Freigeben über


php.ini Einstellungen für PHP auf Windows

Für alle die ab und an php auf windows manuell einrichten und sich fragen welche settings man nochmal am besten in der php.ini Datei machen sollte.

Setting

Description

safe_mode=Offsafe_mode_gid=Off

Disable safe mode

open_basedir="c:\inetpub\"

Restrict where PHP processes can read and write on a file system.

expose_php=Off

Hide presence of PHP

max_execution_time=30max_input_time=60

Limit script execution time

memory_limit=16Mupload_max_filesize=2Mmax_input_nesting_levels=64

Limit memory usage and file sizes

display_errors=Offlog_errors=Onerror_log="C:\path\of\your\choice\error.log"

Configure error messages and logging. You can set display_errors=On for developer machine on a server you should turn it off.

Make sure the IIS application pool identity has write access to the log file.

register_globals=Off

This setting disables register_globals, which prevents PHP from injecting your scripts with global variables that are defined based on Web request data.

post_max_size=8M

Sets max size of post data allowed. This setting also affects file upload.

extension_dir

This setting specifies a location for PHP extensions. Typically for PHP 5.2.x,you use the following values for this setting: extension_dir="./ext" -or- extension_dir="C:\Program Files\PHP\ext"

cgi.force_redirect=0

You must turn this off under IIS. Left undefined, PHP will turn this on by default. IIS takes care of CGI handling.

cgi.fix_pathinfo=1

This provides PATH_INFO/PATH_TRANSLATED support for CGI. The previous behavior of the PHP CGI module was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to ignore the PATH_INFO setting. For information about PATH_INFO, see the CGIspecification. Changing this setting to 1 causes the PHP CGI to fix its paths toconform to the specification.

fastcgi.impersonate=1

FastCGI under IIS supports the ability to impersonate security tokens of the calling client. This setting allows IIS to define the security context that the request runs under. |

fastcgi.logging=0

A PHP request to the IIS FastCGI module will fail if any data is sent on stderr by using the FastCGI protocol. DisablingFastCGI logging prevents PHP from send- ing error information over stderr, whichprevents the Web server from sending HTTP 500 response codes to the client.

upload_tmp_dir

The temporary directory used for storing files when doing file upload. Must be writable by whatever user PHP is running as. If not specified PHP will use the system's default (%systemroot%\temp).

Sample: upload_tmp_dir="C:\php\tmp"

allow_url_fopen=Offallow_url_include=Off

Disable remote URLs for file handling functions, which may cause code injection vulnerabilities.

date.timezone

The default timezone used by all date/time functions if the TZ environment variable isn't set. The precedence order is described in the date_default_timezone_get() page. See List of Supported Timezones for a list of supported timezones.

Annot: Seen this to cause http 500 errors on iis via fastcgi if missing. Sample value e.g. date.timezone = "Europe/Berlin"

session.save_path

session.save_path defines the argument which is passed to the save handler. If you choose the default files handler, this is the path where the files are created. This directory must not be a world-readable directory (i.e. don't publish via WWW)

Sample: session.save_path ="C:\php\session"

Quellen:

https://learn.iis.net/page.aspx/246/using-fastcgi-to-host-php-applications-on-iis-70/#PHP_Security_Recommendations_

https://www.phparch.com/c/magazine/issue/97

Comments