Php.ini configuration
A number of configuration directives are supported in the config/php.ini file which can be set to alter the behavior when executing PHP scripts.
If a directive is in the list but is not supported then you cannot change that directive in the php.ini file, and only the default behavior is provided. The default value is the value used if there is no value specified in the php.ini file (for example if the directive is commented out).
| Directive | Explanation | Supported | Default Value | Differences |
|---|---|---|---|---|
| optimization_level | This sets the level of optimization performed on the PHP code when it is compiled for execution. The default value provides the best performance while, at the same time, being safe for all applications. It may be set to "int" to force interpreted execution which performs more slowly. | Yes | 2 | This is an option that is specific to the runtime for PHP in WebSphere sMash. |
| code_cache | Enables the use of an in-memory cache of compiled PHP code. This eliminates the parsing and compilation step for the second and subsequent runs of a PHP file. It provides a performance improvement for repeatedly executed files. Additional heap space is required to hold this cache. The space required is dependent on the number and complexity of files that it holds. | Yes | On | This is an option that is specific to the runtime for PHP in WebSphere sMash. |
| code_cache_limit | Sets a limit on the number of files that will be held in the code cache. When this limit is reached entries are removed on a least recently used basis in order to accommodate new entries. | Yes | 400 | This is an option that is specific to the runtime for PHP in WebSphere sMash. |
| persistent_code_cache | Enables the use of a filesystem store of compiled PHP code. This is an extension of the memory-based code cache; however, it is not limited in size and persists over application stops and recycle events. | Yes | Off | This is an option that is specific to the runtime for PHP in WebSphere sMash. |
| persistent_code_cache_dir | Specifies the directory in which the persistent code cache is written. | Yes | . | This is an option that is specific to the runtime for PHP in WebSphere sMash. |
| map_locals | Specifies that local variables should always be available in a map data structure. This disables some performance optimisations. This is required to ensure that the "context" parameter is always filled in when a user error handler is invoked. | Yes | Off | This is an option that is specific to the runtime for PHP in WebSphere sMash. |
| zend.ze1_compatibility_mode | Enable compatibility mode with Zend Engine 1 (PHP 4.x) | No | Off | |
| short_open_tag | Allow the <? tag. Otherwise, only <?php and <script> tags are recognized. NOTE: Using short tags should be avoided when developing applications or libraries that are meant for redistribution, or deployment on PHP servers which are not under your control, because short tags may not be supported on the target server. For portable, redistributable code, be sure not to use short tags. | Yes | Off | |
| asp_tags | Allow ASP-style <% %> tags. | Yes | Off | |
| precision | The number of significant digits displayed in floating point numbers. | Yes | 14 | |
| y2k_compliance | Enforce year 2000 compliance (will cause problems with non-compliant browsers) | No | On | |
| output_buffering | Output buffering allows you to send header lines (including cookies) even after you send body content, at the price of slowing PHP's output layer a bit. You can enable output buffering during runtime by calling the output buffering functions. You can also enable output buffering for all files by setting this directive to On. If you wish to limit the size of the buffer to a certain size - you can use a maximum number of bytes instead of 'On', as a value for this directive (e.g., output_buffering=4096). | Yes | Off | |
| output_handler | You can redirect all of the output of your scripts to a function. Setting any output handler automatically turns on output buffering. Note: People who write portable scripts should not depend on this ini directive. Instead, explicitly set the output handler using ob_start(). Using this ini directive may cause problems unless you know what the script is doing. | Yes | Off | |
| implicit_flush | Implicit flush tells PHP to tell the output layer to flush itself automatically after every output block. This is equivalent to calling the PHP function flush() after each and every call to print() or echo() and each and every HTML block. Turning this option on has serious performance implications and is generally recommended for debugging purposes only. | Yes | Off | |
| unserialize_callback_func | The unserialize callback function will be called (with the undefined class' name as parameter), if the unserializer finds an undefined class which should be instantiated. A warning appears if the specified function is not defined, or if the function doesn't include/implement the missing class. So only set this entry, if you really want to implement such a callback-function. | Yes | ||
| serialize_precision | When floats and doubles are serialized, store serialize_precision significant digits after the floating point. The default value ensures that when floats are decoded with unserialize, the data will remain the same. | Yes | Off | |
| allow_call_time_pass_reference | Whether to enable the ability to force arguments to be passed by reference at function call time. This method is deprecated and is likely to be unsupported in future versions of PHP/Zend. The encouraged method of specifying which arguments should be passed by reference is in the function declaration. You're encouraged to try and turn this option Off and make sure your scripts work properly with it in order to ensure they will work with future versions of the language (you will receive a warning each time you use this feature, and the argument will be passed by value instead of by reference). | No | Off | Call time pass by reference is not supported. |
| safe_mode | Safe Mode | No | Off | |
| safe_mode_gid | By default, Safe Mode does a UID compare check when opening files. If you want to relax this to a GID compare, then turn on safe_mode_gid. | No | Off | |
| safe_mode_include_dir | When safe_mode is on, UID/GID checks are bypassed when including files from this directory and its subdirectories. (directory must also be in include_path or full path must be used when including) | No | ||
| safe_mode_exec_dir | When safe_mode is on, only executables located in the safe_mode_exec_dir will be allowed to be executed via the exec family of functions. | No | ||
| safe_mode_allowed_env_vars | Setting certain environment variables may be a potential security breach. This directive contains a comma-delimited list of prefixes. In Safe Mode, the user may only alter environment variables whose names begin with the prefixes supplied here. By default, users will only be able to set environment variables that begin with PHP_ (e.g. PHP_FOO=BAR). Note: If this directive is empty, PHP will let the user modify ANY environment variable! | No | | putenv() is not supported so no environment variables can be changed. |
| safe_mode_protected_env_vars | This directive contains a comma-delimited list of environment variables that the end user won't be able to change using putenv(). These variables will be protected even if safe_mode_allowed_env_vars is set to allow to change them. | No | | putenv() is not supported so no environment variables can be changed. |
| open_basedir | open_basedir, if set, limits all file operations to the defined directory and below. This directive makes most sense if used in a per-directory or per-virtualhost web server configuration file. This directive is *NOT* affected by whether Safe Mode is turned On or Off. | Yes | ||
| disable_functions | This directive allows you to disable certain functions for security reasons. It receives a comma-delimited list of function names. This directive is *NOT* affected by whether Safe Mode is turned On or Off. | No | ||
| disable_classes | This directive allows you to disable certain classes for security reasons. It receives a comma-delimited list of class names. This directive is *NOT* affected by whether Safe Mode is turned On or Off. | No | ||
| highlight.string | Colors for Syntax Highlighting mode. Anything that's acceptable in <span style="color: ???????"> would work. | Yes | #DD0000 | |
| highlight.comment | Colors for Syntax Highlighting mode. Anything that's acceptable in <span style="color: ???????"> would work. | Yes | #FF8800 | |
| highlight.keyword | Colors for Syntax Highlighting mode. Anything that's acceptable in <span style="color: ???????"> would work. | Yes | #007700 | |
| highlight.bg | Colors for Syntax Highlighting mode. Anything that's acceptable in <span style="color: ???????"> would work. | Yes | #FFFFFF | |
| highlight.default | Colors for Syntax Highlighting mode. Anything that's acceptable in <span style="color: ???????"> would work. | Yes | #0000BB | |
| highlight.html | Colors for Syntax Highlighting mode. Anything that's acceptable in <span style="color: ???????"> would work. | Yes | #000000 | |
| ignore_user_abort | If enabled, the request will be allowed to complete even if the user aborts the request. Consider enabling it if executing long requests, which may end up being interrupted by the user or a browser timing out. | No | On | |
| expose_php | Decides whether PHP may expose the fact that it is installed on the server (e.g. by adding its signature to the Web server header). It is no security threat in any way, but it makes it possible to determine whether you use PHP on your server or not. | No | Off | |
| max_execution_time | Maximum execution time of each script, in seconds | Yes | 30 | |
| max_input_nesting_level | Maximum nesting of arrays created from POST/GET data | Yes | 64 | |
| error_reporting | error_reporting is a bit-field. Or each number up to get desired error reporting level | Yes | E_ALL & ~E_NOTICE & ~E_STRICT | |
| display_errors | Print out errors (as a part of the output). For production web sites, you're strongly encouraged to turn this feature off, and use error logging instead (see below). Keeping display_errors enabled on a production web site may reveal security information to end users, such as file paths on your Web server, your database schema or other information. Possible values for display_errors: | Yes | On | Value of stderr is not supported. |
| display_startup_errors | Even when display_errors is on, errors that occur during PHP's startup sequence are not displayed. It's strongly recommended to keep display_startup_errors off, except for when debugging. | Yes | Off | |
| log_errors | Log errors into a log file (server-specific log, stderr, or error_log) As stated above, you're strongly advised to use error logging in place of error displaying on production web sites. | Yes | Off | |
| log_errors_max_len | Set the maximum length of log_errors. In error_log, information about the source is added. The default is 1024, and 0 means no maximum length is applied at all. | Yes | 1024 | |
| ignore_repeated_errors | Do not log repeated messages. Repeated errors must occur in the same file on the same line unless ignore_repeated_source is set true. | Yes | Off | |
| ignore_repeated_source | Ignore source of message when ignoring repeated messages. When this setting is On you will not log errors with repeated messages from different files or source lines. | Yes | Off | |
| track_errors | Store the last error/warning message in $php_errormsg (boolean). Note: track_errors imposes a significant performance overhead and should be avoided for production deployments. | Yes | Off | |
| html_errors | Disable the inclusion of HTML tags in error messages. Note: Never use this feature for production boxes. | Yes | On | |
| docref_root | If html_errors is set On PHP produces clickable error messages that direct to a page describing the error or function causing the error in detail. You can download a copy of the PHP manual from http://www.php.net/docs.php and change docref_root to the base URL of your local copy including the leading '/'. You must also specify the file extension being used including the dot. Note: Never use this feature for production boxes. | Yes | ||
| docref_ext | If html_errors is set On PHP produces clickable error messages that direct to a page describing the error or function causing the error in detail. You must specify the file extension being used including the dot. | Yes | ||
| error_prepend_string | String to output before an error message. | Yes | ||
| error_append_string | String to output after an error message. | Yes | ||
| error_log | Log errors to specified file. | Yes | | A value of syslog is not supported. |
| arg_separator.output | The separator used in PHP generated URLs to separate arguments. | Yes | & | |
| arg_separator.input | List of separator(s) used by PHP to parse input URLs into variables. NOTE: Every character in this directive is considered as separator! | Yes | & | |
| register_globals | Whether or not to register the EGPCS variables as global variables. You may want to turn this off if you don't want to clutter your scripts' global scope with user data. This makes most sense when coupled with track_vars, in which case you can access all of the GPC variables through the $HTTP_*_VARS[] variables. You should do your best to write your scripts so that they do not require register_globals to be on; using form variables as globals can easily lead to possible security problems if the code is not very well thought out. | No | Off | |
| register_long_arrays | Whether or not to register the old-style input arrays, HTTP_GET_VARS and friends. If you're not using them, it's recommended to turn them off, for performance reasons. | No | Off | |
| register_argc_argv | This directive tells PHP whether to declare the argv and argc variables (that would contain the GET information). If you don't use these variables, you should turn it off for increased performance. | No | Off | |
| auto_globals_jit | When enabled, the SERVER and ENV variables are created when they're first used (Just In Time) instead of when the script starts. If these variables are not used within a script, having this directive on will result in a performance gain. The PHP directives register_globals, register_long_arrays, and register_argc_argv must be disabled for this directive to have any effect. | No | On | |
| magic_quotes_gpc | Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all single-quote, double quote, backslash and NULs are escaped with a backslash automatically. | Yes | Off | |
| include_path | Path to search for include files. UNIX: "/path1:/path2" Windows: "\path1;\path2" | Yes | ||
| user_dir | The directory under which PHP opens the script using /~username used only if nonempty. | No | ||
| extension_dir | Directory in which the native loadable extensions (modules) reside. The JVM variable java.library.path is also searched for native loadable extensions. Java loadable extensions are found using the classpath and not this directive. | Yes | | Only used to find native loadable extensions (dll, so, dylib) and not extensions written in Java. Native loadable extensions can also be in a directory specified on the java.library.path. |
| enable_dl | Whether or not to enable the dl() function. | Yes | On | |
| file_uploads | Whether to allow HTTP file uploads. | No | On | |
| upload_tmp_dir | Temporary directory for HTTP uploaded files (will use system default if not specified). | No | ||
| upload_max_filesize | Maximum allowed size for uploaded files. | Yes | 2M | |
| extension | If you wish to have an extension loaded automatically, use the following syntax: For extensions written in Java use: extension=java_class_name For extensions written in C use: extension=extension_name For example: extension=php_gd. The appropriate filesystem extension (.dll, .so) will automatically be appended. Note that it should be the name of the module only; no directory information needs to go here. Specify the location of the extension with the extension_dir directive above. | Yes | ||
| unicode.runtime_encoding | Runtime encoding is used when a PHP string is converted into a Java string. Internally, the PHP runtime preserves the ability to store binary data in a PHP string, which is essential for full support of the PHP 5 language. The runtime encoding is used when a PHP string is explicitly converted to a Java string, such as when it is stored in the global context as described in PHP global context reference. | Yes | UTF-8 | |
| unicode.script_encoding | Script encoding defines how the PHP file is encoded. This must be correctly set in order for string literals and PHP names, such as function, variable and class names, to be correctly parsed by the runtime. | Yes | UTF-8 | |
| date.timezone | Defines the default timezone used by the date functions | Yes | ||
| date.default_longitude | date.default_latitude = 31.7667 | Yes | ||
| date.sunset_zenith | date.sunrise_zenith = 90.583333 | Yes | ||
| iconv.output_encoding | iconv.input_encoding = ISO-8859-1; iconv.internal_encoding = ISO-8859-1 | Yes | ||
| pcre.backtrack_limit | PCRE library backtracking limit. | Yes | ||
| pcre.recursion_limit | PCRE library recursion limit. Please note that if you set this value to a high number you may consume all the available process stack and eventually crash PHP (due to reaching the stack size limit imposed by the Operating System). | Yes | ||
| mysql.allow_persistent | Allow or prevent persistent links. | Yes | ||
| mysql.max_persistent | Maximum number of persistent links. -1 means no limit. | Yes | ||
| mysql.max_links | Maximum number of links (persistent + non-persistent). -1 means no limit. | Yes | ||
| mysql.default_port | Default port number for mysql_connect(). If unset, mysql_connect() will use the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the compile-time value defined MYSQL_PORT (in that order). Win32 will only look at MYSQL_PORT. | Yes | ||
| mysql.default_socket | Default socket name for local MySQL connects. If empty, uses the built-in MySQL defaults. | Yes | ||
| mysql.default_host | Default host for mysql_connect() (doesn't apply in safe mode). | Yes | ||
| mysql.default_user | Default user for mysql_connect() (doesn't apply in safe mode). | Yes | ||
| mysql.default_password | Default password for mysql_connect() (doesn't apply in safe mode). Note that it is generally a *bad* idea to store passwords in this file. *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")' and reveal this password! And of course, any users with read access to this file will be able to reveal the password as well. | Yes | ||
| mysql.connect_timeout | Maximum time (in seconds) for connect timeout. -1 means no limit | Yes | ||
| mysql.trace_mode | Trace mode. When trace_mode is active (=On), warnings for table/index scans and SQL-Errors will be displayed. | Yes | ||
| session.save_handler | Handler used to store/retrieve data. For WebSphere sMash you should use zerouserzone. This will enable session information to be stored in the Global context user zone. This will mean the zsessionid cookie will be used to track sessions, and not the values given in this php.ini file. It also means that session timeouts will be controlled by the settings in the zero.config, i.e. /config/userZone/idleTimeout and /config/userZone/invalidationTimeout | Yes | ||
| session.save_path | Argument passed to save_handler. In the case of files, this is the path where data files are stored. Note: Windows users have to change this variable in order to use PHP's session functions. As of PHP 4.0.1, you can define the path as: session.save_path = "N;/path" where N is an integer. Instead of storing all the session files in /path, what this will do is use subdirectories N-levels deep, and store the session data in those directories. This is useful if you or your OS have problems with lots of files in one directory, and is a more efficient layout for servers that handle lots of sessions. NOTE 1: PHP will not create this directory structure automatically. You can use the script in the ext/session dir for that purpose. NOTE 2: See the section on garbage collection below if you choose to use subdirectories for session storage. The file storage module creates files using mode 600 by default. You can change that by using session.save_path = "N;MODE;/path" where MODE is the octal representation of the mode. Note that this does not overwrite the process's umask. | Yes | | This option is not used when session.save_handler = zerouserzone. |
| session.use_cookies | Whether to use cookies. | Yes | | This option is not used when session.save_handler = zerouserzone. |
| session.cookie_secure | Specifies whether cookies should only be sent over secure connections. | Yes | | This option is not used when session.save_handler = zerouserzone. |
| session.use_only_cookies | This option enables administrators to make their users invulnerable to attacks which involve passing session ids in URLs; defaults to 0. | Yes | | This option is not used when session.save_handler = zerouserzone. |
| session.name | Name of the session (used as cookie name). | Yes | ||
| session.auto_start | Initialize session on request startup. | Yes | ||
| session.cookie_lifetime | Lifetime in seconds of cookie or, if 0, until browser is restarted. | Yes | ||
| session.cookie_path | The path for which the cookie is valid. | Yes | ||
| session.cookie_domain | The domain for which the cookie is valid. | Yes | ||
| session.cookie_httponly | Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript. | Yes | ||
| session.serialize_handler | Handler used to serialize data. php is the standard serializer of PHP. | Yes | ||
| session.gc_probability | Define the probability that the 'garbage collection' process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. | Yes | | This option is not used when session.save_handler = zerouserzone. |
| session.gc_divisor | Define the probability that the 'garbage collection' process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. | Yes | | This option is not used when session.save_handler = zerouserzone. |
| session.gc_maxlifetime | After this number of seconds, stored data will be seen as 'garbage' and cleaned up by the garbage collection process. | Yes | | This option is not used when session.save_handler = zerouserzone. |
| session.referer_check | Check HTTP Referer to invalidate externally stored URLs containing ids. HTTP_REFERER has to contain this substring for the session to be considered as valid. | Yes | | This option is not used when session.save_handler = zerouserzone. |
| session.cache_limiter | Set to {nocache,private,public,} to determine HTTP caching aspects or leave this empty to avoid sending anti-caching headers. | Yes | | This option is not used when session.save_handler = zerouserzone. |
| session.cache_expire | Document expires after n minutes. | Yes | | This option is not used when session.save_handler = zerouserzone. |
| mbstring.internal_encoding | internal/script encoding. Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*) | Yes | ||
| gd.jpeg_ignore_warning | Tell the JPEG decoder to ignore libjpeg warnings and try to create a gd image. The warnings will then be displayed as notices. Disabled by default. | Yes | ||
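
The table has two consequences that are easy to miss when reviewing a config/php.ini: a commented-out directive falls back to the default listed here (display_errors defaults to On, log_errors to Off), and a directive marked as not supported is ignored even when it is set. The following Python check is an added example, not part of the WebSphere sMash documentation or tooling; the function names and both sample files are constructed for illustration, and the rules cover only the directives named in the code.

```python
# Added example: audit a config/php.ini against the table on this page.
PAGE_DEFAULTS = {  # "Default Value" column; applies when a directive is absent
    "display_errors": "On",
    "display_startup_errors": "Off",
    "log_errors": "Off",
    "html_errors": "On",
    "track_errors": "Off",
}
# Rows marked "Supported: No": a value written in php.ini changes nothing.
UNSUPPORTED = {
    "safe_mode", "safe_mode_exec_dir", "disable_functions", "disable_classes",
    "expose_php", "register_globals", "file_uploads", "upload_tmp_dir",
}
# (directive, state that is flagged, reason taken from the table text)
PRODUCTION_RULES = [
    ("display_errors", True, "may reveal file paths or database schema to end users"),
    ("display_startup_errors", True, "recommended off except when debugging"),
    ("html_errors", True, "not for production boxes"),
    ("track_errors", True, "significant performance overhead"),
    ("log_errors", False, "error logging is advised in place of error display"),
]

def parse_ini(text):
    """Return {directive: value}; comment lines and section headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value.startswith('"'):
            value = value[1:].split('"', 1)[0]       # keep ';' inside quotes
        else:
            value = value.split(";", 1)[0].strip()   # drop trailing comment
        settings[name.strip()] = value
    return settings

def is_on(value):
    return value.strip().lower() in ("on", "1", "true", "yes")

def audit(text):
    """Return {directive: finding} for the effective configuration."""
    explicit = parse_ini(text)
    effective = {**PAGE_DEFAULTS, **explicit}
    findings = {}
    for name, flagged_state, why in PRODUCTION_RULES:
        if is_on(effective[name]) == flagged_state:
            origin = "set in file" if name in explicit else "page default"
            findings[name] = f"{why} ({origin})"
    for name in explicit:
        if name in UNSUPPORTED:
            findings[name] = "listed as not supported: the value is ignored"
    if explicit.get("mysql.default_password"):
        findings["mysql.default_password"] = (
            "readable via get_cfg_var() and by anyone who can read the file")
    return findings

# Constructed sample files, not taken from a real deployment.
SAMPLE_INI = """\
;display_errors = Off
log_errors = On
error_log = logs/php_errors.log
html_errors = Off
disable_functions = exec,system
mysql.default_password = "example-only"
"""
HARDENED_INI = "display_errors = Off\nlog_errors = On\nhtml_errors = Off\n"

if __name__ == "__main__":
    for directive, finding in sorted(audit(SAMPLE_INI).items()):
        print(f"{directive}: {finding}")
```

In the sample, display_errors is flagged because the line is commented out, so the default of On applies, and disable_functions is flagged because the setting gives no protection on this runtime.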