Here's a short explanation of the configuration directives.

Specifies a list of directories where the require, include, fopen(), file(), readfile() and file_get_contents() functions look for files. The format is like the system's PATH environment variable: a list of directories separated with a colon in Unix or semicolon in Windows.

PHP considers each entry in the include path separately when looking for files to include. It will check the first path, and if it doesn't find it, check the next path, until it either locates the included file or returns with an E_WARNING or an E_ERROR. You may modify or set your include path at runtime using set_include_path().

Example #1 Unix include_path

    include_path=".:/php/includes"

Example #2 Windows include_path

    include_path=".;c:\php\includes"

Using a . in the include path allows for relative includes as it means the current directory. However, it is more efficient to explicitly use include './file' than having PHP always check the current directory for every include.

Note: ENV variables are also accessible in .ini files. As such it is possible to reference the home directory using ${LOGIN} and ${USER}. Environment variables may vary between Server APIs as those environments may be different.

Example #3 Unix include_path using ${USER} env variable

    include_path = ".:${USER}/pear/php"
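The lookup order described above decides which file a bare include loads when the same name exists in more than one entry. The following is an added example, not part of the original manual text; the temporary directories and the file name lib.php are constructed for the demonstration.

```php
<?php
// Added example: the directory and file names below are constructed for the demo.
$base   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incpath_demo_' . getmypid();
$first  = $base . DIRECTORY_SEPARATOR . 'first';
$second = $base . DIRECTORY_SEPARATOR . 'second';
mkdir($first, 0700, true);
mkdir($second, 0700, true);

// The same file name exists in both directories; only the search order
// decides which copy a bare include 'lib.php' loads.
file_put_contents($first  . DIRECTORY_SEPARATOR . 'lib.php', "<?php return 'first copy';");
file_put_contents($second . DIRECTORY_SEPARATOR . 'lib.php', "<?php return 'second copy';");

$old = set_include_path($first . PATH_SEPARATOR . $second);
$loaded = include 'lib.php';
echo stream_resolve_include_path('lib.php'), ' => ', $loaded, PHP_EOL;

// Reversing the entries changes which file wins, with no change to the include statement.
set_include_path($second . PATH_SEPARATOR . $first);
$loaded = include 'lib.php';
echo stream_resolve_include_path('lib.php'), ' => ', $loaded, PHP_EOL;

// A name found in no entry resolves to false; include would raise a warning here.
var_dump(stream_resolve_include_path('no_such_file_demo.php'));

// Restore the previous setting and remove the constructed files.
set_include_path($old);
unlink($first . DIRECTORY_SEPARATOR . 'lib.php');
unlink($second . DIRECTORY_SEPARATOR . 'lib.php');
rmdir($first);
rmdir($second);
rmdir($base);
```

Because an earlier entry shadows a later one, a directory that less-trusted users can write to should not precede the directories holding application or library code.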

Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.

When a script tries to access the filesystem, for example using include, or fopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to access it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink. If the file doesn't exist then the symlink couldn't be resolved and the filename is compared to (a resolved) open_basedir.

open_basedir can affect more than just filesystem functions; for example if MySQL is configured to use mysqlnd drivers, LOAD DATA INFILE will be affected by open_basedir. Much of the extended functionality of PHP uses open_basedir in this way.

The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().

In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with "php_admin_value open_basedir none".

Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.

The restriction specified with open_basedir is a directory name since PHP 5.2.16 and 5.3.4. Previous versions used it as a prefix. This means that "open_basedir = /dir/incl" also allowed access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example:

    open_basedir = /dir/incl/

The default is to allow all files to be opened.

Note: As of PHP 5.3.0 open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set(). When listing several directories, you can use the PATH_SEPARATOR constant as a separator regardless of the operating system.

Note: Using open_basedir will set realpath_cache_size to 0 and thus disable the realpath cache.
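The difference between prefix and directory matching, and the run-time tightening rule, shown as an added example that is not part of the original manual text. The two allowed_as_* functions are a constructed model of the comparison, not PHP's internal code, and the script assumes it is run from the command line with no open_basedir already configured.

```php
<?php
// Added example: function names and sample paths are constructed for illustration.

// Before PHP 5.2.16 / 5.3.4: the setting is compared as a plain string prefix.
function allowed_as_prefix(string $path, string $basedir): bool
{
    return strncmp($path, $basedir, strlen($basedir)) === 0;
}

// Since then: the setting names a directory, so a match must end on a path boundary.
function allowed_as_directory(string $path, string $basedir): bool
{
    $dir = rtrim($basedir, '/');
    return $path === $dir || strncmp($path, $dir . '/', strlen($dir) + 1) === 0;
}

foreach (['/dir/incl/a.php', '/dir/include/b.php', '/dir/incls/c.php'] as $p) {
    printf("%-20s prefix:%-5s directory:%s\n", $p,
        var_export(allowed_as_prefix($p, '/dir/incl'), true),
        var_export(allowed_as_directory($p, '/dir/incl'), true));
}

// Run-time tightening (PHP 5.3.0+). $root stands in for the php.ini value.
$root = realpath(sys_get_temp_dir());
$sub  = $root . DIRECTORY_SEPARATOR . 'basedir_demo_' . getmypid();
mkdir($sub, 0700);

ini_set('open_basedir', $root);
var_dump(ini_set('open_basedir', $sub) !== false); // true: narrowing is accepted
var_dump(@scandir($root));                         // false: $root is now outside the tree
var_dump(@ini_set('open_basedir', $root));         // false: widening is refused

rmdir($sub); // still permitted, $sub is the base directory itself
```

Only the prefix model accepts /dir/include and /dir/incls, which is why configurations written for older versions end the value with a slash.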

PHP's "root directory" on the server. Only used if non-empty. If PHP is configured with safe mode, no files outside this directory are served. If PHP was not compiled with FORCE_REDIRECT, you should set doc_root if you are running PHP as a CGI under any web server (other than IIS). The alternative is to use the cgi.force_redirect configuration below.

The base name of the directory used in a user's home directory for PHP files, for example public_html.

In what directory PHP should look for dynamically loadable extensions. See also: enable_dl, and dl().

extension string

Which dynamically loadable extensions to load when PHP starts up.

Name of dynamically loadable Zend extension (for example APD) to load when PHP starts up.

Variant of zend_extension for extensions compiled with debug info prior to PHP 5.3.0.

Variant of zend_extension for extensions compiled with debug info and thread safety prior to PHP 5.3.0.

Variant of zend_extension for extensions compiled with thread safety prior to PHP 5.3.0.

Controls whether CGI PHP checks for a line starting with #! (shebang) at the top of the running script. This line might be needed if the script supports running both as a stand-alone script and via PHP CGI. PHP in CGI mode skips this line and ignores its content if this directive is turned on.

If this is enabled, the PHP CGI binary can safely be placed outside of the web tree and people will not be able to circumvent .htaccess security.

Provides real PATH_INFO / PATH_TRANSLATED support for CGI. PHP's previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok what PATH_INFO is. For more information on PATH_INFO, see the CGI specs. Setting this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting of zero causes PHP to behave as before. It is turned on by default. You should fix your scripts to use SCRIPT_FILENAME rather than PATH_TRANSLATED.

cgi.force_redirect is necessary to provide security running PHP as a CGI under most web servers. Left undefined, PHP turns this on by default. You can turn it off at your own risk. Note: Windows Users: When using IIS this option must be turned off. For OmniHTTPD or Xitami the same applies.

If cgi.nph is enabled it will force CGI to always send Status: 200 with every request.

If cgi.force_redirect is turned on, and you are not running under Apache or Netscape (iPlanet) web servers, you may need to set an environment variable name that PHP will look for to know it is OK to continue execution. Note: Setting this variable may cause security issues; know what you are doing first.

Tells PHP what type of headers to use when sending the HTTP response code. If it's set to 0, PHP sends an RFC 3875 "Status:" header that is supported by Apache and other web servers. When this option is set to 1, PHP will send RFC 2616 compliant headers. If this option is enabled, and you are running PHP in a CGI environment (e.g. PHP-FPM), you should not use standard RFC 2616 style HTTP status response headers; you should instead use their RFC 3875 equivalent, e.g. instead of header("HTTP/1.0 404 Not found"); you should use header("Status: 404 Not Found"); Leave it set to 0 unless you know what you're doing.

FastCGI under IIS (on WINNT based OS) supports the ability to impersonate security tokens of the calling client. This allows IIS to define the security context that the request runs under. mod_fastcgi under Apache does not currently support this feature (03/17/2002). Set to 1 if running under IIS. Default is zero.