This is an overview of the recommended directives for your application. The most important directives have been collected here, for a quick review. The whole list of directive is available as a link to the manual, when applicable. When an extension is missing from the list below, either it as no specific configuration directive, or it is not used by the current code.
| Directive | Suggestion | Description |
|---|---|---|
| date | ||
| date.timezone | Europe/Amsterdam | It is not safe to rely on the system's timezone settings. Make sure the directive date.timezone is set in php.ini. |
| file | ||
| allow_url_fopen | Off | Unless you need to access remote files, it is better to be safe and forbid this feature |
| realpath_cache_size | 128k | Determines the size of the realpath cache to be used by PHP. The default value of "16k" is usually too low for modern application that open many files (autoload, fopen, filet_get_contents...). It is recommended to make this value up to 128 to 256k, and reduce it by testing with realpath_cache_get(). |
| realpath_cache_ttl | 3600 | Duration of time (in seconds) for which to cache realpath information for a given file or directory. If the application's code doesn't change too often, you may set this directive to 3600 (one hour) or even more. |
| Extra configurations | File System runtime configuration | |
| SMTP | localhost | Used under Windows only: the host that will be sending the mail. |
| smtp_port | 25 | Used under Windows only: the port on the host that will be sending the mail. |
| sendmail_path | /usr/sbin/sendmail -t -i | The location of the mail sending program (here, smtp, but it may also be qmail or else). Configure will try to locate smtp, but if it fails, you may set this directive correctly. |
| sendmail_from | your-email@your-domain.com | Indicates an origin for any mail being send with PHP. This should be set, so as to avoid being mistaken as spam, and provide an with which communicate in case of any problem. |
| mail.log | /var/log/phpmail.log | Keep log of mails being send with PHP. Be careful if the data being send are sensitive (destination is noted). |
| mail.add_x_header | your-domain.com | Adds a special X-PHP-Originating-Script headers, providing more information on the origin of the mail, but which will be mostly hidden from the final reader (unless it checks the mail headers). |
| Extra configurations | Mail runtime configuration | |
| mbstring | ||
| default_charset | UTF-8 | This directive handle encoding for input, internal and output. default_charset |
| mbstring.internal_encoding | Do not rely on it | This directive is deprecated or removed since PHP 5.6. It is recommended to use the "default_charset" directive instead. |
| Extra configurations | mbstring runtime configuration | |
| ob | ||
| output_buffering | 4096 | You can enable output buffering for all files by setting this directive to 'On'. If you wish to limit the size of the buffer to a certain size - you can use a maximum number of bytes instead of 'On', as a value for this directive (e.g., output_buffering=4096). As of PHP 4.3.5, this directive is always Off in PHP-CLI. |
| output_handler | mb_output_handler or ob_iconv_handler(), ob_gzhandler() or zlib.output_compression; | Use the first suggested values to handle character encoding. Use the second values for on the fly compression; Use your own function if you have one. |
| implicit_flush | False | Changing this to TRUE tells PHP to tell the output layer to flush itself automatically after every output block : this has performances penalty. |
| pcre | ||
| Extra configurations | PCRE runtime configuration | |
| pdo | ||
| Extra configurations | PDO runtime configuration | |
| standard | ||
| memory_limit | 120 | This sets the maximum amount of memory in bytes that a script is allowed to allocate. This helps prevent poorly written scripts for eating up all available memory on a server. It is recommended to set this as low as possible and avoid removing the limit. |
| max_execution_time | 90 | This sets the maximum amount of time, in seconds, that a script is allowed to run. The lower the value, the better for the server, but also, the better has the script to be written. Avoid really large values that are only useful for admin, and set them per directory. |
| expose_php | Off | Exposes to the world that PHP is installed on the server. For security reasons, it is better to keep this hidden. |
| display_errors | Off | This determines whether errors should be printed to the screen as part of the output or if they should be hidden from the user. |
| error_reporting | E_ALL | Set the error reporting level. Always set this high, so as to have the errors reported, and logged. |
| log_errors | On | Always log errors for future use |
| error_log | Name of a writable file, suitable for logging. | Name of the file where script errors should be logged. |
| Extra configurations | Standard runtime configuration | |
| Enable DL | ||
| enable_dl | Off | Whether or not to enable the dl() function. The dl() function does NOT work properly in multithreaded servers, such as IIS or Zeus, and is automatically disabled on them. |
| Disable features | ||
| disable_functions | exec, passthru, shell_exec, system, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, popen, pclose, curl_exec, curl_multi_exec, show_source, symlink, fsockopen, pfsockopen, socket_connect, socket_create_listen, socket_create_pair, socket_create, symlink, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, dl, leak, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid | This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode. ; 1 sensitive functions were found in the code. Don't disable those : mail |
| disable_classes | phar | This directive allows you to disable certain classes for security reasons. It takes on a comma-delimited list of class names. disable_classes is not affected by Safe Mode. This directive must be set in php.ini. ; 1 sensitive classes were found in the code. Don't disable those : |
| File Upload | ||
| upload_max_filesize | 2M | This is the maximum uploaded size. It is recommended to keep this value as low as possible. |
| max_file_uploads | 1 | This is the maximum number of uploaded files in a single request. |
| upload_tmp_dir | /tmp/php_upload | Upload directory where PHP stores the temporary files. It is recommended to set this value, and separate it from other temporary directories. |
| post_max_size | 2M | This is the maximum amount of data that PHP will accept in a POST request. It has to be higher or equal to upload_max_filesize. For security reasons, it should be as low as possible, to prevent PHP using too much memory. |