Here's a short explanation of
the configuration directives.
-
include_path
string
-
Specifies a list of directories where the
require, include,
fopen(), file(),
readfile() and file_get_contents()
functions look for files. The format is like the system's
PATH environment variable: a list of directories
separated with a colon in Unix or semicolon in Windows.
PHP considers each entry in the include path separately when looking for
files to include. It will check the first path, and if it doesn't find
it, check the next path, until it either locates the included file or
returns with a
warning
or an error.
You may modify or set your include path at runtime using
set_include_path().
Example #1 Unix include_path
include_path=".:/php/includes"
Example #2 Windows include_path
include_path=".;c:\php\includes"
Using a . in the include path allows for
relative includes as it means the current directory. However,
it is more efficient to explicitly use include
'./file' than having PHP always check the current
directory for every include.
Note:
ENV variables are also accessible in .ini files.
As such it is possible to reference the home directory using
${LOGIN} and ${USER}.
Environment variables may vary between Server APIs as those environments
may be different.
Example #3 Unix include_path using ${USER} env variable
include_path = ".:${USER}/pear/php"
-
open_basedir
string
-
Limit the files that can be accessed by PHP to the specified
directory-tree, including the file itself. This directive
is NOT affected by whether Safe Mode is
turned On or Off.
When a script tries to access the filesystem, for example using
include, or fopen(), the location of the file
is checked.
When the file is outside the specified directory-tree, PHP will refuse to access it.
All symbolic links are resolved, so it's not possible to avoid this restriction
with a symlink. If the file doesn't exist then the symlink couldn't be
resolved and the filename is compared to (a resolved) open_basedir
.
open_basedir
can affect more than just filesystem functions; for example
if MySQL is configured to use mysqlnd drivers,
LOAD DATA INFILE will be affected by open_basedir
.
Much of the extended functionality of PHP uses open_basedir in this way.
The special value .
indicates that the working directory of the script will be used as the
base-directory. This is, however, a little dangerous as the working directory
of the script can easily be changed with chdir().
In httpd.conf, open_basedir
can be turned off
(e.g. for some virtual hosts)
the same way as
any other configuration directive with "php_admin_value open_basedir
none".
Under Windows, separate the directories with a semicolon. On all
other systems, separate the directories with a colon. As an Apache
module, open_basedir
paths from parent directories are now
automatically inherited.
The restriction specified with open_basedir
is a
directory name since PHP 5.2.16 and 5.3.4. Previous versions used it
as a prefix. This means that "open_basedir
= /dir/incl" also allowed access to "/dir/include" and
"/dir/incls" if they exist. When you want to restrict access
to only the specified directory, end with a slash. For example:
open_basedir = /dir/incl/
The default is to allow all files to be opened.
Note:
As of PHP 5.3.0 open_basedir can be tightened at run-time. This means
that if open_basedir is set to /www/ in php.ini
a script can tighten the configuration to
/www/tmp/ at run-time with
ini_set(). When listing several directories, you
can use the PATH_SEPARATOR
constant as a separator
regardless of the operating system.
-
doc_root
string
-
PHP's "root directory" on the server. Only used if
non-empty. If PHP is configured with safe mode, no files outside
this directory are served.
If PHP was not compiled with FORCE_REDIRECT, you should
set doc_root if you are running PHP as a CGI under any web
server (other than IIS). The alternative is to use the
cgi.force_redirect configuration below.
-
user_dir
string
-
The base name of the directory used on a user's home directory for PHP
files, for example public_html
.
-
extension_dir
string
-
In what directory PHP should look for dynamically loadable
extensions. See also: enable_dl,
and dl().
-
extension
string
-
Which dynamically loadable extensions to load when PHP starts up.
-
zend_extension
string
-
Name of dynamically loadable Zend extension (for example
APD) to load when PHP starts up.
-
zend_extension_debug
string
-
Variant of zend_extension
for extensions compiled with debug info prior to PHP 5.3.0.
-
zend_extension_debug_ts
string
-
Variant of zend_extension
for extensions compiled with debug info and thread safety prior to PHP
5.3.0.
-
zend_extension_ts
string
-
Variant of zend_extension
for extensions compiled with thread safety prior to PHP 5.3.0.
-
cgi.check_shebang_line
boolean
-
Controls whether CGI PHP checks for line starting
with #! (shebang) at the top of the running script.
This line might be needed if the script support running both as
stand-alone script and via PHP CGI. PHP in
CGI mode skips this line and ignores its content if
this directive is turned on.
-
cgi.fix_pathinfo
boolean
-
Provides real PATH_INFO/
PATH_TRANSLATED support for CGI.
PHP's previous behaviour was to set PATH_TRANSLATED
to SCRIPT_FILENAME, and to not grok what
PATH_INFO is. For more information on
PATH_INFO, see the CGI specs.
Setting this to 1 will cause PHP
CGI to fix its paths to conform to the spec. A
setting of zero causes PHP to behave as before. It is turned on by
default. You should fix your scripts to use
SCRIPT_FILENAME rather than
PATH_TRANSLATED.
-
cgi.force_redirect
boolean
-
cgi.force_redirect is necessary to provide security running PHP as a
CGI under most web servers. Left undefined, PHP
turns this on by default. You can turn it off at your own
risk.
Note:
Windows Users: When using IIS this option must
be turned off. For OmniHTTPD or Xitami the same applies.
-
cgi.redirect_status_env
string
-
If cgi.force_redirect is turned on, and you are not running under
Apache or Netscape (iPlanet) web servers, you may
need to set an environment variable name that PHP will look for to
know it is OK to continue execution.
Note:
Setting this variable may cause security issues,
know what you are doing first.
-
Tells PHP what type of headers to use when sending HTTP response
code. If it's set to 0, PHP sends a » RFC 3875
"Status:" header that is supported by Apache and other web servers. When this option
is set to 1, PHP will send » RFC 2616 compliant
headers.
If this option is enabled, and you are running PHP in a CGI environment (e.g. PHP-FPM)
you should not use standard RFC 2616 style HTTP status response headers, you should
instead use their RFC 3875 equivalent e.g. instead of header("HTTP/1.0 404 Not found");
you should use header("Status: 404 Not Found");
Leave it set to 0 unless you know what you're doing.
-
fastcgi.impersonate
string
-
FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
security tokens of the calling client. This allows IIS to define the
security context that the request runs under. mod_fastcgi under Apache
does not currently support this feature (03/17/2002)
Set to 1 if running under IIS. Default is zero.
-
fastcgi.logging
boolean
-
Turns on SAPI logging when using FastCGI. Default is
to enable logging.