php.ini or lack thereof

Posted:
Tue Oct 24, 2006 10:19 am
Author: rockeiro
I'm moving this discussion from the security forum to here as this thread developed out of another conversation in there.
While discussing security issues, it came to my attention that my forum is running with NO php.ini. I am the keeper of my own server so I know this to be true. It is NOT hidden, obscured or invisible in any way.. it is simply NOT there.
So.. has someone got a decent php.ini file they would care to share that I can pop in? I had thought about starting with the php.ini-recommended but then thought I'd post this message and ask for someone else's file or recommendations before doing this.
Thx
Re: php.ini or lack thereof

Posted:
Tue Oct 24, 2006 11:15 am
Author: Dragonsys
ummm... I didn't think PHP would work without a php.ini in the system path somewhere
Is your server Windows or *NIX?
Re: php.ini or lack thereof

Posted:
Tue Oct 24, 2006 4:32 pm
Author: Helter
If you have php installed and running, then you have a php.ini. The suffix .ini means that it initializes php. Without it, there is nothing to tell php how to start.
Re: php.ini or lack thereof

Posted:
Tue Oct 24, 2006 9:14 pm
Author: rockeiro
To reply to both previous emails, my server is a Windows 2003 server.
Please don't be so dismissive of this situation. I am telling you that indeed this php IS running without a php.ini file and I'd like to continue the discussion on that basis, not just being written off as some kind of nooby kook.
I am speculating that like so many programs, when a config file is not present, it defaults to values written into the program. In this case, because you can see errors on the pages from time to time that indicate paths, missing files and other stuff that users really shouldn't see that it is defaulting to a development mode. This would also probably explain as well the lousy performance since day 1.
If the php configuration screen says that the php.ini file should be in c:\windows and in fact it is not, will it search every path in the environment path statement?
This is the first box from the php info page in the administration panel. Can you see there the path for the php.ini file?
System                              Windows NT WSVR 5.2 build 3790
Build Date                          Mar 30 2005 17:32:35
Server API                          ISAPI
Virtual Directory Support           enabled
Configuration File (php.ini) Path   C:\WINDOWS
PHP API                             20020918
PHP Extension                       20020429
Zend Extension                      20021010
Debug Build                         no
Thread Safety                       enabled
Registered PHP Streams              php, http, ftp, compress.zlib
Rest assured gentlemen, unless there is some new way to hide files that I and my windows explorer are not aware of, there is no php.ini in my C:\Windows path.
So as I mentioned in the first post, would someone like to let me know what their opinion is about the php.ini-recommended file? Is this the one most everyone is using? What further general performance and security mods should be done to this?
Thx Gents.
Re: php.ini or lack thereof

Posted:
Wed Oct 25, 2006 8:34 am
Author: Dragonsys
Are you running PHP in cgi mode?
I would use the php-default ini file (if you have it) then edit it to what you need. If you don't have it then you can use the recommended file, just make sure you edit it to suit your needs.
Re: php.ini or lack thereof

Posted:
Wed Oct 25, 2006 9:10 am
Author: rockeiro
Thanks for your reply. How does one determine whether or not php is in cgi mode? What difference would it make apart from a security issue? I assume that Kismod does not need cgi mode and that it runs in purely php mode.
php.ini as delivered puts php into development mode. The php.ini-recommended as I read it puts it into more of a performance run mode so I thought that would be the best place to start.
Hmm..
Re: php.ini or lack thereof

Posted:
Wed Oct 25, 2006 11:07 am
Author: Dragonsys
rockeiro wrote: Thanks for your reply. How does one determine whether or not php is in cgi mode? What difference would it make apart from a security issue? I assume that Kismod does not need cgi mode and that it runs in purely php mode.
php.ini as delivered puts php into development mode. The php.ini-recommended as I read it puts it into more of a performance run mode so I thought that would be the best place to start.
Hmm..
not sure how to tell...
PHP apps should work either way, just fine.
The recommended ini should work just fine, but like I said above, you will probably want to edit it to suit your needs.
Re: php.ini or lack thereof

Posted:
Wed Oct 25, 2006 12:30 pm
Author: rockeiro
I was just setting up another site to use phpMyAdmin when I remembered that the original settings on the web site (this is IIS6 config stuff) were to execute php extensions with C:/progra~1/php.exe but that never worked. I therefore changed it to C:\Program Files\PHP\php4isapi.dll and it's worked ever since.
So for those including myself who wondered how it was working without a php.ini file, this must be the answer. Now I wonder if this dll will load settings from a php.ini if it is present.
I wonder if any of our developer level guys know about this and if they have, do they know the answer to this one? Apparently doing it this way makes the site more hack-proof using this php4isapi.dll instead of the php.exe.
This link explains it:
http://www.visualwin.com/PHP-ISAPI/Comments?
Re: php.ini or lack thereof

Posted:
Thu Oct 26, 2006 5:56 am
Author: Dragonsys
ok, then you are running php as cgi.
That page isn't saying that it's more secure than normal PHP, it's saying that using the .dll is more secure than the CGI exe of PHP.
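
Added example, not part of any post in this thread: a small PHP script that answers the questions raised above from the running server itself, namely which Server API is handling requests, whether a php.ini was actually read, and whether the error settings in effect show paths to visitors. The function names `ini_is_on` and `audit_php_config` are made up for this example; the syntax is kept compatible with PHP 4.

```php
<?php
// Added example: report the active SAPI, whether a php.ini was loaded,
// and whether the error-handling settings in effect leak details to visitors.
// ini_is_on() and audit_php_config() are hypothetical helper names.

// Interpret an ini value the way PHP reports boolean directives.
function ini_is_on($name)
{
    $value = strtolower(trim((string) ini_get($name)));
    return in_array($value, array('1', 'on', 'yes', 'true', 'stdout'));
}

function audit_php_config()
{
    $report = array();

    // "isapi" for php4isapi.dll, "cgi" or "cgi-fcgi" for the php.exe handler.
    $report[] = 'Server API: ' . php_sapi_name();

    // cfg_file_path is only available when a configuration file was read.
    $ini = get_cfg_var('cfg_file_path');
    $report[] = $ini
        ? 'Loaded php.ini: ' . $ini
        : 'No php.ini loaded: built-in defaults are in effect';

    if (ini_is_on('display_errors')) {
        $report[] = 'WARN display_errors is On: paths and file names are shown to visitors';
    }
    if (!ini_is_on('log_errors')) {
        $report[] = 'WARN log_errors is Off: errors are not recorded server-side';
    }
    if (ini_is_on('expose_php')) {
        $report[] = 'WARN expose_php is On: the PHP version is advertised in response headers';
    }
    if (ini_is_on('register_globals')) {
        $report[] = 'WARN register_globals is On: request input can overwrite script variables';
    }
    return $report;
}

header('Content-Type: text/plain');
echo implode("\n", audit_php_config()), "\n";
```

Request the script through the web server rather than the command line, since the two can use different Server APIs and configuration files, and delete it afterwards because its output describes the server's configuration.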