PHP/Apache Configuration

rlee0001

Good morning!

Is there an easy way, perhaps with a php.ini, or a .htaccess file, to set the PHP/Apache configuration to more "production quality" settings?

Specifically, I would like to:

+ Disable Magic Quotes
+ Disable All Error Reporting
+ Enable All Errors Logging (e.g. E_ALL | E_NOTICE | E_STRICT)

Plus maybe some other things, like disabling PHP short tags, but for now, the above three items are the items I really care about.

With respect to the magic quotes setting, I don't need anyone to tell me about SQL injection attacks. I'd like to sanitize my data properly, not rely on a server misconfiguration/anti-feature to do it for me. I most certainly don't want to use strip_slashes with every access to incoming form data, as that would just produce fragile, and frankly incorrect, code. Not to mention that I'm using a PostgreSQL database, which uses Sybase-style escapes, not the C-style escapes used by MySQL (e.g. PostgreSQL uses '' (two single quotes) whereas MySQL would use \' and \\).

If anyone really cared at all about security, they'd disable error reporting in a hummingbird's heartbeat.

I didn't see these settings in cPanel, and I tried using a .htaccess file, but just got a 500, so I assume that the php_flag and php_value directives are disabled, which is perfectly acceptable in and of itself. I'm on chopin, if that's relevant.

Thanks!
Rob L
 

garrettroyce

Magic quotes cannot be disabled at runtime. This is by design of PHP. You can use the php_value or php_flag directives, but you get a 500 error because it's not changeable in this way. Short tags are disabled. Error reporting can be set to your liking using the .htaccess directives you mentioned.
 

misson

Since we don't have access to php.ini, and the php_value and php_flag directives are disabled, you're limited to ini_get() and ini_set(). You'll have to manually include a configuration script, since there's no way of setting auto_prepend_file. Sadly, that won't help with some settings, such as magic_quotes_gpc. For that one, you'll either need to test get_magic_quotes_gpc() to conditionally run stripslashes() when you access user input, or have your configuration script do it, which is easier but potentially wasteful.

Code:
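# get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists() guard
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
  $_REQUEST; # so $GLOBALS['_REQUEST'] exists
  # recurse so array inputs (e.g. name[]=x) are unescaped too, not passed to stripslashes() as arrays
  function undo_magic_quotes($v) {
    return is_array($v) ? array_map('undo_magic_quotes', $v) : stripslashes($v);
  }
  foreach (array('_GET', '_POST', '_COOKIE', '_REQUEST') as $k) {
    $GLOBALS[$k] = array_map('undo_magic_quotes', $GLOBALS[$k]);
  }
}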
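
Added example (not part of misson's post or the thread's own code): a configuration script of the kind described above, covering the error display and logging settings from the original question with ini_set() and checking which directives the host refused. The file name config.php and the log path are assumptions.

```php
<?php
// config.php (hypothetical name). Include it first in every entry script:
//   require_once dirname(__FILE__) . '/config.php';

// Production error handling: show nothing to visitors, log everything.
// The log path is an assumed location; keep it outside the web root so
// the log cannot be fetched over HTTP.
$wanted = array(
    'display_errors'         => '0',
    'display_startup_errors' => '0',
    'html_errors'            => '0',
    'log_errors'             => '1',
    'error_log'              => dirname(__FILE__) . '/../logs/php-error.log',
);

// -1 turns on every error level, including E_STRICT on versions where
// E_ALL does not contain it.
error_reporting(-1);

$failed = array();
foreach ($wanted as $name => $value) {
    // ini_set() returns the old value on success and false when the
    // directive cannot be changed at runtime. The old value may be an
    // empty string, so compare with === false.
    if (ini_set($name, $value) === false) {
        $failed[] = $name;
    }
}

// Confirm the values actually in effect rather than trusting the calls.
foreach (array('display_errors', 'log_errors') as $name) {
    if ((string) ini_get($name) !== $wanted[$name] && !in_array($name, $failed)) {
        $failed[] = $name;
    }
}

if ($failed) {
    // Goes to whatever log destination is currently active.
    error_log('config.php: could not apply ' . implode(', ', $failed));
}
```

A parse error in the entry script itself happens before this file runs, so it is still handled by the server-wide display_errors value; keeping entry scripts thin and putting logic in included files limits that exposure.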
 

misson

Would it not be sensible to disable magic quotes server side though, since it is officially deprecated?

I wouldn't shed any tears if it were disabled, but the admins keep it because it provides a modicum of protection for the users who don't know about SQL injection or know but don't realize how serious it can be. If the forums are any indication, many people with free sites on x10 are at a beginner's level when it comes to security issues.
 

xav0989

I'm not sure about the php_value being disabled. I recall someone (don't remember who) telling someone else to use it to add a file to check memory usage on pages.
Edit:
Would it not be sensible to disable magic quotes server side though, since it is officially deprecated?
In the message, magic_quotes was deprecated as of PHP 5.3.0, which is not the PHP version x10 uses.
 

misson

I'm not sure about the php_value being disabled. I recall someone (don't remember who) telling someone else to use it to add a file to check memory usage on pages.

Was it garrettroyce? Maybe it's a matter of which host you're on. Whenever I've tried to use php_value on lotus (such as before answering rlee0001's question), I get a 500 Internal Server Error. The logged error is "Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration". Poll time.
 

xav0989

Exactly, you have a better memory than I do :biggrin:

I'll check on my host... but hey, could it be a premium-account-only feature? I know that garrett has one.
 

misson

Exactly, you have a better memory than I do :biggrin:
It's probably worse. I tend to rely on offline memory (e.g. the web) and searching. Transhumanism, wot?

I'll check on my host... but hey, could it be a premium-account-only feature? I know that garrett has one.
I think you've hit the proverbial nail on its proverbial head.
 

misson

Isn't the web ONline?

It's not part of my personal neural network, thus it's offline memory. Transhumanistic humor.

I certainly wish I could access the web as personal memory, but neural interfaces are still a pipe dream.
 