I'm just curious if there's a way to disable things like shell_exec() using the .htaccess file or something, not globally, but only for specific subdomains or directories (possibly disable fopen() on files above the subdir). It occurred to me that on one of my shared hosts where I'm sharing subdomain space with a friend he could use PHP to get a look at directories outside his own.
Perhaps I could use mod_rewrite and send any hit anywhere through a PHP script that disables certain things before forwarding the request to where it was going? Would this work, and would it incur a significant performance penalty?
You can do it programmatically:
ini_set('disable_functions', 'fopen,shell_exec');
or in .htaccess:
php_value disable_functions fopen,shell_exec
There shouldn't be any performance degradation. I doubt you'll be changing the settings repeatedly inside a for(), while() or foreach() loop.
You can do this with a .htaccess file:
http://www.askapache.com/php/custom-phpini-tips-and-tricks.html#m0-askapache12
I believe those things need to be changed in the php.ini file. Some host allow you to have multiple php.ini files within the files structure. If you are on a shared hosting environment then you probably will have one php.ini file for all shared accounts. Host realize this is a problem so they allow you to have your own within your home directory for sub directory... check with your host.
Related
In a PHP code I need get the values of Apache's mod_fcgid conf variables like:
FcgidMaxRequestLen
FcgidBusyScanInterval
FcgidAuthenticator
(Full list at http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html)
Is there a way I can get those values?
There's no way of getting Apache configuration directives through the PHP API, other than what's exposed by PHP itself. You would have to parse the Apache config files.
This is not trivial however, if you consider things like conditional settings and inclusion of multiple config files. It may also include security issues such as accidentally revealing config settings that can compromise your server.
My development environment is shared with other developers of my startup and is setup on Rackspace. The php.ini file is located in /etc/ folder, and I believe this is a centralized location from where every other developer's dev environment setting is being configured from. I want to customize this php.ini file specifically for myself rather than having to do it in the /etc/ location.
Specifically I am setting up XDEBUG in my environment, some other developers don't want it, so I don't want to bug em :)
To do so, I scanned the Internet on how to override the php.ini file specifically for a directory, and found this page on stackoverflow
And following that, I simply copy pasted the php.ini file within my htdocs folder and then simply echoed out phpinfo() (I echoed this in one of my Controllers, (using Zend)). The index.php file is within the htdocs folder.
When I look # "Loaded Configuration File", it still reads
/etc/ instead of ../htdocs/
Anybody know what's up?
In general, it isn't possible to load php.ini on a per directory basis, but in some special cases (CGI/FastCGI), it is: see documentation for Per-user configuration
Since PHP 5.3.0, PHP includes support for .htaccess-style INI files on a per-directory basis. These files are processed only by the CGI/FastCGI SAPI. This functionality obsoletes the PECL htscanner extension. If you are using Apache, use .htaccess files for the same effect.
In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file, and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']). In case the PHP file is outside the document root, only its directory is scanned.
If you are hosting several independent sites on one server, you should consider FastCGI anyway, to keep them separated. With php5-fpm it's very easy to setup many pools of workers.
Note that only set a limited subset of the ini-options in the user-ini-file.
As you said you don't have control on the server, the possible work-arounds would be to:
Use ini_set() to override the changes inside your script. Not all of the configuration directives can be changed using ini_set() though.
Use an .htaccess file in your directory to override the configurations in php.ini file.
(certain parts adapted from #1438393)
Hope this helps!
I'm not sure you understood the post. The post means if you run the server and want a per domain php.ini you can run the module as a per domain so each user controls there domain php.ini however it looks like your server does not offer this so you will need to us htaccess file to overwrite the php.ini settings.
By over write this doesn't mean you can change the directory this means maybe add a module or add error reporting ect...
You can do it by using this post: How can I use xdebug to debug only one virtual host?
My development environment is shared with other developers of my startup and is setup on Rackspace. The php.ini file is located in /etc/ folder, and I believe this is a centralized location from where every other developer's dev environment setting is being configured from. I want to customize this php.ini file specifically for myself rather than having to do it in the /etc/ location.
Specifically I am setting up XDEBUG in my environment, some other developers don't want it, so I don't want to bug em :)
To do so, I scanned the Internet on how to override the php.ini file specifically for a directory, and found this page on stackoverflow
And following that, I simply copy pasted the php.ini file within my htdocs folder and then simply echoed out phpinfo() (I echoed this in one of my Controllers, (using Zend)). The index.php file is within the htdocs folder.
When I look # "Loaded Configuration File", it still reads
/etc/ instead of ../htdocs/
Anybody know what's up?
In general, it isn't possible to load php.ini on a per directory basis, but in some special cases (CGI/FastCGI), it is: see documentation for Per-user configuration
Since PHP 5.3.0, PHP includes support for .htaccess-style INI files on a per-directory basis. These files are processed only by the CGI/FastCGI SAPI. This functionality obsoletes the PECL htscanner extension. If you are using Apache, use .htaccess files for the same effect.
In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file, and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']). In case the PHP file is outside the document root, only its directory is scanned.
If you are hosting several independent sites on one server, you should consider FastCGI anyway, to keep them separated. With php5-fpm it's very easy to setup many pools of workers.
Note that only set a limited subset of the ini-options in the user-ini-file.
As you said you don't have control on the server, the possible work-arounds would be to:
Use ini_set() to override the changes inside your script. Not all of the configuration directives can be changed using ini_set() though.
Use an .htaccess file in your directory to override the configurations in php.ini file.
(certain parts adapted from #1438393)
Hope this helps!
I'm not sure you understood the post. The post means if you run the server and want a per domain php.ini you can run the module as a per domain so each user controls there domain php.ini however it looks like your server does not offer this so you will need to us htaccess file to overwrite the php.ini settings.
By over write this doesn't mean you can change the directory this means maybe add a module or add error reporting ect...
You can do it by using this post: How can I use xdebug to debug only one virtual host?
How do I edit php.ini when my host doesn't give me access to the core file? Is there a way to create a "sub" php.ini? If so, how would I make my apps pick up the subsequent file and use that instead of the master file (that I don't have access to edit)? It's a typical shared web host if that matters.
http://www.php.net/manual/en/configuration.changes.php
If your host allows it, you can use an Apache directive in an .htaccess file to override the INI path. (Most shared hosts, however, don't allow this.)
You might also be able to change certain individual settings via the ini_set() function in your script - again, if your host allows it.
Try to use the built-in function ini_set().
anyone knows if is it possible to enable php parse_ini_file() function overriding php.ini settings into .htaccess? If yes how it can be done?
Thank you all for help
If it was disabled using disable_functions, you can't reactivate it using a .htaccess php_value directive. See http://php.net/manual/en/ini.core.php
As far as I know, parse_ini_file() is a core function built into PHP, thus it can't really be enabled. I'll guess that you are facing one of these situations:
Your host has disabled it for security reasons (:-?) using the disable_functions directive.
You are providing a URL in the $filename parameter and your host has disabled loading or remote files with the allow_url_fopen directive.
You are reading an *.ini file you don't have access to.
In general, all three cases imply that you are just not allowed to do so. Even if you manage to find a hack and override the restriction, you might be violating your host's terms of use. Whatever, it's possible that you are just trying to do the wrong thing:
Local files can be read from disc, there is not need to use HTTP.
You should be able to read your own files, given that they're given the appropriate permissions.
I added a copy of php.ini under the folder where application wants to call parse_ini_file() and it helped, but my hosting provider "honors" php.ini file per directory, so each app can use different settings.
In this case the app was complaining PHP function parse_ini_file is not available not because the method was disabled, but because it could not find php.ini to parse.