PHP Security?

Similar Messages

• Is php security and secure connection are enough for securing big web app. like fb?

  i mean....using php security functions and using secure coneection .....are enough for protecting big web apps. like fb??

  With great difficulty and constant monitoring and tweaking.
  Gramps

• Apache and PHP Security Scans

  I am now required to keep up with the latest versions of Apache and PHP on my Xserves for security reasons. Is there an easy way to do this?

  In order to keep up with security updates you'll have to install your own apache and php and stop using the ones that comes with Mac OS X (i think it is a good idea to do that anyway).
  Fortunately there are tools out there that will help you.
  I use macports, (http://macports.org) but if you decide to use it you will no longer be able to start, stop and control apache from the Server Admin interface. (there is actually a way to continue to do it but it will break at any system update you run).
  If you are comfortable controlling the server with the command line you'll like it very much and at the end feel it is a great improvement over the apache/php that ships with OS X.
  There is also Fink (http://www.finkproject.org/) but i have never used it so i can't say if it will work well or not and i'm sure it will also prevent you from using the Server Admin.
  Good luck.

• Security aspects of PHP

  What are the security aspects of using PHP with SAP; compared to either "in-house" technologies like BSP or Web Dynpro, or using a J2EE-based environment, based on Java? The biggest drawback of PHP seems to be in the security-related area. How does this open source technology mix with highly secured, sensitive-information SAP installations?
  Trond

  Don't think of it as PHP security, Just think of it as security, and what you want to implement, and what you have available.
  1) Use Active Drirectory and place people in groups which can perform cerain tasks. using the LDAP class in PHP you can enforce those groups.
  2) Prompt users for security information which is sent to SAP. SAP will enforce what the user can or can't do. PHP will be the broker
  3) Develop a local secuirty system within php, perhaps using  something along the lines of http://phpgacl.sourceforge.net/
  4) You could even setup a SecurID security system and implement it with your application.
  Many choices are available, all with plus and minus aspects.

