Appendix A. Configuration Directives

Although the focus of this book is application security, there are a few configuration directives with which any security-conscious developer should be familiar. The configuration of PHP can affect the behavior of the code you write as well as the techniques that you employ, and your responsibilities might extend slightly beyond the application on occasion.

The configuration of PHP is primarily dictated by a file called php.ini. This file contains many configuration directives, and each of these affects a very specific aspect of PHP. If this file is absent, or if a particular configuration directive is absent from the file, a default value is used.

If you do not know the location of your php.ini file, you can use phpinfo() to determine where PHP expects to find it:

    <?php

    phpinfo();

    ?>

Figure A-1 illustrates that the sixth line (Configuration File (php.ini) Path) indicates the full path to php.ini. If only a directory is shown there (no filename), PHP was unable to find php.ini in that directory and is running with its built-in default values.

The file itself is commented very well, so you can browse it to get a good idea of the options available to you. The manual is much more detailed, so I recommend visiting http://php.net/manual/ini.php if you need more information about a particular directive.

Figure A-1. The phpinfo() function can be used to locate php.ini
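The same information can be checked from code rather than by reading the phpinfo() page. The script below is an added example, not part of the book: it reports which php.ini (if any) was loaded, so you can tell when built-in defaults are in effect, and compares a few directives against expected values. The expected values are my assumed hardened baseline; allow_url_fopen is the directive this appendix discusses next.

```php
<?php
// Added example (not from the book). Requires PHP 5.2.4+ for
// php_ini_loaded_file(); the rest is plain ini_get() usage.

// Where did PHP actually get its configuration from?
// php_ini_loaded_file() returns false when no php.ini was found,
// which is exactly the "defaults in effect" case described above.
function configSummary()
{
    return array(
        'loaded_ini'    => php_ini_loaded_file() ?: '(none: built-in defaults in effect)',
        'scanned_files' => php_ini_scanned_files() ?: '(none)',
    );
}

// Normalise the many spellings of an ini boolean ("1", "On", "yes", "",
// "0", "Off") so that values can be compared reliably.
function iniBool($value)
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN) ? '1' : '0';
}

// Compare the live value of each directive with the value we expect.
// Returns only the mismatches; an empty array means the baseline holds.
function auditDirectives(array $expected)
{
    $mismatches = array();
    foreach ($expected as $directive => $want) {
        $have = ini_get($directive);
        if ($have === false) {
            // ini_get() returns false for a directive this build does not know.
            $mismatches[$directive] = array('expected' => $want, 'actual' => null);
            continue;
        }
        if (iniBool($have) !== iniBool($want)) {
            $mismatches[$directive] = array('expected' => $want, 'actual' => $have);
        }
    }
    return $mismatches;
}

print_r(configSummary());
// Assumed baseline: all three directives off.
print_r(auditDirectives(array(
    'allow_url_fopen' => '0',
    'display_errors'  => '0',
    'expose_php'      => '0',
)));
```

Run it from the web server as well as the command line, since each SAPI can load a different php.ini and the two summaries may differ.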

allow_url_fopen

As illustrated ...
