Searching...
Saturday 8 June 2013
Naveen Jamdagani
12:38 pm
0 comments

PHP’s CONFIGURATION DIRECTIVES - Part 3

Home » Configuration Directives » configure php » Data Handling » function » PHP » php basics » php.ini » variables » PHP’s CONFIGURATION DIRECTIVES - Part 3
PHP’s CONFIGURATION DIRECTIVES

The directives are introduced as they appear in php.ini file. This might be boring, but it's needed so read it carefully. Have it your way!!!

Note:-  Error Handling and Logging and File Uploads directives are not discussed  here as per your comfort. I will be introducing them on the go.


DATA HANDLING

The parameters introduced in this section affect the way that PHP(official website) handles external variables, passed into the script via some outside source. GET, POST, cookies, the operating system, and the server. Other parameters located in this section determine PHP’s default character set, PHP’s default MIME type, and whether external files will be automatically prepended or appended to PHP’s returned output.

arg_separator.output = string
Scope: PHP_INI_ALL; Default value: &

PHP is capable of automatically generating URLs and uses the standard ampersand (&) to separate input variables. To override this convention arg_separator.output directive is used.

arg_separator.input = string
Scope: PHP_INI_ALL; Default value: ;&;

The ampersand (&) is the standard character used to separate input variables passed in via the POST or GET methods. You can override this by using the arg_separator.input directive.

variables_order = string
Scope: PHP_INI_ALL; Default value: GPCS

The variables_order directive determines the order in which the ENVIRONMENT, GET, POST, COOKIE, and SERVER variables are parsed. While seemingly irrelevant, if register_globals is enabled (not recommended), the ordering of these values could result in unexpected results due to later variables overwriting those parsed earlier in the process.

register_globals = On | Off
Scope: PHP_INI_SYSTEM; Default value: Off

If you have used a pre-4.0 version of PHP, the mere mention of this directive is enough to evoke gnashing of the teeth and pulling of the hair. To eliminate the problems, this directive was disabled by default in version 4.2.0, but at the cost of forcing many long-time PHP users to entirely rethink (and in some cases rewrite) their web application development methodology. This change ultimately serves the best interests of developers in terms of greater application security. If you’re new to all of this, what’s the big deal?
Historically, all external variables were automatically registered in the global scope. That is, any incoming variable of the types COOKIE, ENVIRONMENT, GET, POST, and SERVER were made available globally. Because they were available globally, they were also globally modifiable. For example, suppose that a session identifier uniquely identifying the user is communicated across pages via a cookie. Nobody but that user should see the data that is ultimately mapped to the user identified by that session identifier. A user could open the cookie, copy the session identifier, and paste it onto the end of the URL, like this:

http://www.example.com/secretdata.php?sessionid=4x5bh5H793adK

The user could then e-mail this link to some other user. If there are no other security restrictions in place (e.g., IP identification), this second user will be able to see the otherwise confidential data.
Disabling the register_globals directive prevents such behavior from occurring. Although disabling register_globals is unequivocally a good idea, it isn’t the only factor you should keep in mind when you secure an application.

Note:- The register_globals feature has been a constant source of confusion and security-related problems over the years. Accordingly, it has been deprecated as of PHP 5.3.0.

register_long_arrays = On | Off
Scope: PHP_INI_SYSTEM; Default value: Off

This directive determines whether to continue registering the various input arrays (ENVIRONMENT, GET, POST, COOKIE, SYSTEM) using the deprecated syntax, such as HTTP_*_VARS. Disabling this directive is recommended for performance reasons.

Note:- The register_long_arrays directive has been deprecated as of PHP 5.3.0.

register_argc_argv = On | Off
Scope: PHP_INI_SYSTEM; Default value: Off

Passing in variable information via the GET method is analogous to passing arguments to an executable. Many languages process such arguments in terms of argc and argv. argc is the argument count, and argv is an indexed array containing the arguments. If you would like to declare variables $argc and $argv and mimic this functionality, enable register_argc_argv.

post_max_size = integerM
Scope: PHP_INI_SYSTEM; Default value: 8M

Of the two methods for passing data between requests, POST is better equipped to transport large amounts, such as what might be sent via a web form. However, for both security and performance reasons, you might wish to place an upper ceiling on exactly how much data can be sent via this method to a PHP script; this can be accomplished using post_max_size.


