PHP insecure by default

Jason Aeschilman jason at
Mon Jun 28 22:43:35 UTC 2004

From: "Adam Voigt"
> On Mon, 2004-06-28 at 18:07, Jason Aeschilman wrote:
> > Why is PHP insecure by default on FC1?  Is it because it's not for
> > production use?  It uses a php.ini that is only suited for development,
> > production use.  I ended up grabbing the "php.ini-recommended" file from
> > official release of PHP-4.3.6 and made a couple Fedora-related changes
> > to it
> > (diff helped out here).
> >
> > J.A.K.E.
> > [ jake1138 AT yahoo DOT com ]
> lol, I must say you did a very good job of being as vague as possible
> and not illustrating your point in any way.

You're right, but I did get the discussion started.  All one needs to do is
read the comments in php.ini.  When the comments say, "don't do this in a
production environment" or "don't use this file in a production
environment", then that in of itself makes the point.  If you look at
php.ini-recommended, you'll learn even more.  Part of my reasoning for even
mentioning this here is to make people aware.  Here is the "diff php.ini
php.ini-recommended".  For those who haven't used diff before, the lines
preceded by "<" are from php.ini, the lines preceded by ">" are from

< output_buffering = Off
> output_buffering = 4096

< allow_call_time_pass_reference = On
> allow_call_time_pass_reference = Off

< error_reporting  =  E_ALL & ~E_NOTICE
> error_reporting  =  E_ALL

< display_errors = On
> display_errors = Off

< log_errors = Off
> log_errors = On

< variables_order = "EGPCS"
> variables_order = "GPCS"

< register_argc_argv = On
> register_argc_argv = Off

< magic_quotes_gpc = On
> magic_quotes_gpc = Off

< extension_dir = /usr/lib/php4
> extension_dir = "./"

< sendmail_path = /usr/sbin/sendmail -t -i
> ;sendmail_path =

< dbx.colnames_case = "unchanged"
> dbx.colnames_case = "lowercase"

< session.save_path = /tmp
> ;session.save_path = /tmp

< session.gc_divisor     = 100
> session.gc_divisor     = 1000

< session.bug_compat_42 = 1
> session.bug_compat_42 = 0

< url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
> url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

To make php.ini-recommended work for Fedora, I changed this line:

extension_dir = /usr/lib/php4

[ jake1138 AT yahoo DOT com ]
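As an added example (not code from the post, from PHP or from Fedora), a small Python audit that parses php.ini syntax and reports directives still carrying the development values shown on the "<" side of the diff above; the sample php.ini text and the reason strings are constructed for this illustration, and the expected values come from the ">" (php.ini-recommended) side of the diff.

```python
# Added example (not from the post): flag php.ini directives that still carry
# the development-only values shown on the "<" side of the diff above.

# Expected values are the ">" (php.ini-recommended) side of the diff; the
# reason text is our own wording, not the post's.
RECOMMENDED = {
    "display_errors": ("Off", "error text leaks paths and queries to visitors"),
    "log_errors": ("On", "errors belong in the log, not the response"),
    "magic_quotes_gpc": ("Off", "fake escaping; escape in the application"),
    "register_argc_argv": ("Off", "not needed for web requests"),
    "allow_call_time_pass_reference": ("Off", "deprecated, hides bugs"),
    "variables_order": ("GPCS", "keeps the environment out of $_REQUEST"),
    "error_reporting": ("E_ALL", "log notices too"),
}

def parse_php_ini(text):
    """Return {directive: value} for active lines. ';' starts a comment,
    [sections] are skipped and surrounding quotes are stripped as PHP does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings

def audit(text):
    """Return (directive, current, recommended, why) for each deviation;
    a directive that is not set at all is reported with current = None."""
    current = parse_php_ini(text)
    return [(key, current.get(key), want, why)
            for key, (want, why) in RECOMMENDED.items()
            if (current.get(key) or "").lower() != want.lower()]

# Constructed sample in the shape of the FC1 php.ini from the post
SAMPLE_INI = """
[PHP]
display_errors = On      ; fine on a workstation, not on a server
log_errors = On          ; already set the recommended way
magic_quotes_gpc = On
register_argc_argv = On
variables_order = "EGPCS"
error_reporting  =  E_ALL & ~E_NOTICE
;session.save_path = /tmp
"""

if __name__ == "__main__":
    for key, have, want, why in audit(SAMPLE_INI):
        print(f"{key}: is {have!r}, recommended {want!r} ({why})")
```

Run it against the real file with `audit(open("/etc/php.ini").read())`; a directive that is commented out is reported as unset, since PHP's compiled-in default then applies.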
