PHP Directives List

This is an overview of the recommended directives for your application. The most important directives have been collected here, for a quick review. The whole list of directive is available as a link to the manual, when applicable. When an extension is missing from the list below, either it as no specific configuration directive, or it is not used by the current code.

DirectiveSuggestionDescription
file
allow_url_fopenOffUnless you need to access remote files, it is better to be safe and forbid this feature
realpath_cache_size128kDetermines the size of the realpath cache to be used by PHP. The default value of "16k" is usually too low for modern application that open many files (autoload, fopen, filet_get_contents...). It is recommended to make this value up to 128 to 256k, and reduce it by testing with realpath_cache_get().
realpath_cache_ttl3600Duration of time (in seconds) for which to cache realpath information for a given file or directory. If the application's code doesn't change too often, you may set this directive to 3600 (one hour) or even more.
Extra configurations File System runtime configuration
filter
filter.defaultunsafe_rawSet the default filter when using functions like filter_input(), filter_var() or their _array() version. Give this a strict level, like 'string' by default, and make every call to the previous functions configure the filters case by case.
Extra configurations Filter runtime configuration
pcre
Extra configurations PCRE runtime configuration
standard
memory_limit120This sets the maximum amount of memory in bytes that a script is allowed to allocate. This helps prevent poorly written scripts for eating up all available memory on a server. It is recommended to set this as low as possible and avoid removing the limit.
max_execution_time90This sets the maximum amount of time, in seconds, that a script is allowed to run. The lower the value, the better for the server, but also, the better has the script to be written. Avoid really large values that are only useful for admin, and set them per directory.
expose_phpOffExposes to the world that PHP is installed on the server. For security reasons, it is better to keep this hidden.
display_errorsOffThis determines whether errors should be printed to the screen as part of the output or if they should be hidden from the user.
error_reportingE_ALLSet the error reporting level. Always set this high, so as to have the errors reported, and logged.
log_errorsOnAlways log errors for future use
error_logName of a writable file, suitable for logging.Name of the file where script errors should be logged.
Extra configurations Standard runtime configuration
Enable DL
enable_dlOff Whether or not to enable the dl() function. The dl() function does NOT work properly in multithreaded servers, such as IIS or Zeus, and is automatically disabled on them.
Disable features
disable_functionsexec, passthru, shell_exec, system, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, popen, pclose, curl_exec, curl_multi_exec, show_source, symlink, fsockopen, pfsockopen, socket_connect, socket_create_listen, socket_create_pair, socket_create, symlink, mail, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, dl, leak, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuidThis directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode. ; 1 sensitive functions were found in the code. Don't disable those :
disable_classespharThis directive allows you to disable certain classes for security reasons. It takes on a comma-delimited list of class names. disable_classes is not affected by Safe Mode. This directive must be set in php.ini. ; 1 sensitive classes were found in the code. Don't disable those :