You may be able to add an additional security boost to your PHP applications by properly configuring your PHP runtime environment settings. You can edit the directives below from the Administration Interface by going to Server Setup | Directives.

Warning: Changing some of these settings may cause certain PHP applications to stop functioning. Therefore, use discretion while disabling them and test your environment; it is important that you fully understand the purpose of each directive before modifying it.

Optimal php.ini configurations and settings for maximum security protection from external threats:
| Name | Default | Optimal Value | Description |
|---|---|---|---|
| disable_functions | | | This directive allows you to disable certain functions for security reasons. It takes a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in the php.ini file; for example, you cannot set it in httpd.conf. |
| disable_classes | | | This directive allows you to disable certain classes for security reasons. It takes a comma-delimited list of class names. The disable_classes directive is not affected by Safe Mode. This directive must be set in php.ini; for example, you cannot set it in httpd.conf. |
| magic_quotes_gpc | 0 | 0 | Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single quotes), " (double quotes), \ (backslashes) and NULs are automatically escaped with a backslash. |
| allow_url_include | 0 | 0 | This option allows the use of URL-aware fopen wrappers with the following functions: include(), include_once(), require(), require_once(). Note: This setting requires that allow_url_fopen be set to On. |
| expose_php | 1 | 0 | Decides whether PHP may expose the fact that it is installed on the server (e.g., by adding its signature to the Web server header). It is no security threat in any way, but it makes it possible to determine whether you use PHP on your server or not. |
| display_errors | 1 | 0 | This determines whether errors should be printed to the screen as part of the output or hidden from the user. The value "stderr" sends the errors to stderr instead of stdout; that value is available as of PHP 5.2.4. In earlier versions, this directive was of type boolean. Note: This is a feature to support your development and should never be used on production systems (e.g., systems connected to the Internet). Note: Although display_errors may be set at runtime (with ini_set()), it won't have any effect if the script has fatal errors, because the desired runtime action does not get executed. |
| register_globals | 0 | 0 | Whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. Relying on this feature is highly discouraged. Please read the security chapter in the PHP manual on Using register_globals for related information. Note: register_globals is affected by the variables_order directive. |
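The following audit script is an added example and is not part of the Zend Server documentation or product. It reads the effective values of the directives in the table above with ini_get() and reports any that deviate from the "Optimal Value" column, handling the different spellings php.ini accepts for booleans and the fact that magic_quotes_gpc and register_globals no longer exist in PHP 5.4 and later. The helper names (audit_php_ini, ini_is_off, ini_list) and the two EXPECTED_DISABLED_* lists are assumptions of this example; the table leaves the disable_functions and disable_classes values to the administrator, so those lists are placeholders for your own policy.

```php
<?php
// Added example, not part of the Zend Server documentation: audit the running
// PHP interpreter's effective settings against the "Optimal Value" column
// of the directive table. Requires PHP 7.4 or later.
// Run it through the same SAPI you are hardening: php-cli reads its own
// php.ini, which may differ from the one the web server SAPI loads.

// Directives whose recommended value in the table is 0 (off).
const RECOMMENDED_OFF = [
    'magic_quotes_gpc',   // removed in PHP 5.4; reported as "absent" there
    'allow_url_include',
    'expose_php',
    'display_errors',
    'register_globals',   // removed in PHP 5.4; reported as "absent" there
];

// Placeholders (assumption of this example): the function and class names
// your own policy expects to find in disable_functions / disable_classes.
const EXPECTED_DISABLED_FUNCTIONS = [];
const EXPECTED_DISABLED_CLASSES   = [];

/**
 * ini_get() returns booleans as whatever spelling php.ini used: "1", "On",
 * "yes", "true", "0", "", "Off", "no", "false"; display_errors may also be
 * "stderr" or "STDOUT". Only an explicit "off" spelling counts as disabled,
 * so display_errors=stderr is (correctly) flagged as still showing errors.
 */
function ini_is_off(string $value): bool
{
    return in_array(strtolower(trim($value)), ['', '0', 'off', 'no', 'false', 'none'], true);
}

/** Split a comma-delimited php.ini list into a de-duplicated, lowercased array. */
function ini_list(string $value): array
{
    $items = array_map('trim', explode(',', $value));
    $items = array_filter($items, fn(string $s): bool => $s !== '');
    return array_values(array_unique(array_map('strtolower', $items)));
}

/**
 * Returns one finding per directive as [directive, current value, status],
 * where status is 'ok', 'WEAK ...' or 'absent' (directive unknown to this build).
 */
function audit_php_ini(): array
{
    $findings = [];

    foreach (RECOMMENDED_OFF as $directive) {
        $current = ini_get($directive);
        if ($current === false) {            // ini_get() returns false for unknown directives
            $findings[] = [$directive, null, 'absent'];
            continue;
        }
        $findings[] = [$directive, $current, ini_is_off((string) $current) ? 'ok' : 'WEAK'];
    }

    $lists = [
        'disable_functions' => EXPECTED_DISABLED_FUNCTIONS,
        'disable_classes'   => EXPECTED_DISABLED_CLASSES,
    ];
    foreach ($lists as $directive => $expected) {
        $current = ini_list((string) ini_get($directive));
        $missing = array_diff(array_map('strtolower', $expected), $current);
        $status  = $missing ? 'WEAK (missing: ' . implode(', ', $missing) . ')' : 'ok';
        $findings[] = [$directive, implode(',', $current), $status];
    }

    return $findings;
}

foreach (audit_php_ini() as [$directive, $current, $status]) {
    printf("%-20s %-30s %s\n", $directive, $status, var_export($current, true));
}
```

A directive reported as "absent" is not a weakness: it simply does not exist in the PHP version being audited, which is the case for magic_quotes_gpc and register_globals from PHP 5.4 onward. Because disable_functions and disable_classes can only be set in php.ini (the table notes they are ignored in httpd.conf), any entries missing from the reported lists have to be fixed there and the server restarted before re-running the audit.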
© 1999-2013 Zend Technologies, Ltd. All rights reserved.