This directive describes the order in which PHP registers GET, POST and Cookie variables into the $_REQUEST array. Registration is done from left to right; newer values override older values.
If this directive is not set, variables_order is used for $_REQUEST contents.
kghbln, thank you very much, you really helped me with this, mate! I just
started my hosting company and I need to protect the server from web shells
like c100.php and many others, but I also need phpMyAdmin, WordPress and
many other scripts to install for my customers, and with base_dir that
isn't possible. This really helps me; now I know I can allow
specific multiple directories and restrict-protect everything else!
open_basedir = "/var/www/htdocs/:/var/www/tmp/" adds both paths
/var/www/htdocs/ and /var/www/tmp/. Do not forget the trailing slash,
otherwise the last directory will be considered as a prefix (<
5.3.4).
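The difference between prefix matching and directory matching described in the note above, as an added example (not code from the notes and not PHP's internal check). The function names and sample paths are constructed for illustration, and the model ignores symlink resolution.

```php
<?php
// Added illustration of the two matching rules; function names are hypothetical.

/** Prefix rule from the note (before 5.3.4): the entry matches as a plain string prefix. */
function allowed_as_prefix(string $path, string $entry): bool
{
    return strncmp($path, $entry, strlen($entry)) === 0;
}

/** Directory rule: the path must be the directory itself or lie beneath it. */
function allowed_as_directory(string $path, string $entry): bool
{
    $dir = rtrim($entry, '/');
    return $path === $dir || strncmp($path, $dir . '/', strlen($dir) + 1) === 0;
}

/** Entries of an open_basedir value that lack the trailing slash (Unix ':' separator assumed). */
function entries_missing_slash(string $openBasedir): array
{
    $entries = array_filter(explode(':', $openBasedir), 'strlen');
    return array_values(array_filter($entries, function (string $e): bool {
        return substr($e, -1) !== '/';
    }));
}

// Constructed sample: the value from the note with the final slash left off.
$setting = '/var/www/htdocs/:/var/www/tmp';
$paths = [
    '/var/www/tmp/session_abc',     // inside the intended directory
    '/var/www/tmp_backup/dump.sql', // sibling directory sharing the prefix
    '/var/www/tmpl/site.conf',      // another sibling sharing the prefix
    '/home/other/file.txt',         // unrelated location
];

foreach (entries_missing_slash($setting) as $entry) {
    echo "Entry without trailing slash: $entry\n";
    foreach ($paths as $p) {
        printf("  %-30s prefix=%-3s directory=%s\n", $p,
            allowed_as_prefix($p, $entry) ? 'yes' : 'no',
            allowed_as_directory($p, $entry) ? 'yes' : 'no');
    }
}
```

Under the prefix rule the two sibling directories are reachable even though only /var/www/tmp was intended; with the trailing slash in place the entry no longer matches them.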
If you need to use a path in your include_path that has a space in it - I
found that I could make it work (in windows anyway) by setting a path
like this
L:\Information Technology\Resources\lib\
in the include path like this listed below
Note that there is no way to disable eval() by using the
disable_functions directive, because eval() is a language construct and
not a function.
Many people advise disabling potentially insecure functions like
system(), exec(), passthru(), eval() and so on in php.ini when not
running in safe mode, but eval() would still work even if it is listed in
disable_functions.
This is a possible solution for a problem which seems to be a php-ini-problem but is not.
If a $_POST is used with large fields, e.g. textareas with more than
120kb characters, PHP returns a blank screen, even if the max_post_size
is 8M.
This problem may be caused by the Apache module SecFilter.
Adding the following lines to the .htaccess solves the problem.
SecFilterEngine Off
SecFilterScanPOST Off
I know this is not a PHP issue, but I'm still posting it here since it
looks like it is a PHP problem and I did not find any sites or forums
offering this solution.
Amusingly, the include_path logically includes the current directory of
the running file as the last entry all the time anyways, so part of the
business about shoving "." into the include_path is spurious -- it's
"there" on the end all the time, at least in the 5.2.12 source (see
main/fopen_wrappers.c around line 503).
Note that on some Unix systems (i.e. PHP 5.1.6 on CentOS 5.2) include_path in php.ini should NOT be quoted.
For example, instead of
include_path='.:/usr/share/php'
use
include_path=.:/usr/share/php
Using quotes does not cause any error message, but all of your
require_once() directives will fail (indicating that file could not be
opened) - unless full path to target file is provided.
"[..]This can be tracked in various ways, e.g. by passing the $_GET
variable to the script processing the data, i.e. <form
action="edit.php?processed=1">, and then checking if
$_GET['processed'] is set."
Using PHP 4.4.8, it seems that only the $_POST array will be empty in case the file is larger than post_max_size.
So the above-mentioned method does not work in my case.
I need to use $_POST['processed'] instead of $_GET['processed'].
If you are having trouble getting the auto_prepend_file to work with the
command line interface make sure that you have set it in the cli
specific php.ini and that the read permission is set correctly for that
php.ini file.
If you want to display the upload limit without knowing the server configuration, this may be useful:
<?php
// Transforms the php.ini notation for numbers (like '2M') to an integer (2*1024*1024 in this case).
function let_to_num($v){
    $v = trim($v);
    $l = substr($v, -1);
    if (is_numeric($l)) {
        return (int) $v; // plain byte count: there is no unit suffix to strip
    }
    $ret = (int) substr($v, 0, -1);
    switch(strtoupper($l)){
        // The cases fall through on purpose: each larger unit multiplies once more.
        case 'P': $ret *= 1024;
        case 'T': $ret *= 1024;
        case 'G': $ret *= 1024;
        case 'M': $ret *= 1024;
        case 'K': $ret *= 1024;
            break;
    }
    return $ret;
}
$max_upload_size = min(let_to_num(ini_get('post_max_size')), let_to_num(ini_get('upload_max_filesize')));
echo "Maximum upload file size is ".($max_upload_size/(1024*1024))."MB.";
?>
Do note however that this limit is not completely reliable; there
are other factors which need to be taken into account, such as any
other $_POST data and their size, the memory limit, and the script time
limit. This does, however, give some rough limit, and helps you avoid
"Doh!" problems where you can't figure out why your file won't upload.
:)
While the manual says that the file specified by auto_prepend_file is
included as if it were called by include(), in fact the file is included
as if it were called by require().
In other words, if PHP cannot find the file that you specify with auto_prepend_file, it will throw a fatal error.
register_long_arrays has a very odd behavior (at least in PHP 5.2):
With register_long_arrays=Off the $GLOBALS array will not contain
[_SERVER] and [_REQUEST]. They are accessible as superglobals ($_SERVER,
$_REQUEST), but they disappear from the $GLOBALS array!
I wish the documentation was more clear as to whether the
arg_separator.output character is automatically encoded when PHP outputs
it. In other words, is "&" valid or do I need to specify the
encoded character "&amp;"? It would make sense to specify only
"&" and hope that it is encoded as needed. That way the value could
be read by other functions and encoded only when output to HTML, rather
than having to test whether it is already encoded and decode it when
necessary (for header redirection for example)
"If the size of post data is greater than post_max_size..."
It seems that a more elegant way is comparison between post_max_size and
$_SERVER['CONTENT_LENGTH']. Please note that the latter includes not
only size of uploaded file plus post data but also multipart sequences.
Leo
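The CONTENT_LENGTH comparison suggested in the note above, as an added example (not code from the notes). The function names ini_bytes and post_limit_exceeded and the sample requests are constructed for illustration.

```php
<?php
// Added example; function names are hypothetical.

/** Convert php.ini shorthand ("8M", "512K", "1G") to bytes; plain integers pass through. */
function ini_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $number = (int) $value;                 // leading digits only: "8M" gives 8
    switch (strtoupper(substr($value, -1))) {
        case 'G': $number *= 1024;          // fall through
        case 'M': $number *= 1024;          // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

/**
 * True when the request body is larger than post_max_size, the case in which
 * PHP leaves $_POST and $_FILES empty. CONTENT_LENGTH counts the whole body,
 * including multipart boundaries and part headers.
 */
function post_limit_exceeded(array $server, string $postMaxSize): bool
{
    $limit = ini_bytes($postMaxSize);
    if ($limit <= 0 || ($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                       // a value of 0 disables the limit
    }
    return (int) ($server['CONTENT_LENGTH'] ?? 0) > $limit;
}

// Constructed sample requests, checked against post_max_size = 8M (8388608 bytes).
$samples = [
    'small form'                      => ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '2048'],
    // A file of 8388000 bytes is under 8M, but 700 bytes of multipart framing push the body over.
    '8388000-byte file + 700 framing' => ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '8388700'],
    'GET without body'                => ['REQUEST_METHOD' => 'GET'],
];

foreach ($samples as $label => $server) {
    printf("%-32s exceeded=%s\n", $label, post_limit_exceeded($server, '8M') ? 'yes' : 'no');
}
```

In a request handler the call would be post_limit_exceeded($_SERVER, ini_get('post_max_size')), made before relying on $_POST or $_FILES.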