Urgent | Info Required | PHP ini_set

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Hello All,

We have a client who is providing Web Hosting Solutions. One of the
features include PHP Scripting.
For security reasons, we have disabled some PHP Functions including
'ini_set'. Some end customers actually want this function to be

We have analyzed the list of directives which are available via
'ini_set' (PHP_INI_ALL). Refer: http://in.php.net/manual/en/ini.php

For us, this is a critical decision to make as some of the
configuration like memory_limit can be misused by customers.

We are using PHP v4.4.0 (ISAPI based) on Windows Server 2003 (IIS 6.0).
Also, PHP is running under 'Safe Mode' hence max_execution_time cannot
be overridden with ini_set.

1. Can we disable some critical PHP Directives (changeable as
PHP_INI_ALL) so that even with 'ini_set', user cannot override them? If
yes, how?
2. Is there any other way of securing the web server with ini_set

Thanks in advance.

Re: Urgent | Info Required | PHP ini_set

TJ wrote:
Quoted text here. Click to load it

Try this.


It says you can set php config values in the windows registry which
have the same effect as php_admin_flag and php_admin_value do on

Its referred to in in the manual but not as clearly.
The windows section says it works with some ini settings but not others
and it doesn't really say whether they can be overridden by the user or

Re: Urgent | Info Required | PHP ini_set

Hello Tim,

Thanks for your reply. I tried the approach as mentioned (using
registry keys) but to no luck..!! :-(

I tried this with 'session.name' setting it up with some other name as
configured in php.ini, but even after that I was able to override these
settings using ini_set.

It looks like all PHP Directives marked as 'PHP_INI_ALL' can be
overridden with ini_set.

Let me know if anyone has more ideas to share.


Site Timeline