

safe_mode = Off

With safe mode turned on, you can specify which directories are searched for files with the safe_mode_include_dir variable. You can also restrict the types of programs a PHP script can run with the exec() command by placing the program binaries in a special directory and telling PHP about it via the safe_mode_include_dir variable. Only binaries in this directory will be accessible via exec():

safe_mode_include_dir = /usr/local/lib/php/safe-include
safe_mode_exec_dir = /usr/local/lib/php/safe-bin

You can restrict file operations with the open_basedir variable, which sets the named directory as the root for file operations. When this value is set, files outside the named directory tree will be inaccessible to PHP. This is a good way to restrict a shared system's users to their own home or Web directories:

open_basedir = /home/web/

The max_execution_time variable sets the maximum number of seconds PHP will wait for a script to finish executing before forcibly terminating it. This comes in handy when your script spirals into an infinite loop. However it can trip you up if you have a legitimate activity that takes time to complete—for example, a large file upload. In such situations you should consider increasing this value to avoid having PHP shut down your script when it's in the middle of something important.

max_execution_time = 90

Speaking of uploads, now let's look at how you configure for uploads and form variables.

Configuring file uploads and form variables


If the security configurations we discussed earlier aren't enough, you can secure your system even further by either turning off file uploads, through the file_uploads variable, or by setting a limit on the maximum size of an upload with upload_max_filesize. Generally you'll want to set a fairly small file size unless you have an application that is designed to accept files, such as an image gallery or a Web-based FTP service:

file_uploads = On
upload_max_filesize = 2M

If you're not interested in uploading files but use a lot of forms in your PHP application, there are two variables that will be of particular interest to you—first, the register_globals variable, the cause of much heartache to longtime PHP developers. In PHP 3.x, this variable was On by default, leading form variables to be automatically converted to PHP variables when a form was submitted.

Security concerns led to this variable being set to Off in PHP 4.x. As a result, form variables could only be accessed through the special $_GET and $_POST arrays. This broke many scripts written in PHP 3.x, and forced developers to rewrite and retest their scripts. For example, the value entered into the field <input type="text" name="email"> would be available as $email in a PHP 3.x script, but as $_POST['email'] or $_GET['email'] in a PHP 4.x script.

You should generally set this variable to Off, as that offers greater security against script attacks through forms. For compatibility with older PHP 3.x scripts, turn it On:

register_globals = Off

Also related to form submission is the post_max_size variable, which controls the maximum amount of data that PHP will accept in a single form submission with the POST method. It's unlikely you'll ever need to increase this from the default value of 8 MB; instead, you should probably reduce it to a more realistic figure. However, if you're planning on using the file upload features of PHP, keep this value greater than the value of upload_max_filesize.

post_max_size = 8M

New in PHP 5 is the max_input_time variable, which sets a time limit in seconds for receiving input data through POST, GET, and PUT. If your application is running over a slow link, it is sometimes worthwhile to explore increasing this value to allow the script more time to receive input data.

max_input_time = 90

Tweaking performance

There are even some values you can tweak to improve the performance of the PHP interpreter. In order to avoid runaway scripts using up all the available memory on the system, PHP allows you to define limits on memory usage. This value is set via the memory_limit variable, and it specifies the maximum memory a single script may use:

memory_limit = 8M

The memory_limit value should generally be higher than the value of post_max_size.

Another thing you can do to improve performance is disable the $argc and $argv variables, which store the number of arguments passed to an application on the command line as well as the actual argument values.

register_argc_argv = false

Similarly, disable the $HTTP_GET_VARS and $HTTP_POST_VARS arrays, since you're unlikely to use them in the modern world of $_GET and $_POST. Disabling these features can improve performance, but is only available in PHP 5 via the register_long_arrays variable.

register_long_arrays = false

The ini_set() function

Finally, a note on the ini_set() function. While PHP reads all its settings at startup from the php.ini configuration file, it also lets you override those settings on a per-script basis with the very cool ini_set() function. This function accepts two arguments: the name of the configuration variable to alter, and its new value. Here is an example, which increases the maximum execution time for the script in which it appears:

<?php
ini_set('max_execution_time', 600);

// more code
?>

The setting only affects the script in which it is set. Once the script has completed executing, the original value of the variable is restored automatically.

If your PHP applications are running on a shared server, it's unlikely that you will have access to the master php.ini configuration file. The ini_set() function can help significantly by allowing you to reconfigure PHP on the fly for your special needs.

Editor's Picks

Free Newsletters, In your Inbox