The 6 most important security settings in php.ini

The php.ini is a PHP configuration file that controls some important PHP settings. This means that with this file you can change the behavior of your PHP server.
Whenever someone visits your website, the PHP interpreter reads the php.ini file and behaves accordingly.
The settings below will help make your website more secure. Other files, like .htaccess and globals.php, also help prevent malicious attacks on your site, but php.ini is a good starting point for everyone who takes security seriously.
Some extensions may not work with the suggested settings, so you should reconsider whether you really need these extensions.
1. register_globals = off (or = 0)
If this is left on, an attacker might use this to insert request variables from HTML forms with the intention to break your website. In PHP5, its default state is set to off and as of PHP6 it has been removed.
2. allow_url_fopen = off
The preferred setting is default. When enabled, this setting treats remote files as if they were local files on the server, leaving room for malicious attacks.
3. magic_quotes_gpc
This is on by default. Its main purpose is to escape all variables that are sent to the database, neutralizing maliciously loaded scripts. You should never turn this off. This setting has been removed in PHP6.
4. expose_php = off
The default value is on. Setting this to off prevents malicious users from finding out the PHP version you are using as well as 3rd party PHP extensions, which reduces the amount of exposed information.
5. safe_mode = off
You should leave this in its default state (off). If you turn it on, some features will be disabled [chmod(), exec(), system() and more]. As of PHP6 it has been removed.
6. session.use_trans_sid = off
Turning this off prevents or lowers the possibility of a session fixation attack.
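An added example, not part of the original article: a small Python audit that reads the text of a php.ini and compares the six directives above with the values recommended here. The function names and the sample file are constructed for illustration; a directive reported as "unset" falls back to the default of the installed PHP build.

```python
# Recommended values, taken from the six settings listed above.
RECOMMENDED = {
    "register_globals": False, "allow_url_fopen": False,
    "magic_quotes_gpc": True, "expose_php": False,
    "safe_mode": False, "session.use_trans_sid": False,
}
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}

def parse_php_ini(text):
    """Return {directive: raw value}; the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue                            # blank, [section] or junk
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Map each directive to 'ok', 'unset', or a description of the mismatch."""
    found = parse_php_ini(text)
    report = {}
    for name, want in RECOMMENDED.items():
        raw = found.get(name)
        if raw is None:
            report[name] = "unset"              # build default applies
        elif raw.lower() not in TRUE_WORDS | FALSE_WORDS:
            report[name] = "unrecognised value %r" % raw
        elif (raw.lower() in TRUE_WORDS) == want:
            report[name] = "ok"
        else:
            report[name] = "set to %s, recommended %s" % (raw, "on" if want else "off")
    return report

# Constructed sample file, not taken from a real server.
SAMPLE_INI = """\
[PHP]
register_globals = Off
allow_url_fopen = On      ; enabled for an extension
expose_php = On
expose_php = Off
magic_quotes_gpc = "1"
session.use_trans_sid = 1
"""

if __name__ == "__main__":
    print("\n".join("%-24s %s" % item for item in audit(SAMPLE_INI).items()))
```

To check a real server, pass the contents of the php.ini that PHP actually loads, since a host may have more than one copy of the file.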