WORKING WITH SINGLE AND DOUBLE QUOTES 
Quotes, both of the single and double variety, have long played a special role in programming. Because they are commonly used both as string delimiters and in written language, you need a way to differentiate between the two in programming to eliminate confusion. The solution is simple: escape any quote mark not intended to delimit the string. If you don’t do this, unexpected errors could occur. Consider the following:
$sentence = "John said, "I love racing cars!"";
Which quote marks are intended to delimit the string and which are used to delimit John’s utterance? PHP doesn’t know unless certain quote marks are escaped, like this:
$sentence = "John said, \"I love racing cars!\"";
Escaping nondelimiting quote marks is known as enabling magic quotes. This process could be done either automatically, by enabling the directive magic_quotes_gpc , or manually, by using the functions addslashes() and stripslashes(). The latter strategy is recommended because it gives you total control over the application (although in those cases where you’re trying to use an application in which the automatic escaping of quotations is expected, you’ll need to enable this behavior accordingly).
However, because this feature has long been a source of confusion among developers, it’s been deprecated as of PHP 5.3.0.

magic_quotes_gpc = On | Off
Scope: PHP_INI_SYSTEM; Default value: Off

This parameter determines whether magic quotes are enabled for data transmitted via the GET, POST, and cookie methodologies. When enabled, all single and double quotes, backslashes, and null characters are automatically escaped with a backslash.

magic_quotes_runtime = On | Off
Scope: PHP_INI_ALL; Default value: Off

Enabling this parameter results in the automatic escaping (using a backslash) of any quote marks located within data returned from an external resource, such as a database or text file.

magic_quotes_sybase = On | Off
Scope: PHP_INI_ALL; Default value: Off

This parameter is only of interest if magic_quotes_runtime is enabled. If magic_quotes_sybase is enabled, all data returned from an external resource will be escaped using a single quote rather than a backslash. This is useful when the data is being returned from a Sybase database, which employs a rather unorthodox requirement of escaping special characters with a single quote rather than a backslash.

auto_prepend_file = string
Scope: PHP_INI_SYSTEM; Default value: NULL

Creating page header templates or including code libraries before a PHP script is executed is most commonly done using the include() or require() function. You can automate this process and forgo the inclusion of these functions(more about functions in php) within your scripts by assigning the file name and corresponding path to the auto_prepend_file directive.

auto_append_file = string
Scope: PHP_INI_SYSTEM; Default value: NULL

Automatically inserting footer templates after a PHP script can be automated by assigning the template file name and corresponding path to the auto_append_file directive.

default_mimetype = string
Scope: PHP_INI_ALL; Default value: text/html

MIME types offer a standard means for classifying file types on the Internet. You can serve any of these file types via PHP applications, the most common of which is text/html.

default_charset = string
Scope: PHP_INI_ALL; Default value: NULL

As of version 4.0, PHP outputs a character encoding in the Content-Type header. By default the character encoding in the Content-Type header is set to iso-8859-1, which supports languages such as English, Spanish, German, Italian, and Portuguese, among others. If your application is geared toward languages such as Japanese, Chinese, or Hebrew, however, the default_charset directive allows you to update this character set setting accordingly.

always_populate_raw_post_data = On | Off
Scope: PHP_INI_PERDIR; Default value: Off

Enabling this directive causes PHP to assign a string consisting of POSTed name/value pairs to the variable $HTTP_RAW_POST_DATA, even if the form variable has no corresponding value. For example, suppose this directive is enabled and you create a form consisting of two text fields, one for the user’s name and another for the user’s e-mail address. In the resulting form action, you execute just one command:

echo $HTTP_RAW_POST_DATA;

Filling out neither field and clicking the Submit button results in the following output:


name=&email=


Filling out both fields and clicking the Submit button produces output similar to the following:


name=jason&email=jason%40example.com


Posted by Naveen Jamdagani at 12:38 pm
Labels: , , , , , , ,
Location: Rohtak, Haryana, India
Share This To :

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)
 
Back to top!