The first
part
of this article introduced you to the php.ini file, explained its structure, and showed you how to adjust
PHP’s search path, error handling, and parser options. This second part goes
deeper into the configuration file, covering topics such as how to activate
PHP’s extensions, setting resource limits for your PHP scripts, and altering configuration
variables on the fly through a PHP script.

Activating extensions

A number of different extensions are available for PHP. On
UNIX systems, extensions need to be built at compile-time; on Windows, binary
DLL files are included with the PHP distributions. The extension_dir variable contains the name of the directory PHP
should look in for these extensions.

extension_dir = “C:\Program Files\Internet Tools\Apache\bin\php4\extensions”

The Windows PHP distribution comes with over 20 different
extensions, and they’re all listed (though commented out) in the php.ini file. To activate a particular
extension, simply remove the semicolon at the beginning of the line and restart
the server. To deactivate an extension (say, for better performance), add a
semicolon to comment out the line.

If the extension is not listed in the file, use the extension variable, and pass it the file
name of the corresponding DLL.

extension=php_domxml.dll
extension=php_dbase.dll

Setting extension-specific variables

Extension-specific variables are stored in separate sections
of the configuration file. For example, all the variables related to the MySQL
extension should be in the [MySQL] section of the php.ini file.

If you’re going to use PHP’s mail() function, there are
three variables you may need to set. The SMTP and sendmail_from variables (on Windows) or the sendmail_path variable (on UNIX) are used when sending e-mail
messages through PHP’s mail() function. On Windows, these variables set the
SMTP server to be used and the From:
address to display in e-mail messages; on UNIX, the sendmail_path variable sets the path of the MTA (mail transfer agent)
for mail delivery:

SMTP = myserver.localnet.com
sendmail_from = me@localhost.com
sendmail_path = /usr/sbin/sendmail

The java.class.path,
java.home, java.library and java.library.path
variables all set the directories to look in for Java classes and libraries.
These values are used by the Java extension, so make sure you set them
correctly if you want PHP to integrate correctly with your Java applications:

java.class.path = .\php_java.jar
java.home = c:\jdk
java.library = c:\jdk\jre\bin\hotspot\jvm.dll
java.library.path = .\

The session.save_path
variable specifies the temporary directory for session information. Normally,
this defaults to /tmp, but since this
directory does not exist on Windows systems, you must reset it to the appropriate
Windows temporary directory or else the session handler will pop up unsightly
error messages whenever you call session_start(). You can also control how long
a session cookie remains valid, in seconds, with the session.cookie_lifetime variable:

session.save_path = c:\windows\temp
session.cookie_lifetime = 1800

Security settings

There are a number of variables in php.ini related to the
security of your PHP installation. The most interesting of these is the safe_mode variable, recommended for ISPs
and shared-hosting services as it limits the things a user can do with PHP:

safe_mode = Off

With safe mode turned on, you can specify which directories
are searched for files with the safe_mode_include_dir
variable. You can also restrict the types of programs a PHP script can run with
the exec() command by placing the program binaries in a special directory and
telling PHP about it via the safe_mode_include_dir
variable. Only binaries in this directory will be accessible via exec():

safe_mode_include_dir = /usr/local/lib/php/safe-include
safe_mode_exec_dir = /usr/local/lib/php/safe-bin

You can restrict file operations with the open_basedir variable, which sets the
named directory as the root for file operations. When this value is set, files
outside the named directory tree will be inaccessible to PHP. This is a good
way to restrict a shared system’s users to their own home or Web directories:

open_basedir = /home/web/

The max_execution_time
variable sets the maximum number of seconds PHP will wait for a script to
finish executing before forcibly terminating it. This comes in handy when your
script spirals into an infinite loop. However it can trip you up if you have a
legitimate activity that takes time to complete—for example, a large file
upload. In such situations you should consider increasing this value to avoid
having PHP shut down your script when it’s in the middle of something
important.

max_execution_time = 90

Speaking of uploads, now let’s look at how you configure for
uploads and form variables
.

Configuring file uploads and form variables

If the security configurations we
discussed earlier
aren’t enough, you can secure your system even further by
either turning off file uploads, through the file_uploads variable, or by setting a limit on the maximum size of
an upload with upload_max_filesize. Generally
you’ll want to set a fairly small file size unless you have an application that
is designed to accept files, such as an image gallery or a Web-based FTP
service:

file_uploads = On
upload_max_filesize = 2M

If you’re not interested in uploading files but use a lot of
forms in your PHP application, there are two variables that will be of particular
interest to you—first, the register_globals
variable, the cause of much heartache to longtime PHP developers. In PHP 3.x,
this variable was On by default, leading form variables to be automatically
converted to PHP variables when a form was submitted.

Security concerns led to this variable being set to Off in
PHP 4.x. As a result, form variables could only be accessed through the special
$_GET and $_POST arrays. This broke many scripts written in PHP 3.x, and forced
developers to rewrite and retest their scripts. For example, the value entered
into the field <input type=”text” name=”email”> would
be available as $email in a PHP 3.x script, but as $_POST[’email’] or
$_GET[’email’] in a PHP 4.x script.

You should generally set this variable to Off, as that
offers greater security against script attacks through forms. For compatibility
with older PHP 3.x scripts, turn it On:

register_globals = Off

Also related to form submission is the post_max_size variable, which controls the maximum amount of data
that PHP will accept in a single form submission with the POST method. It’s
unlikely you’ll ever need to increase this from the default value of 8 MB;
instead, you should probably reduce it to a more realistic figure. However, if
you’re planning on using the file upload features of PHP, keep this value
greater than the value of upload_max_filesize.

post_max_size = 8M

New in PHP 5 is the max_input_time
variable, which sets a time limit in seconds for receiving input data through
POST, GET, and PUT. If your application is running over a slow link, it is
sometimes worthwhile to explore increasing this value to allow the script more
time to receive input data.

max_input_time = 90

Tweaking performance

There are even some values you can tweak to improve the
performance of the PHP interpreter. In order to avoid runaway scripts using up
all the available memory on the system, PHP allows you to define limits on
memory usage. This value is set via the memory_limit
variable, and it specifies the maximum memory a single script may use:

memory_limit = 8M

The memory_limit
value should generally be higher than the value of post_max_size.

Another thing you can do to improve performance is disable
the $argc and $argv variables, which store the number of arguments passed to an
application on the command line as well as the actual argument values.

register_argc_argv = false

Similarly, disable the $HTTP_GET_VARS and $HTTP_POST_VARS
arrays, since you’re unlikely to use them in the modern world of $_GET and
$_POST. Disabling these features can improve performance, but is only available
in PHP 5 via the register_long_arrays
variable.

register_long_arrays = false

The ini_set() function

Finally, a note on the ini_set() function. While PHP reads
all its settings at startup from the php.ini
configuration file, it also lets you override those settings on a per-script
basis with the very cool ini_set() function. This function accepts two
arguments: the name of the configuration variable to alter, and its new value.
Here is an example, which increases the maximum execution time for the script
in which it appears:

<?php
ini_set('max_execution_time', 600);

// more code
?>

The setting only affects the script in which it is set. Once
the script has completed executing, the original value of the variable is
restored automatically.

If your PHP applications are running on a shared server,
it’s unlikely that you will have access to the master php.ini configuration file. The ini_set() function can help
significantly by allowing you to reconfigure PHP on the fly for your special
needs.