Php.ini


To see your current PHP configuration and settings, you can create an info.php file. Simply touch info.php in a web directory and add the following line of code: <?php phpinfo(); ?> When you view this new page in your web browser, it lists all the PHP settings and values. The output discloses file paths, loaded modules and configuration details to anyone who can reach the page, so delete info.php once you have what you need.

You can use the info.php file to determine the path to php.ini.

Common paths for php.ini:

  • /usr/local/lib/php.ini
  • /etc/httpd/php.ini

Where you find it depends on the distribution and how PHP was installed.

Security:

Using form variables as globals can easily lead to security problems if the code is not very well thought out.

register_globals = Off

Short Open Tag

  • <?php Less than question mark php
  • <?= Less than question mark equal
  • <? Less than question mark

The short_open_tag directive controls whether PHP recognizes <? and ?> tags as PHP source and parses the contents. It is generally recommended that <?php and ?> be used, because the short tags <? ?> may cause issues when generating XML.

To enable short tags, change the following line in php.ini:

short_open_tag = Off

to

short_open_tag = On

In PHP 5.4 and higher, the short_open_tag=on directive applies to all short tags except <?=, the echo tag. In PHP 5.4 and higher, the short echo tag <?= is always available and is not affected by the short_open_tag ini directive. There is talk that short_open_tag and ASP-style tags will be DISABLED in PHP 6.

Possible security risk? Byte-shifted code injection, see: https://nealpoole.com/blog/2010/07/php-security-tip-beware-the-opening-tags/

Conclusion: Enabling short_open_tag does not necessarily mean that you will open a security hole. However, it may confuse the parser when dealing with XML, and it relies on a coding practice that has long been discouraged and may someday soon no longer be supported.

Worse than the short open tag is the HTML-style legacy tag. PHP <script> Tags - All PHP installations will parse PHP code written with the old HTML style PHP script tags.
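The two php.ini directives discussed above can also be checked directly in the file, without leaving an info.php page on the server. The following is an added example, not part of the original page: the function names, the sample file and the choice of Off as the preferred value for short_open_tag (taken from the page's advice to use <?php) are assumptions of this example.

```python
import re

# directive: (preferred value, PHP built-in default when unset). Preferred values are
# this example's assumption, based on the page's advice.
CHECKS = {"register_globals": (False, False), "short_open_tag": (False, True)}

# Constructed sample php.ini, not taken from a real server.
SAMPLE_INI = """\
[PHP]
;register_globals = On
register_globals = Off
short_open_tag = Off
short_open_tag = On   ; re-enabled further down the file
"""

def ini_bool(raw):
    """Interpret an On/Off style php.ini value the way PHP does."""
    v = raw.strip().strip("\"'").lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m) and int(m.group()) != 0

def effective_settings(ini_text):
    """Return {directive: raw value}; ';' comments are skipped, last assignment wins."""
    settings = {}
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Drop a trailing ';' comment (enough for flags; not for quoted strings).
            settings[key.strip()] = value.split(";", 1)[0].strip()
    return settings

def audit(ini_text):
    """Return (directive, effective value, source, matches preferred) per checked directive."""
    found = effective_settings(ini_text)
    report = []
    for name, (preferred, default) in CHECKS.items():
        value = ini_bool(found[name]) if name in found else default
        source = "php.ini" if name in found else "built-in default"
        report.append((name, value, source, value == preferred))
    return report

if __name__ == "__main__":
    for name, value, source, ok in audit(SAMPLE_INI):
        print("OK  " if ok else "WARN", name, "=", "On" if value else "Off", f"({source})")
```

This reads a single file only. Additional scanned .ini files and per-directory overrides (.htaccess, .user.ini) are not considered, so compare the result with the values PHP itself reports.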