htaccess Elite

I am not a wizard in php by any means, but I try hard and that seems to work ok.. lol

I build websites for clients that demand 100% no problems, and since I use a lot of php through-out the site, (phpbb, blogs, forms, download scripts, etc..) I have to debug them and make sure they work correctly.

At first I just used ini_set('error_reporting','E_ALL|E_STRICT'); , etc., at the top of everyone of my php files, now I just put that functionality into my own php.ini file.

The best way I have found is to use php's built in error system to diagnose problems. First I create a custom php.ini ala http://forum.powweb.com/showthread.php?t=68310

Here are the relevant settings for debugging that I use:

Code: Select all

expose_php = On
error_reporting  =  E_ALL|E_STRICT
html_errors = Off
display_errors = On
display_startup_errors = On
log_errors = On
log_errors_max_len = 19024
report_memleaks = On
error_log = /home/users/web/bEXAMPLE/pow.USERNAME/php_error.log
register_globals = Off
register_long_arrays = Off
register_argc_argv = Off


Next in my .htaccess file mentioned in the custom php.ini thread, I add
SetEnv ERRLOGFILE /home/users/web/bEXAMPLE/pow.USERNAME/cgi_error.log

The most important part of this is to use E_ALL|E_STRICT for the error_reporting.. This will report on the strictest warnings and errors.. very verbose. So you can now goin and fix every error that you find.

NOTE: Once a site is in production I turn the Display_error settings off and rely on the log file.. And you shouldn't try and fix the strict errors that will show up (by the thousands) for a lot of the open-source software out there.. this is really only meant for small custom jobs.


My complete php.ini file

Code: Select all

[PHP]

engine = On
zend.ze1_compatibility_mode = Off
short_open_tag = Off
asp_tags = Off
precision    =  12
y2k_compliance = Off
output_buffering = 4096
zlib.output_compression = On
implicit_flush = Off
unserialize_callback_func=
serialize_precision = 100
allow_call_time_pass_reference = On
safe_mode = On
safe_mode_gid =
safe_mode_include_dir =
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
disable_functions =
disable_classes =
expose_php = Off
max_execution_time = 300
max_input_time = 300   
memory_limit = 300M     
error_reporting  =  E_ALL|E_STRICT
html_errors = Off
display_errors = On
display_startup_errors = On
include_path =  ".:/usr/local/lib/php-5.1.4/lib/php:/home/users/web/bEXAMPLE/pow.USERNAME/sites/example.com/inc"
log_errors = On
log_errors_max_len = 19024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
error_log = /home/users/web/bEXAMPLE/pow.USERNAME/php_error.log
variables_order = "EGPCS"
register_globals = Off
register_long_arrays = Off
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 300M
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
;default_charset = "iso-8859-1"

doc_root =
user_dir =
extension_dir = "./"
enable_dl = On
file_uploads = On
upload_tmp_dir = "/home/users/web/bEXAMPLE/pow.USERNAME/phpsessions"
upload_max_filesize = 300M
allow_url_fopen = On
default_socket_timeout = 300


[Date]
date.timezone =  "America/Indianapolis"

[Syslog]
define_syslog_variables  = Off

[mail function]
smtp_port = 25


[SQL]
sql.safe_mode = Off

[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1

[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port =
mysql.default_socket =
mysql.default_host =
mysql.default_user =
mysql.default_password =
mysql.connect_timeout = 60
mysql.trace_mode = Off

[MySQLi]
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off

[mSQL]
msql.allow_persistent = On
msql.max_persistent = -1
msql.max_links = -1

[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

[Sybase]
sybase.allow_persistent = On
sybase.max_persistent = -1
sybase.max_links = -1
sybase.min_error_severity = 10
sybase.min_message_severity = 10
sybase.compatability_mode = Off

[Sybase-CT]
sybct.allow_persistent = On
sybct.max_persistent = -1
sybct.max_links = -1
sybct.min_server_severity = 10
sybct.min_client_severity = 10

[bcmath]
bcmath.scale = 0

[browscap]

[Informix]
ifx.default_host =
ifx.default_user =
ifx.default_password =
ifx.allow_persistent = On
ifx.max_persistent = -1
ifx.max_links = -1
ifx.textasvarchar = 0
ifx.byteasvarchar = 0
ifx.charasvarchar = 0
ifx.blobinfile = 0
ifx.nullformat = 0

[Session]
session.save_handler = files
session.save_path = "/home/users/web/bEXAMPLE/pow.USERNAME/phpsessions"
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor     = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 4

url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

[MSSQL]
mssql.allow_persistent = On
mssql.max_persistent = -1
mssql.max_links = -1
mssql.min_error_severity = 10
mssql.min_message_severity = 10
mssql.compatability_mode = Off
mssql.secure_connection = Off

[Assertion]

[Verisign Payflow Pro]
pfpro.defaulthost = "test-payflow.verisign.com"
pfpro.defaultport = 443
pfpro.defaulttimeout = 30

[COM]

[mbstring]

[FrontBase]

[exif]

[Tidy]
tidy.clean_output = Off

[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/home/users/web/bEXAMPLE/pow.USERNAME/phpsessions"
soap.wsdl_cache_ttl=86400

Remember I am a beginner at php, so do your own research.

If you are at all concerned about site security, however, having error reporting turned ON is a mistake.

True, it is nice to see all those errors, for your information. But if others see that information when they attempt a page currently displaying an error, they have complete access to the name of your server and the file schema you have set up, i.e. /var/home/html/domain/etc. Many hackers would love to have that information.

I admit, I used to have my errors turned on as well for this exact reason. I have since turned them off. When I am working on a bit of code, I use a test site (site duplicated in another passworded directory of my domain), and there, I can add this in the site header file (header.php or whatever you have named it) to turn on the errors for just that area:

ini_set("display_errors","1");
ERROR_REPORTING(E_ALL);