PHP configuration for DokuWiki

The aim of this page is to discuss PHP settings that have an impact on DokuWiki installations in terms of functionality, performance, security and portability. Please consult the online PHP manual for more details.

FIXME More contributions for this page are needed.

php.ini

The basic means of configuring PHP is via a configuration file (php.ini as of PHP 4). For the server module versions of PHP, this happens only once when the web server is started. For the CGI and CLI version, it happens on every invocation.

This file contains a list of directives that control the way that PHP functions. You can see the online php.ini directives page for a detailed reference of those directives.

While in most cases, DokuWiki will operate “out-of-the-box” with typical distribution PHP settings, a number of configuration options has particular importance to DokuWiki.

On the other hand, always be warned that what may be a good or even suggested value for DokuWiki might in some cases break other PHP applications you also host. This is especialy true when enabling directives that enhance PHP security while having other PHP applications that rely on insecure features of PHP like register_globals etc.

register_globals

Controls if global variables will be registered for input data (POST, GET, cookies, environment and other server variables). Unfortunately this often leads to See security problems.

DokuWiki will run even with register_globals set to off.

Suggested: register_globals = Off

short_open_tag

Allow the <? tag. Otherwise, only <?php and <script> tags are recognized.

DokuWiki will run even with short_open_tag set to off. However, note that there exist templates that rely on this feature being set to On.

Suggested: short_open_tag = Off

safe_mode

Safe Mode attempt to solve the shared-server security problem by restricting/disabling certain PHP functions.

DokuWiki will run even with safe_mode set to off.

However, depending on your hosters configuration you may need to use the safemodehack option.

If in doubt, or when troubleshooting, start with safe_mode = Off.

output_buffering

Output buffering allows you to send header lines (including cookies) even after you send body content, at the price of slowing PHP's output layer a bit.

Suggested: output_buffering = Off Is this right? This is the default as of PHP 4.3.5.

output_handler

Redirect all the output of all scripts to a function. Setting output_handler automatically turns on output_buffering. However, this solution is not advised.

Note: you cannot use both “output_handler = ob_gzhandler” and “zlib.output_compression”.

Suggested: output_handler =

zlib.output_compression

Provides transparent output compression using the zlib library. In general setting zlib.output_compression = On works quite well with DokuWiki.

However, developer versions of DokuWiki support (when gzip_output is enabled) output compression, thus in the near future:

Suggested: output_handler = Off

Note: you cannot use both “output_handler = ob_gzhandler” and “zlib.output_compression”. In case you have enabled zlib.output_compression in php.ini and $conf['gzip_output'] (ie ob_gzhandler) and get warnings like this in the error.log file of apache:

Warning: ob_start(): output handler 'ob_gzhandler' conflicts with 'zlib output compression' in …

you should also add (PHP4)

<ifModule mod_php4.c>
php_value zlib.output_compression off
</ifModule>

or (PHP5)

<ifModule mod_php5.c>
php_value zlib.output_compression off
</ifModule>

to the DokuWiki root .htaccess file. For portability between PHP4 to PHP5 you may even add both of them.

implicit_flush

Tells PHP to tell the output layer to flush itself automatically after every output block. Turning this option on has serious performance implications and is generally recommended for debugging purposes only.

Suggested: implicit_flush = Off

allow_call_time_pass_reference

Whether to warn when arguments are passed by reference at function call time, as this method is deprecated. Arguments that should be passed by reference should be indicated in the function declaration, not at function call time.

Suggested: allow_call_time_pass_reference = Off

max_execution_time

Maximum execution time of each script, in seconds.

Suggested: max_execution_time = 30

max_input_time

Maximum amount of time each script may spend parsing request data.

Suggested: max_input_time = 60

memory_limit

Maximum amount of memory a script may consume.

Suggested: memory_limit = 8M

error_reporting

Which errors to report.

Suggested: error_reporting = E_ALL & ~E_NOTICE

display_errors

Print out errors (as a part of the output). For production web sites, you're strongly encouraged to turn this feature off, and use error logging instead.

Suggested: display_errors = Off

display_startup_errors

Print out errors that occur during PHP's startup sequence (display_errors has no control over these). It's strongly recommended to keep display_startup_errors off, except for when debugging.

Suggested: display_startup_errors = Off

log_errors

Log errors into a log file. Also set error_log accordingly.

Suggested: log_errors = On

variables_order

The order in which PHP registers GET, POST, Cookie, Environment and Built-in variables (G, P, C, E & S respectively).

Suggested: variables_order = “EGPCS” Is this right?

register_argc_argv

Whether to declare the argv & argc variables (that would contain the GET information).

Suggested: register_argc_argv = Off

Magic Quotes

Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

magic_quotes_gpc

Affects HTTP Request data (GET, POST, and Cookie).

Suggested: magic_quotes_gpc = On

magic_quotes_runtime

If enabled, most functions that return data from an external source, including databases and text files (SQL, from exec(), etc), will have quotes escaped with a backslash.