Solved

PHP Settings in Plesk

Posted on 2013-05-25
1,126 Views
Last Modified: 2013-05-27
PHP Experts - I have not worked extensively in PHP until now, and I am setting up a new PHP site on a Windows server using Plesk and PHP 5.4.15. There are some settings I would like some opinions on. I don't need each one, but please comment on any of these you have a strong opinion on.

For instance, there is an option for error reporting to go to a file inside or outside the webroot. If there is an error, I just don't want the actual error to be available except on the server, like ASP, if that is possible.

Thanks!



memory_limit
The maximum amount of memory in bytes a script is allowed to allocate. Set the value to -1 to have no memory limit (not recommended). Use shortcuts for byte values: K (kilo), M (mega), and G (giga). For example, 128M.


max_execution_time
The maximum time in seconds a script is allowed to run before it is terminated.


max_input_time
The maximum time in seconds a script is allowed to parse input data.

post_max_size
The maximum size in bytes of data that can be posted with the POST method. Typically, should be larger than upload_max_filesize and smaller than memory_limit. Use shortcuts for byte values: K (kilo), M (mega), and G (giga). For example, 128M.


upload_max_filesize
The maximum size in bytes of an uploaded file. Use shortcuts for byte values: K (kilo), M (mega), and G (giga). For example, 128M.


Common settings
safe_mode
(Removed in PHP 5.4.0) Enables PHP safe mode. This mode puts a number of restrictions on scripts (say, access to file system) mainly for security reasons.

safe_mode_include_dir
(Removed in PHP 5.4.0) If PHP is in the safe mode and a script tries to access some files, files from this directory will bypass security (UID/GID) checks. The directory must also be in include_path. For example: /dir/inc

safe_mode_exec_dir
(Removed in PHP 5.4.0) If PHP is in the safe mode, scripts can execute external programs located only in this directory. For example: /dir/external

include_path
The list of directories where scripts look for files (similar to system's PATH variable). To separate directories, use a colon (:) on Linux and a semicolon (;) on Windows. For example, on Linux: .:/dir/inc:/usr/lib/php

session.save_path
The directory where PHP writes session data (files). For example: /dir/tmp

mail.force_extra_parameters
Additional parameters for the mail() function used to send mail. For example, to use your custom Sendmail configuration: -C /dir/conf.cf

register_globals
Tells whether to register the contents of the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This option is a great security risk, thus do not turn it on without necessity.

open_basedir
The list of directories used to limit the files that can be opened by PHP. If the file is outside the specified directories, PHP scripts will refuse to open it. To separate directories, use a colon (:) on Linux and a semicolon (;) on Windows. For example, on Linux: /dir/upload:/usr/tmp

error_reporting
The error reporting level.

display_errors
Determines whether errors should be printed to the screen as part of the output or if they should not be shown to a user.

log_errors
Tells whether to log errors. By default, errors are logged in the server's error log. Use the error_log directive to specify the path to your own log file.

allow_url_fopen
Allows PHP file functions to retrieve data from remote locations over FTP or HTTP. This option is a great security risk, thus do not turn it on without necessity.

file_uploads
Allows uploading files over HTTP.

short_open_tag
Allows the short form (<? ?>) of the PHP's open tag.

magic_quotes_gpc
(Removed in PHP 5.4.0) Sets the magic_quotes state for the GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash), and NULL special characters are escaped with the \ (backslash) automatically.
Question by:Scott Fell,  EE MVE
8 Comments
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 1000 total points
ID: 39197375
I generally don't change the setting in 'php.ini' from the default unless I have a reason to.  If you go here http://www.php.net/manual/en/ini.php you can see what all those things do including all the things removed in PHP 5.4.  You do need to set session.save_path to something that the web server and PHP can write to.  Since I put PHP in C:\PHP, I put session.save_path = "C:/PHP/save".  Make sure the directory permissions allow for writing.
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 1000 total points
ID: 39197583
Exactly what DaveBaldwin said!  Here are things I might like in the default installation of PHP.

Register Globals: Off
Magic Quotes: Off
Error_Reporting(E_ALL)
Log_Errors(TRUE)
Display_Errors(TRUE) and possibly suppressed in the runtime build
Allow_URL_FOpen(TRUE) for API compatibility
Date_Default_TimeZone_Set to something useful for most work

Things like Short_Open_Tag are mostly noise.  It's a configuration option that introduces an irrelevant complicating factor.  Just don't do that.

My $0.02, ~Ray
LVL 54

Author Closing Comment

by:Scott Fell, EE MVE
ID: 39197704
Thank you both!

I figured it was better to set the error log outside of the site as long as there are write privileges.

For suppressing error reporting at run time, do I just add an include file at the top of each page with error_reporting(0);?
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39197775
I never suppress error reporting... I want to know even if it means a customer calls and asks what's going on.  You can't fix what you don't know about.
LVL 54

Author Comment

by:Scott Fell, EE MVE
ID: 39197887
I know. I show friendly errors to the public and detailed errors only on the server for ASP. But that is done in IIS/web.config. I just want to avoid showing any type of error to help hackers.
LVL 111

Expert Comment

by:Ray Paseur
ID: 39197962
Thanks for the points.  This is quite useful for runtime errors in a live setting.
http://php.net/manual/en/function.set-error-handler.php
LVL 54

Author Comment

by:Scott Fell, EE MVE
ID: 39199250
Does set_error_handler go on every page?
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39199319
I'm sure it does like almost everything else in PHP.  The only place that all routines will have in common is the settings in 'php.ini'.  Things like set_error_handler() and ini_set() are used to override the settings in 'php.ini'.  Note that not all things can be changed at run-time.  http://us2.php.net/manual/en/function.ini-set.php
0
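The thread above settles on a combination of php.ini settings, ini_set() and set_error_handler() to keep error detail on the server while showing visitors a neutral page. The following is an added example, written for this page and not code posted by any of the participants, that puts those pieces together in PHP 5.4-compatible syntax. The log path C:/PHP/logs/php_error.log and the handler names are assumptions; substitute a directory outside the site root that the web server can write to.

```php
<?php
// Added example; not code from the thread. Full error detail goes to a log
// file outside the webroot, the visitor only ever sees a generic message.
// All paths below are assumptions.

// display_errors, log_errors and error_log are PHP_INI_ALL, so ini_set()
// may override php.ini at runtime. Directives such as allow_url_fopen or
// open_basedir cannot be changed this way and must be set in php.ini.
error_reporting(E_ALL);                               // report everything...
ini_set('display_errors', '0');                       // ...but never to the browser
ini_set('log_errors', '1');
ini_set('error_log', 'C:/PHP/logs/php_error.log');    // assumed path, outside the site root

function app_log($message)
{
    // error_log() with no destination argument writes to the error_log directive.
    error_log(sprintf('[%s] %s', date('c'), $message));
}

function app_friendly_page()
{
    // Generic response: no file names, line numbers or stack traces.
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'Sorry, something went wrong. The problem has been logged.';
    exit;
}

// Receives warnings, notices and E_USER_* errors (fatal errors never reach it).
function app_error_handler($errno, $errstr, $errfile, $errline)
{
    if (!(error_reporting() & $errno)) {
        return false;                                 // honour the @ operator
    }
    app_log(sprintf('Error %d: %s in %s on line %d', $errno, $errstr, $errfile, $errline));
    if ($errno === E_USER_ERROR) {
        app_friendly_page();                          // the script asked to abort
    }
    return true;                                      // suppress default output, keep running
}

// Receives exceptions that nothing caught.
function app_exception_handler($e)
{
    app_log(sprintf('Uncaught %s: %s in %s on line %d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    app_friendly_page();
}

// Fatal errors bypass set_error_handler(); inspect them on shutdown instead.
function app_shutdown_handler()
{
    $err = error_get_last();
    $fatal = array(E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR);
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        app_log(sprintf('Fatal %d: %s in %s on line %d',
            $err['type'], $err['message'], $err['file'], $err['line']));
        app_friendly_page();
    }
}

set_error_handler('app_error_handler');
set_exception_handler('app_exception_handler');
register_shutdown_function('app_shutdown_handler');
```

To answer the "does it go on every page?" question without editing each script, save the block as one file and name it in php.ini's auto_prepend_file directive (for example auto_prepend_file = "C:/PHP/bootstrap.php", an assumed path), or require_once it at the top of each page. Either way the detail ends up only in the log, which is what the ASP-style behaviour asked for in the question amounts to.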