PHP is a very customizable system, usually for backwards compatibility reasons. As the PHP language has grown more mature, a number of things were found to be bad practice either from a security or an efficiency standpoint. Some have been endless sources of debates, with half of the servers out there enabling an incompatible feature, and the other half not.
SeattleServer.com opts to follow PHP's recommended current guidelines. This means that our default settings will sometimes cause problems with older code that was written under more lenient standards. However, we are pleased to inform you that you may override any setting you like via a special file on your website, so even old code can be made to work on our servers. On this page, we'll discuss each configuration option, our chosen setting, and the effects it has on your code.
Please feel welcome to discuss these items, or any other PHP programming topics, in the PHP section of our community forums.
register_globals
With this option enabled, any values passed in the URL or via a cookie or post data are set as global variables within the PHP script automatically. To quote the php.net site,
"When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier." So, after recommending against it for a considerable time, the PHP team disabled it by default starting in PHP 4.2.0. We strongly stand behind this decision, and encourage you to rewrite or replace any code that depends on this functionality.
Quick Fix: Add this line to a file named .htaccess in the directory where your PHP scripts that need it reside:
php_flag register_globals on
Real Fix: Rewrite your code to use $_GET, $_POST, $_COOKIE, or $_REQUEST arrays accordingly, when you indeed expect input from the user.
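The following is an added example (not code from the original page) showing the same page logic written the old way, which only works with register_globals on and is unsafe, and the rewritten way, which reads input explicitly from the superglobal arrays. The helper user_is_logged_in() is assumed to exist.

```php
<?php
// BEFORE: depends on register_globals. Because PHP does not require variable
// initialization, $authorized is simply unset for a visitor who is not logged
// in, and with register_globals on any request parameter of the same name
// would populate it before this code runs, defeating the check.
function show_report_old()
{
    if (user_is_logged_in()) {      // assumed helper
        $authorized = true;
    }
    if ($authorized) {              // never initialized on the other path
        echo "secret report";
    }
}

// Reads one GET parameter with a default and an optional whitelist, so the
// script works identically whether register_globals is on or off.
function get_param($name, $default = '', array $allowed = null)
{
    if (!isset($_GET[$name])) {
        return $default;
    }
    $value = $_GET[$name];
    if ($allowed !== null && !in_array($value, $allowed, true)) {
        return $default;
    }
    return $value;
}

// AFTER: every variable is initialized explicitly and user input is only
// ever taken from $_GET / $_POST / $_COOKIE, never from a bare global.
function show_report()
{
    $authorized = false;
    if (user_is_logged_in()) {
        $authorized = true;
    }
    if (!$authorized) {
        echo "please log in";
        return;
    }
    $format = get_param('format', 'html', array('html', 'csv'));
    echo $format === 'csv' ? "id,name\n1,secret report" : "<p>secret report</p>";
}
```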
register_long_arrays
"Tells PHP whether or not to register the deprecated long $HTTP_*_VARS type predefined variables. When On (default), long predefined PHP variables like $HTTP_GET_VARS will be defined. If you're not using them, it's recommended to turn them off, for performance reasons. Instead, use the superglobal arrays, like $_GET." Using $HTTP_*_VARS is an old habit that is now deprecated by the PHP team. While using these is no security risk, it does impede the performance of your website to have them enabled.
Quick Fix: Add this line to a file named .htaccess in the directory where your PHP scripts that need it reside:
php_flag register_long_arrays on
Real Fix: Rewrite your code to use $_GET, $_SERVER, and so on arrays accordingly, instead of their $HTTP_GET_VARS, $HTTP_SERVER_VARS, and so on counterparts.
register_argc_argv
"This directive tells PHP whether to declare the argv&argc variables (that would contain the GET information). If you don't use these variables, you should turn it off for increased performance." These variables are almost never used as they are not very useful, and disabling them yields a performance gain. More importantly, having register_globals, register_long_arrays, and this option all disabled means that we can enable the auto_globals_jit option, which only registers the $_ENV and $_SERVER variables when they are actually used, yielding yet another performance boost.
Quick Fix: Add this line to a file named .htaccess in the directory where your PHP scripts that need it reside:
php_flag register_argc_argv on
Real Fix: Rewrite your code to not use $argc or $argv. These are not commonly used for anything except rough debugging, so it should be straightforward enough to do away with them.
magic_quotes_gpc
This directive enables automatic escaping of special characters in input data. This can in certain cases deflect SQL injection attacks, but not always, and it's highly annoying if you're expecting the data in raw unmodified form. Thus, it's been the source of many debates for years, and because of this most PHP scripts have been written to check whether this directive is enabled and act accordingly. The most popular opinion seems to be to keep it off, and PHP recommends against it as well.
Quick Fix: This cannot be overridden in a .htaccess file, sorry. If you have a large codebase that needs it on, contact us and we will look into enabling it for your domain or fixing your code.
Real Fix: Rewrite code to escape special characters when needed, rather than relying on this directive. You may use the get_magic_quotes_gpc function to check whether it's enabled, and the addslashes function to do the equivalent of what this directive does (though there are often better quoting functions depending on your scenario, such as pg_escape_string).
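An added example (not from the original page) of the real fix: the script first returns its input to raw form regardless of the magic_quotes_gpc setting, then escapes explicitly at the point where a value enters a query. $db is assumed to be an open pg_connect() connection.

```php
<?php
// Undo magic quotes recursively so the rest of the script always sees raw
// data, whether the server has magic_quotes_gpc on or off.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() no longer exists in current PHP, hence the guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// Escape for the database actually in use, at the moment the value is used.
// pg_escape_string is the PostgreSQL-specific escaper the page mentions.
function find_user($db, $username)
{
    $safe = pg_escape_string($db, $username);
    return pg_query($db, "SELECT id, name FROM users WHERE name = '$safe'");
}

// The same lookup as a parameterized query: the driver separates data from
// SQL, so no manual escaping is needed and magic quotes become irrelevant.
function find_user_param($db, $username)
{
    return pg_query_params(
        $db,
        'SELECT id, name FROM users WHERE name = $1',
        array($username)
    );
}
```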
error_reporting
PHP has several levels of error reporting available. The most pedantic of these are Notices, which are raised when code works but is not written according to good practices. In general, it is highly recommended to develop code that will not generate Notices, and so to encourage this we enable Notice warnings by default (error_reporting 2047). Most pre-written PHP software will not generate Notices. If you are using an older pre-written script, you may want to silence these, however.
Quick Fix: Add this line to a file named .htaccess in the directory where your PHP scripts that need it reside:
php_value error_reporting 2039
Real Fix: Rewrite your code to compensate for whatever the Notice is warning you about, for instance, check if a variable is actually set before trying to use it, ensure proper quoting is used, etc.
short_open_tag
If you want to use PHP in combination with XML, having this option disabled allows you to use <?xml ?> inline. Furthermore, the commentary in the PHP configuration file states:
"Using short tags should be avoided when developing applications or libraries that are meant for redistribution, or deployment on PHP servers which are not under your control, because short tags may not be supported on the target server. For portable, redistributable code, be sure not to use short tags." We disable it by default to encourage good and portable coding practice.
Quick Fix: Add this line to a file named .htaccess in the directory where your PHP scripts that need it reside:
php_flag short_open_tag on
Real Fix: Rewrite your code, replacing all instances of <? with <?php, and <?= with <?php echo.
End Notes
If you wish to change a directive in a single PHP file, rather than for a whole directory, you may do so using the ini_set function, provided the directive can be changed at runtime. For example: ini_set('error_reporting', 2039); Note that register_globals, register_long_arrays, register_argc_argv, and magic_quotes_gpc take effect before your script starts running, so ini_set has no effect on them; they can only be set per directory in .htaccess or in php.ini. Likewise short_open_tag cannot change how the file that is already being executed was parsed.