Here's a short explanation of
the configuration directives.
Specifies a list of directories where the
readfile() and file_get_contents()
functions look for files. The format is like the system's
PATH environment variable: a list of directories
separated with a colon in Unix or semicolon in Windows.
PHP considers each entry in the include path separately when looking for
files to include. It will check the first path, and if it doesn't find
it, check the next path, until it either locates the included file or
returns with a
or an error.
You may modify or set your include path at runtime using
Example #1 Unix include_path
Example #2 Windows include_path
Using a . in the include path allows for
relative includes as it means the current directory. However,
it is more efficient to explicitly use include
'./file' than having PHP always check the current
directory for every include.
Limit the files that can be opened by PHP to the specified
directory-tree, including the file itself. This directive
is NOT affected by whether Safe Mode is
turned On or Off.
When a script tries to open a file with, for example,
fopen() or gzopen(),
the location of the file is checked. When the file is outside the
specified directory-tree, PHP will refuse to open it. All symbolic
links are resolved, so it's not possible to avoid this restriction
with a symlink. If the file doesn't exist then the symlink couldn't be
resolved and the filename is compared to (a resolved)
The special value
indicates that the working directory of the script will be used as the
base-directory. This is, however, a little dangerous as the working directory
of the script can easily be changed with chdir().
In httpd.conf, open_basedir
can be turned off
(e.g. for some virtual hosts)
the same way as
any other configuration directive with "php_admin_value open_basedir
Under Windows, separate the directories with a semicolon. On all
other systems, separate the directories with a colon. As an Apache
paths from parent directories are now
The restriction specified with open_basedir
directory name since PHP 5.2.16 and 5.3.4. Previous versions used it
as a prefix. This means that "open_basedir
= /dir/incl" also allowed access to "/dir/include" and
"/dir/incls" if they exist. When you want to restrict access
to only the specified directory, end with a slash. For example:
open_basedir = /dir/incl/
The default is to allow all files to be opened.
As of PHP 5.3.0 open_basedir can be tightened at run-time. This means
that if open_basedir is set to /www/ in php.ini
a script can tighten the configuration to
/www/tmp/ at run-time with
PHP's "root directory" on the server. Only used if
non-empty. If PHP is configured with safe mode, no files outside
this directory are served.
If PHP was not compiled with FORCE_REDIRECT, you should
set doc_root if you are running PHP as a CGI under any web
server (other than IIS). The alternative is to use the
cgi.force_redirect configuration below.
The base name of the directory used on a user's home directory for PHP
files, for example public_html
In what directory PHP should look for dynamically loadable
extensions. See also: enable_dl,
Which dynamically loadable extensions to load when PHP starts up.
Absolute path to dynamically loadable Zend extension (for example
APD) to load when PHP starts up.
Variant of zend_extension
for extensions compiled with debug info.
Variant of zend_extension
for extensions compiled with debug info and thread safety.
Variant of zend_extension
for extensions compiled with thread safety.
Controls whether CGI PHP checks for line starting
with #! (shebang) at the top of the running script.
This line might be needed if the script support running both as
stand-alone script and via PHP CGI. PHP in
CGI mode skips this line and ignores its content if
this directive is turned on.
Provides real PATH_INFO/
PATH_TRANSLATED support for CGI.
PHP's previous behaviour was to set PATH_TRANSLATED
to SCRIPT_FILENAME, and to not grok what
PATH_INFO is. For more information on
PATH_INFO, see the CGI specs.
Setting this to 1 will cause PHP
CGI to fix its paths to conform to the spec. A
setting of zero causes PHP to behave as before. It is turned on by
default. You should fix your scripts to use
SCRIPT_FILENAME rather than
cgi.force_redirect is necessary to provide security running PHP as a
CGI under most web servers. Left undefined, PHP
turns this on by default. You can turn it off at your own
Windows Users: You can safely turn this off for
IIS, in fact, you must.
To get OmniHTTPD or Xitami to work you must turn
If cgi.force_redirect is turned on, and you are not running under
Apache or Netscape (iPlanet) web servers, you may
need to set an environment variable name that PHP will look for to
know it is OK to continue execution.
Setting this variable may cause security issues,
know what you are doing first.
FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
security tokens of the calling client. This allows IIS to define the
security context that the request runs under. mod_fastcgi under Apache
does not currently support this feature (03/17/2002)
Set to 1 if running under IIS. Default is zero.
Turns on SAPI logging when using FastCGI. Default is
to enable logging.
Tells PHP what type of headers to use when sending HTTP response
code. If it's set 0, PHP sends a Status: header that is supported
by Apache and other web servers. When this option is set to 1, PHP
will send » RFC 2616 compliant
headers. Leave it set to 0 unless you know what you're doing.