{
    "slug": "php_ini",
    "term": "php.ini Security Settings",
    "category": "php",
    "difficulty": "intermediate",
    "short": "Critical php.ini directives that harden PHP applications by disabling dangerous features and restricting runtime behaviour.",
    "long": "Key security directives in php.ini: display_errors=Off together with log_errors=On (errors go to the log instead of the response, so file paths and stack traces are not leaked); expose_php=Off (drops the X-Powered-By header that reveals the PHP version); allow_url_include=Off (blocks include/require over http:// or ftp://, the classic remote file inclusion vector; Off by default and deprecated since PHP 7.4, but verify it); disable_functions listing command-execution functions (exec, system, passthru, shell_exec, popen, proc_open) so a code-injection bug does not turn straight into a shell; open_basedir limiting file access to the application tree (defence in depth checked inside PHP, not an OS-level sandbox, so keep filesystem permissions tight as well); session.use_strict_mode=On, session.cookie_httponly=On, session.cookie_secure=On and session.cookie_samesite=Lax (reject session IDs the server did not issue and keep the cookie away from JavaScript and plain HTTP); post_max_size and upload_max_filesize sized to real needs (bound per-request memory and disk use). Start from the php.ini-production template that ships with PHP rather than php.ini-development, and re-check the effective values under each SAPI after every upgrade, because new releases change defaults.",
    "aliases": [
        "php.ini",
        "PHP configuration file",
        "PHP runtime settings"
    ],
    "tags": [
        "php",
        "configuration",
        "devops",
        "security"
    ],
    "misconception": "php.ini settings apply uniformly to all PHP processes on a server. In reality the effective value depends on where PHP runs: the CLI and PHP-FPM usually load different php.ini files; an FPM pool can override directives with php_value and php_admin_value; a directory can override INI_PERDIR and INI_USER directives with .user.ini (under CGI, FastCGI and FPM) or .htaccess (only under mod_php); and a script can change INI_ALL directives at runtime with ini_set(). INI_SYSTEM directives such as disable_functions, allow_url_include and expose_php can only be set in php.ini or the pool or server configuration, and php_admin_value (php_admin_flag in Apache) is what stops a script from loosening a setting with ini_set(). Knowing which level a directive lives at is essential when a hardening setting seems not to take effect.",
    "why_it_matters": "php.ini controls PHP's runtime behaviour at the server level — misconfigured settings silently affect security, performance, and error visibility across every script.",
    "common_mistakes": [
        "Not having separate php.ini for CLI and FPM — they often need different memory_limit and timeout values.",
        "Leaving expose_php = On — the X-Powered-By header advertises your PHP version to attackers.",
        "Not setting session.cookie_secure, session.cookie_httponly, and session.cookie_samesite at the php.ini level as defaults.",
        "Raising upload_max_filesize without raising post_max_size above it — a request body larger than post_max_size is dropped entirely rather than truncated: $_POST and $_FILES come back empty and only a warning is logged, so uploads fail with no useful error. Keep memory_limit above post_max_size as well."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "security_misconfiguration",
        "allow_url_fopen",
        "session"
    ],
    "prerequisites": [
        "php_fpm",
        "opcache",
        "error_handling"
    ],
    "refs": [
        "https://www.php.net/manual/en/ini.list.php",
        "https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html"
    ],
    "bad_code": "; php.ini security issues:\nexpose_php = On           ; X-Powered-By advertises the PHP version\ndisplay_errors = On       ; errors, file paths and stack traces shown to users in production\nallow_url_include = On    ; include/require can fetch remote code (RFI)\ndisable_functions =       ; exec, system, shell_exec reachable from any injected code\nopen_basedir =            ; scripts may read any file the PHP user can\nsession.use_strict_mode = 0 ; accepts attacker-supplied session IDs (fixation)\nsession.cookie_httponly = 0 ; session cookie readable by JavaScript\nregister_globals = On     ; removed in PHP 5.4; a leftover line like this is ignored but shows the file was never reviewed",
    "good_code": "; Key php.ini settings (start from the php.ini-production template shipped with PHP)\n\n; Development only (php.ini-development):\nerror_reporting        = E_ALL\ndisplay_errors         = On\ndisplay_startup_errors = On\n\n; Production:\nerror_reporting  = E_ALL & ~E_DEPRECATED   ; older templates add & ~E_STRICT; PHP 8.4 deprecates E_STRICT\ndisplay_errors   = Off    ; CRITICAL: errors, paths and traces go to the log, never to the user\ndisplay_startup_errors = Off\nlog_errors       = On\nerror_log        = /var/log/php/error.log\nexpose_php       = Off    ; drops the X-Powered-By header\nallow_url_include = Off   ; no include/require over http:// or ftp:// (RFI)\ndisable_functions = exec,passthru,shell_exec,system,proc_open,popen\nopen_basedir     = /var/www/app:/tmp   ; defence in depth, not a sandbox\nsession.use_strict_mode = 1   ; reject session IDs the server did not issue\nsession.cookie_httponly = 1   ; not readable from JavaScript\nsession.cookie_secure   = 1   ; only over HTTPS\nsession.cookie_samesite = Lax\nmax_execution_time = 30\nmemory_limit     = 256M\nupload_max_filesize = 10M\npost_max_size    = 12M    ; must exceed upload_max_filesize; memory_limit must exceed post_max_size\ndate.timezone    = UTC\n\n; Verify the EFFECTIVE values per SAPI (FPM pools and .user.ini can override php.ini):\n;   php --ini                        ; which ini files the CLI loads\n;   <?php ini_get('display_errors'); // one directive, from inside the running application\n;   phpinfo()                        ; full dump: must NEVER be reachable in production",
    "quick_fix": "Production php.ini checklist: start from php.ini-production; display_errors=Off, log_errors=On, expose_php=Off, allow_url_include=Off, disable_functions covering exec/system/passthru/shell_exec, session.use_strict_mode=1, session.cookie_httponly=1, session.cookie_secure=1, upload_max_filesize sized to real needs with post_max_size above it and memory_limit above that (256M is a common starting point), opcache.enable=1 (performance, not security); then confirm with ini_get() under both CLI and FPM.",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/php_ini",
        "html_url": "https://codeclaritylab.com/glossary/php_ini",
        "json_url": "https://codeclaritylab.com/glossary/php_ini.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[php.ini Security Settings](https://codeclaritylab.com/glossary/php_ini) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/php_ini"
            }
        }
    }
}
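Added example (PHP 8.0 or later), not part of the glossary entry: an audit script that reads the effective values with ini_get() and compares them with the baseline described in the long and good_code fields, including the post_max_size / upload_max_filesize / memory_limit ordering from the common mistakes. Because pools and .user.ini files override php.ini (the misconception above), it is meant to be run once from the CLI and once through the web server, then removed from the web root. The directive names are real PHP directives; the baseline values, the helper names and the file name php_ini_audit.php are this example's own choices.

```php
<?php
// php_ini_audit.php -- added example, not the glossary's own code.
// Audits the EFFECTIVE INI values of whichever SAPI runs it. Run it as
// `php php_ini_audit.php` for the CLI and once over HTTP for PHP-FPM, then delete it:
// it discloses configuration to anyone who can request it.
declare(strict_types=1);

/** PHP accepts several spellings for INI booleans; normalise them before comparing. */
function ini_bool(string $value): bool
{
    return !in_array(strtolower(trim($value)), ['', '0', 'off', 'false', 'no', 'none'], true);
}

/** Convert shorthand sizes ("12M", "1G", "512K") to bytes; -1 (unlimited) passes through unchanged. */
function ini_bytes(string $value): int
{
    $value  = trim($value);
    $number = (int) $value;                        // (int)"12M" === 12: PHP reads the leading digits
    return match (strtolower(substr($value, -1))) {
        'g'     => $number * 1024 ** 3,
        'm'     => $number * 1024 ** 2,
        'k'     => $number * 1024,
        default => $number,
    };
}

/**
 * Compare the running configuration with the hardening baseline.
 * Returns one [directive, actual, expected] triple per failed check; empty array means all checks pass.
 */
function audit_php_ini(): array
{
    $mustDisable = ['exec', 'system', 'passthru', 'shell_exec'];   // baseline chosen for this example

    // directive => [expected value for the report, predicate over the raw ini_get() string]
    $checks = [
        'display_errors'          => ['Off', fn(string $v) => !ini_bool($v)],
        'display_startup_errors'  => ['Off', fn(string $v) => !ini_bool($v)],
        'log_errors'              => ['On',  fn(string $v) => ini_bool($v)],
        'expose_php'              => ['Off', fn(string $v) => !ini_bool($v)],
        'allow_url_include'       => ['Off', fn(string $v) => !ini_bool($v)],
        'session.use_strict_mode' => ['1',   fn(string $v) => ini_bool($v)],
        'session.cookie_httponly' => ['1',   fn(string $v) => ini_bool($v)],
        'session.cookie_secure'   => ['1',   fn(string $v) => ini_bool($v)],
        'session.cookie_samesite' => ['Lax or Strict',
            fn(string $v) => in_array(strtolower(trim($v)), ['lax', 'strict'], true)],
        'open_basedir'            => ['a non-empty path list', fn(string $v) => trim($v) !== ''],
        'disable_functions'       => ['at least ' . implode(', ', $mustDisable),
            function (string $v) use ($mustDisable): bool {
                $disabled = array_map('trim', explode(',', strtolower($v)));
                return array_diff($mustDisable, $disabled) === [];
            }],
    ];

    $findings = [];
    foreach ($checks as $directive => [$expected, $ok]) {
        $raw    = ini_get($directive);             // false only if this build lacks the directive
        $actual = $raw === false ? '' : (string) $raw;
        if (!$ok($actual)) {
            $findings[] = [$directive, $actual === '' ? '(empty)' : $actual, $expected];
        }
    }

    // Size ordering: a body larger than post_max_size is dropped outright ($_POST and $_FILES empty),
    // so post_max_size must exceed upload_max_filesize, and memory_limit should exceed post_max_size.
    $upload = ini_bytes((string) ini_get('upload_max_filesize'));
    $post   = ini_bytes((string) ini_get('post_max_size'));
    $memory = ini_bytes((string) ini_get('memory_limit'));
    if ($post !== 0 && $post <= $upload) {         // post_max_size = 0 disables the limit
        $findings[] = ['post_max_size', (string) ini_get('post_max_size'), 'larger than upload_max_filesize'];
    }
    if ($memory !== -1 && $memory <= $post) {      // memory_limit = -1 means unlimited
        $findings[] = ['memory_limit', (string) ini_get('memory_limit'), 'larger than post_max_size'];
    }
    return $findings;
}

// Plain-text report whether invoked from the CLI or through the web server.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
$findings = audit_php_ini();
echo 'SAPI: ', PHP_SAPI, '   php.ini: ', php_ini_loaded_file() ?: '(none loaded)', "\n";
foreach ($findings as [$directive, $actual, $expected]) {
    printf("FAIL %-26s is %-24s expected %s\n", $directive, $actual, $expected);
}
echo $findings === [] ? "All checks passed.\n" : count($findings) . " finding(s).\n";
exit($findings === [] ? 0 : 1);
```

The exit status is non-zero when anything fails, so the script can sit in a deployment pipeline as a gate. Expect the CLI and FPM runs to disagree on some directives: that difference is exactly the per-SAPI and per-pool override behaviour the entry warns about, and the FPM result is the one that matters for the web application.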