From: "Adam Voigt" > On Mon, 2004-06-28 at 18:07, Jason Aeschilman wrote: > > Why is PHP insecure by default on FC1? Is it because it's not for > > production use? It uses a php.ini that is only suited for development, not > > production use. I ended up grabbing the "php.ini-recommended" file from the > > official release of PHP-4.3.6 and made a couple Fedora-related changes to it > > (diff helped out here). > > > > J.A.K.E. > > [ jake1138 AT yahoo DOT com ] > > lol, I must say you did a very good job of being as vague as possible > and not illustrating your point in any way. You're right, but I did get the discussion started. All one needs to do is read the comments in php.ini. When the comments say, "don't do this in a production environment" or "don't use this file in a production environment", then that in of itself makes the point. If you look at php.ini-recommended, you'll learn even more. Part of my reasoning for even mentioning this here is to make people aware. Here is the "diff php.ini php.ini-recommended". For those who haven't used diff before, the lines preceded by "<" are from php.ini, the lines preceded by ">" are from php.ini-recommended. < output_buffering = Off > output_buffering = 4096 < allow_call_time_pass_reference = On > allow_call_time_pass_reference = Off < error_reporting = E_ALL & ~E_NOTICE > error_reporting = E_ALL < display_errors = On > display_errors = Off < log_errors = Off > log_errors = On < variables_order = "EGPCS" > variables_order = "GPCS" < register_argc_argv = On > register_argc_argv = Off < magic_quotes_gpc = On > magic_quotes_gpc = Off < extension_dir = /usr/lib/php4 > extension_dir = "./" < sendmail_path = /usr/sbin/sendmail -t -i > ;sendmail_path = < dbx.colnames_case = "unchanged" > dbx.colnames_case = "lowercase" < session.save_path = /tmp > ;session.save_path = /tmp < session.gc_divisor = 100 > session.gc_divisor = 1000 < session.bug_compat_42 = 1 > session.bug_compat_42 = 0 < url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset=" > url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" To make php.ini-recommended work for Fedora, I changed this line: extension_dir = /usr/lib/php4 -- J.A.K.E. [ jake1138 AT yahoo DOT com ]