Basics of php.ini
It basically consists of key-value pairs. Any line starts with a ; (semicolon) is a comment. Except comment and blank lines, all the others are active settings. You can open this file in a text editor.
Before changing any setting, it’s a good practice to backup your original php.ini file. Otherwise if you made an error in the file (mistyped) then your whole PHP installation won’t work. After making a change, to take effect that change, you will have to restart your web server.
Let’s take a look at some basic settings.
You know that any PHP code should reside between <?php and ?> tags. Making this setting ‘On’ allows you to put PHP code between <? and ?> omitting the ‘php’ part in the opening tag.
However using short open tags is a bad practice since in some PHP installations this might have been disabled. Thus your application won’t work in those servers.
But default tags would work in any PHP installation. To make sure that you write portable code from the begging, set the value of this setting to ‘Off’.
This tells the maximum time a script can take to process. You have to set the setting in seconds. Usually value is 30 or 60. This can prevent badly written code hanging the web server.
After mentioned seconds, if PHP parser is still unable to produce the output, it would stop the execution and will throw an error saying the script reached maximum execution time.
However there may be cases that you are sure the code is correct and you just need bit more time (like in a data importing). In such cases, you may increase the value. But keep in mind that a certain script needs more than a minute to execute means it needs improvement (if it’s a data importing, think about doing it part by part etc).
This setting specifies the maximum runtime memory a script can consume. Value is set in megabytes and default value is usually ‘16M’. As max_execution_time, you may increase the limit but it implies necessary improvements in your PHP script.
Usually default value of this setting is ‘Off’. Turning this ‘On’ allows to use form submitted data ($_GET and $_POST), cookies ($_COOKIE) and server variables ($_SERVER) to use in global scope.
For an example, if there is a form field called firstName and if the form uses post method to submit the form to the server then at the server you have to access that value as $_POST['firstName'] (that is using $_POST array). But if you turn this option ‘On’ then you can access the value by just $firstName.
Even though this looks cool, it can lead to security issues and conflicts with your custom variables. This setting is deprecated in PHP version 5.3.0 and is removed in version 6.0.0. That means you will have to access mentioned values via their respective built-in arrays.
PHP manual mentions that it’s architecturally incorrect to take this decision at PHP level and this setting is deprecated in PHP version 5.3.0 and is removed in version 6.0.0. Thus its default value is ‘Off’.
Deprecated and Removed Settings
When you go through some php.ini settings in PHP manual, you would find that some settings are marked as deprecated and/or removed from a certain version. Sometimes it may not provide enough information to understand the behavior after a particular setting is removed.
What you can do to get that understanding is to look at the current default value of the setting (PHP manual mentions it). If it is ‘On’ that means after the specified version, the setting is ‘On’ by default and vice versa. You would find that most of to-be-removed settings are ‘Off’ at default. For an example register_globals and safe_mode are ‘Off’ by default.
This means after PHP version 6.0.0, you can no longer access form submitted data (and other mentioned data) in global level without going through their respective built-in arrays and no function would be prevented via PHP safe mode and that you have to do necessary restrictions at web server level.