php.ini Settings for PHP on Windows


For everyone who occasionally sets up PHP on Windows manually and wonders which settings are best to make in the php.ini file.

| Setting | Description |
| --- | --- |
| `safe_mode=Off`<br>`safe_mode_gid=Off` | Disable safe mode. |
| `open_basedir="c:\inetpub\"` | Restrict where PHP processes can read and write on a file system. |
| `expose_php=Off` | Hide the presence of PHP. |
| `max_execution_time=30`<br>`max_input_time=60` | Limit script execution time. |
| `memory_limit=16M`<br>`upload_max_filesize=2M`<br>`max_input_nesting_level=64` | Limit memory usage and file sizes. |
| `display_errors=Off`<br>`log_errors=On`<br>`error_log="C:\path\of\your\choice\error.log"` | Configure error messages and logging. You can set `display_errors=On` on a developer machine; on a server you should turn it off.<br>Make sure the IIS application pool identity has write access to the log file. |
| `register_globals=Off` | This setting disables register_globals, which prevents PHP from injecting your scripts with global variables that are defined based on Web request data. |
| `post_max_size=8M` | Sets the maximum size of POST data allowed. This setting also affects file uploads. |
| `extension_dir` | This setting specifies a location for PHP extensions. Typically for PHP 5.2.x, you use one of the following values for this setting: `extension_dir="./ext"` or `extension_dir="C:\Program Files\PHP\ext"` |
| `cgi.force_redirect=0` | You must turn this off under IIS. Left undefined, PHP will turn this on by default. IIS takes care of CGI handling. |
| `cgi.fix_pathinfo=1` | This provides PATH_INFO/PATH_TRANSLATED support for CGI. The previous behavior of the PHP CGI module was to set PATH_TRANSLATED to SCRIPT_FILENAME and to ignore the PATH_INFO setting. For information about PATH_INFO, see the CGI specification. Changing this setting to 1 causes the PHP CGI to fix its paths to conform to the specification. |
| `fastcgi.impersonate=1` | FastCGI under IIS supports the ability to impersonate security tokens of the calling client. This setting allows IIS to define the security context that the request runs under. |
| `fastcgi.logging=0` | A PHP request to the IIS FastCGI module will fail if any data is sent on stderr by using the FastCGI protocol. Disabling FastCGI logging prevents PHP from sending error information over stderr, which prevents the Web server from sending HTTP 500 response codes to the client. |
| `upload_tmp_dir` | The temporary directory used for storing files when doing file upload. Must be writable by whatever user PHP is running as. If not specified, PHP will use the system's default (%systemroot%\temp).<br>Sample: `upload_tmp_dir="C:\php\tmp"` |
| `allow_url_fopen=Off`<br>`allow_url_include=Off` | Disable remote URLs for file handling functions, which may cause code injection vulnerabilities. |
| `date.timezone` | The default timezone used by all date/time functions if the TZ environment variable isn't set. The precedence order is described in the date_default_timezone_get() page. See List of Supported Timezones for a list of supported timezones.<br>Note: Seen this cause HTTP 500 errors on IIS via FastCGI if missing. Sample value, e.g. `date.timezone = "Europe/Berlin"` |
| `session.save_path` | session.save_path defines the argument which is passed to the save handler. If you choose the default files handler, this is the path where the files are created. This directory must not be a world-readable directory (i.e. don't publish it via WWW).<br>Sample: `session.save_path="C:\php\session"` |
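
The following Python script is an added example, not part of the original post: it checks the text of a php.ini against the security-relevant rows of the table and also flags typographic quotes, which PHP does not treat as string delimiters. The function names `parse_php_ini` and `audit`, the chosen subset of directives and the sample file are assumptions made for this illustration.

```python
import re

# Fixed on/off values from the table above; values are compared lower-cased.
RECOMMENDED = {"expose_php": "off", "display_errors": "off", "log_errors": "on",
               "allow_url_fopen": "off", "allow_url_include": "off"}
# Directives the table expects to name an explicit location.
MUST_BE_SET = ("open_basedir", "error_log", "session.save_path")
BOOL = {"1": "on", "on": "on", "yes": "on", "true": "on",   # boolean spellings
        "0": "off", "off": "off", "no": "off", "false": "off", "": "off"}

def parse_php_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in ";[" or "=" not in line:
            continue                     # blank line, comment, section header
        key, _, value = (part.strip() for part in line.partition("="))
        if value.startswith('"'):        # quoted: keep the text up to the closing quote
            value = value[1:].split('"', 1)[0]
        else:                            # unquoted: drop a trailing "; comment"
            value = value.split(";", 1)[0].strip()
        settings[key] = value
    return settings

def audit(text):
    """Return sorted findings for a php.ini passed as text."""
    ini, findings = parse_php_ini(text), []
    for name, want in RECOMMENDED.items():
        got = ini.get(name, "<not set>")
        if BOOL.get(got.lower(), got.lower()) != want:
            findings.append(f"{name}: is {got}, expected {want}")
    for name in MUST_BE_SET:
        value = ini.get(name, "")
        if not value:
            findings.append(f"{name}: not set")
        elif re.search("[\u201c\u201d\u201e]", value):  # typographic quotes pasted in
            findings.append(f"{name}: value contains typographic quotes")
    return sorted(findings)

# Constructed sample input, not taken from a real server.
SAMPLE = r'''[PHP]
expose_php = On
display_errors = Off   ; production value
log_errors = On
allow_url_fopen = On
allow_url_include = 0
open_basedir = "c:\inetpub\"
error_log = ”C:\logs\php-error.log”
'''
```

Call `audit()` with the contents of the php.ini that `php --ini` reports as loaded; an empty list means every checked directive matches the table.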


Sources:


http://learn.iis.net/page.aspx/246/using-fastcgi-to-host-php-applications-on-iis-70/#PHP_Security_Recommendations_


http://www.phparch.com/c/magazine/issue/97
