PHP configuration
PhPeace has just been migrated to PHP 5, and PHP 4 is no longer supported.
PhPeace uses the following PHP libraries:
- xsl
- curl
- ctype
- iconv
- mbstring
- soap
Not all PHP binaries are distributed with these libraries, so you may have to install additional modules or recompile PHP.
Furthermore, PhPeace uses Archive_Tar from PEAR, which is now part of the PEAR package, so it is installed automatically with PEAR.
php.ini configuration
Some settings can be set per virtual host, others at global level, depending on what you want and on your privileges. If you are in doubt, check the official PHP documentation.
Here are some requirements:
- file_uploads should be enabled, otherwise you will not be able to upload anything
- memory_limit defaults to 16M; PhPeace sometimes performs heavy tasks, so it is better to set it to at least 64M, or preferably higher
And some suggestions:
- safe_mode Off. We consider safe_mode a useless restriction. It does not protect from some serious problems and furthermore it is architecturally incorrect to address security problems at PHP configuration level in such a generic way. It will not be supported by PHP6 anymore. However PhPeace can run with safe_mode on, if you really want to.
- register_globals must always be off; PhPeace does not need it. If some applications on your server need it, then they are poorly written and you should be very concerned about their security.
- allow_url_fopen should be off, as it represents a serious security issue; PhPeace does not use it.
- display_errors should generally be disabled in production; PhPeace uses its own error handler, and there is a debug setting in its configuration to display errors if debugging in the production environment becomes necessary (only for urgent cases). So if you think you will never need to debug PhPeace in a live installation, leave this off, which is safer for all your applications.
- enable_dl should be disabled (it allows open_basedir restrictions to be bypassed); PhPeace does not use it
- magic_quotes_gpc should be disabled; it adds complexity to input filtering and it is not database-specific; PhPeace does not need it
- open_basedir restricts the files that can be opened by PHP; PhPeace does not need it, but in a shared-hosting environment it may be better, for security reasons, to prevent other applications from accessing PhPeace files. Keep in mind that open_basedir has an impact on performance, and in any case it is not 100% safe. Furthermore, if you set open_basedir, take care to set a proper value for upload_tmp_dir, otherwise file uploads will fail. Finally, remember not to exclude your PEAR installation directory, which must remain available for inclusions
- upload_max_filesize and post_max_size should be set to allow for large file uploads (10M is a reasonable value, but you may prefer a different setting)
- If you see timezone errors, set date.timezone = CET in your php.ini
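As an added example (not part of PhPeace or of the original page), the following PHP script checks the running interpreter against the extensions and php.ini values listed above. The function names ini_bytes, ini_flag and audit_php_config are hypothetical, and the open_basedir check is a plain prefix comparison rather than PHP's own path resolution.

```php
<?php
// Added example, not PhPeace code; all function names here are hypothetical.
// Convert php.ini shorthand ("64M", "1G") to bytes.
function ini_bytes($value) {
    $value = trim((string) $value);
    // -1 (memory_limit) and 0 (post_max_size) mean "no limit"
    if ($value === '-1' || $value === '0') return PHP_INT_MAX;
    $number = (float) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': $number *= 1024; // fall through
        case 'M': $number *= 1024; // fall through
        case 'K': $number *= 1024;
    }
    return (int) $number;
}

// ini_get() returns false for a directive this PHP build does not know, and
// "", "0" or "Off" (depending on where it was set) for a disabled flag.
function ini_flag($name) {
    $raw = ini_get($name);
    return $raw !== false
        && !in_array(strtolower(trim($raw)), array('', '0', 'off', 'false', 'no'), true);
}

function audit_php_config() {
    $problems = array();
    foreach (array('xsl', 'curl', 'ctype', 'iconv', 'mbstring', 'soap') as $ext) {
        if (!extension_loaded($ext)) $problems[] = "missing extension: $ext";
    }
    if (!ini_flag('file_uploads')) $problems[] = 'file_uploads is off';
    $off = array('register_globals', 'allow_url_fopen', 'display_errors', 'enable_dl', 'magic_quotes_gpc');
    foreach ($off as $flag) {
        if (ini_flag($flag)) $problems[] = "$flag is on, recommended off";
    }
    $minimums = array('memory_limit' => '64M', 'upload_max_filesize' => '10M', 'post_max_size' => '10M');
    foreach ($minimums as $name => $min) {
        if (ini_bytes(ini_get($name)) < ini_bytes($min)) $problems[] = "$name is below $min";
    }
    // With open_basedir set, the upload temp directory must lie inside it.
    $basedir = (string) ini_get('open_basedir');
    $tmp = (string) ini_get('upload_tmp_dir');
    if ($tmp === '') $tmp = sys_get_temp_dir(); // PHP falls back to the system default
    $inside = ($basedir === '');
    foreach (explode(PATH_SEPARATOR, $basedir) as $prefix) {
        if ($prefix !== '' && strpos($tmp, $prefix) === 0) $inside = true;
    }
    if (!$inside) $problems[] = "upload_tmp_dir ($tmp) is outside open_basedir";
    return $problems;
}
foreach (audit_php_config() as $line) echo "WARN $line\n";
```

Run it through the web server rather than from the command line, since the CLI binary often reads a different php.ini.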
Regarding the execution of shell commands, PhPeace needs to execute the following ones (input is always escaped in the construction of the command):
- convert (imagemagick)
- ffmpeg (for video encoding)