• Nginx + php-fpm problem

  Hello there.
  I just setup nginx with mysql and php-fpm to my archlinux install and i need help.
  i checked all over internet and try every solution, none still work.
  i have a blank page problem
  this is working correctly:
  <?php
  phpinfo();
  ?>
  short tags are enabled and php short tags are also working.
  i try to install phpbb, the install page load, once the install done.. blank page.
  i tryed a working backup of phpbb from my old server.. blank page, same with my phpnuke backup, blank page.
  i tryed chown to root:root and http:http, and chmod rwx for group user and other, i dont think it is a permission problem.
  Probably a little stupid error on my end but i can't find it, i tryed everything.
  my nginx.cong
  #user html;
  worker_processes 1;
  #error_log logs/error.log;
  #error_log logs/error.log notice;
  #error_log logs/error.log info;
  #pid logs/nginx.pid;
  events {
  worker_connections 1024;
  http {
  include mime.types;
  default_type application/octet-stream;
  #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  # '$status $body_bytes_sent "$http_referer" '
  # '"$http_user_agent" "$http_x_forwarded_for"';
  #access_log logs/access.log main;
  sendfile on;
  #tcp_nopush on;
  #keepalive_timeout 0;
  keepalive_timeout 65;
  #gzip on;
  server {
  listen 80;
  server_name localhost;
  #charset koi8-r;
  #access_log logs/host.access.log main;
  location / {
  root /usr/share/nginx/html;
  index index.html index.htm;
  #error_page 404 /404.html;
  # redirect server error pages to the static page /50x.html
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
  root /usr/share/nginx/html;
  # proxy the PHP scripts to Apache listening on 127.0.0.1:80
  #location ~ \.php$ {
  # proxy_pass http://127.0.0.1;
  # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
  #location ~ \.php$ {
  # root html;
  # fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
  # fastcgi_index index.php;
  # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  # include fastcgi_params;
  # deny access to .htaccess files, if Apache's document root
  # concurs with nginx's one
  #location ~ /\.ht {
  # deny all;
  # another virtual host using mix of IP-, name-, and port-based configuration
  #server {
  # listen 8000;
  # listen somename:8080;
  # server_name somename alias another.alias;
  # location / {
  # root html;
  # index index.html index.htm;
  server {
  listen 80;
  listen clan-ws.net:80;
  server_name clan-ws.net www.clan-ws.net;
  autoindex on;
  root /srv/http/;
  index index.html index.htm index.php;
  location ~ \.php$ {
  #fastcgi_pass 127.0.0.1:9000;
  fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
  fastcgi_index index.php;
  # include fastcgi.conf;
  include fastcgi_params;
  # include /etc/nginx/fastcgi_params;
  # HTTPS server
  #server {
  # listen 443;
  # server_name localhost;
  # ssl on;
  # ssl_certificate cert.pem;
  # ssl_certificate_key cert.key;
  # ssl_session_timeout 5m;
  # ssl_protocols SSLv2 SSLv3 TLSv1;
  # ssl_ciphers HIGH:!aNULL:!MD5;
  # ssl_prefer_server_ciphers on;
  # location / {
  # root html;
  # index index.html index.htm;
  php-fpm.conf
  ; FPM Configuration ;
  ; All relative paths in this configuration file are relative to PHP's install
  ; prefix (/usr). This prefix can be dynamicaly changed by using the
  ; '-p' argument from the command line.
  ; Include one or more files. If glob(3) exists, it is used to include a bunch of
  ; files from a glob(3) pattern. This directive can be used everywhere in the
  ; file.
  ; Relative path can also be used. They will be prefixed by:
  ; - the global prefix if it's been set (-p arguement)
  ; - /usr otherwise
  ;include=/etc/php/fpm.d/*.conf
  ; Global Options ;
  [global]
  ; Pid file
  ; Note: the default prefix is /var
  ; Default Value: none
  pid = /run/php-fpm/php-fpm.pid
  ; Error log file
  ; If it's set to "syslog", log is sent to syslogd instead of being written
  ; in a local file.
  ; Note: the default prefix is /var
  ; Default Value: log/php-fpm.log
  ;error_log = log/php-fpm.log
  ; syslog_facility is used to specify what type of program is logging the
  ; message. This lets syslogd specify that messages from different facilities
  ; will be handled differently.
  ; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
  ; Default Value: daemon
  ;syslog.facility = daemon
  ; syslog_ident is prepended to every message. If you have multiple FPM
  ; instances running on the same server, you can change the default value
  ; which must suit common needs.
  ; Default Value: php-fpm
  ;syslog.ident = php-fpm
  ; Log level
  ; Possible Values: alert, error, warning, notice, debug
  ; Default Value: notice
  ;log_level = notice
  ; If this number of child processes exit with SIGSEGV or SIGBUS within the time
  ; interval set by emergency_restart_interval then FPM will restart. A value
  ; of '0' means 'Off'.
  ; Default Value: 0
  ;emergency_restart_threshold = 0
  ; Interval of time used by emergency_restart_interval to determine when
  ; a graceful restart will be initiated. This can be useful to work around
  ; accidental corruptions in an accelerator's shared memory.
  ; Available Units: s(econds), m(inutes), h(ours), or d(ays)
  ; Default Unit: seconds
  ; Default Value: 0
  ;emergency_restart_interval = 0
  ; Time limit for child processes to wait for a reaction on signals from master.
  ; Available units: s(econds), m(inutes), h(ours), or d(ays)
  ; Default Unit: seconds
  ; Default Value: 0
  ;process_control_timeout = 0
  ; The maximum number of processes FPM will fork. This has been design to control
  ; the global number of processes when using dynamic PM within a lot of pools.
  ; Use it with caution.
  ; Note: A value of 0 indicates no limit
  ; Default Value: 0
  ; process.max = 128
  ; Specify the nice(2) priority to apply to the master process (only if set)
  ; The value can vary from -19 (highest priority) to 20 (lower priority)
  ; Note: - It will only work if the FPM master process is launched as root
  ; - The pool process will inherit the master process priority
  ; unless it specified otherwise
  ; Default Value: no set
  ; process.priority = -19
  ; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
  ; Default Value: yes
  ;daemonize = yes
  ; Set open file descriptor rlimit for the master process.
  ; Default Value: system defined value
  ;rlimit_files = 1024
  ; Set max core size rlimit for the master process.
  ; Possible Values: 'unlimited' or an integer greater or equal to 0
  ; Default Value: system defined value
  ;rlimit_core = 0
  ; Specify the event mechanism FPM will use. The following is available:
  ; - select (any POSIX os)
  ; - poll (any POSIX os)
  ; - epoll (linux >= 2.5.44)
  ; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
  ; - /dev/poll (Solaris >= 7)
  ; - port (Solaris >= 10)
  ; Default Value: not set (auto detection)
  ;events.mechanism = epoll
  ; When FPM is build with systemd integration, specify the interval,
  ; in second, between health report notification to systemd.
  ; Set to 0 to disable.
  ; Available Units: s(econds), m(inutes), h(ours)
  ; Default Unit: seconds
  ; Default value: 10
  ;systemd_interval = 10
  ; Pool Definitions ;
  ; Multiple pools of child processes may be started with different listening
  ; ports and different management options. The name of the pool will be
  ; used in logs and stats. There is no limitation on the number of pools which
  ; FPM can handle. Your system will tell you anyway :)
  ; Start a new pool named 'www'.
  ; the variable $pool can we used in any directive and will be replaced by the
  ; pool name ('www' here)
  [www]
  ; Per pool prefix
  ; It only applies on the following directives:
  ; - 'slowlog'
  ; - 'listen' (unixsocket)
  ; - 'chroot'
  ; - 'chdir'
  ; - 'php_values'
  ; - 'php_admin_values'
  ; When not set, the global prefix (or /usr) applies instead.
  ; Note: This directive can also be relative to the global prefix.
  ; Default Value: none
  ;prefix = /path/to/pools/$pool
  ; Unix user/group of processes
  ; Note: The user is mandatory. If the group is not set, the default user's group
  ; will be used.
  user = http
  group = http
  ; The address on which to accept FastCGI requests.
  ; Valid syntaxes are:
  ; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
  ; a specific port;
  ; 'port' - to listen on a TCP socket to all addresses on a
  ; specific port;
  ; '/path/to/unix/socket' - to listen on a unix socket.
  ; Note: This value is mandatory.
  ;listen = 127.0.0.1:9000
  listen = /run/php-fpm/php-fpm.sock
  ; Set listen(2) backlog.
  ; Default Value: 128 (-1 on FreeBSD and OpenBSD)
  ;listen.backlog = 128
  ; Set permissions for unix socket, if one is used. In Linux, read/write
  ; permissions must be set in order to allow connections from a web server. Many
  ; BSD-derived systems allow connections regardless of permissions.
  ; Default Values: user and group are set as the running user
  ; mode is set to 0666
  listen.owner = http
  listen.group = http
  listen.mode = 0660
  ; List of ipv4 addresses of FastCGI clients which are allowed to connect.
  ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
  ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
  ; must be separated by a comma. If this value is left blank, connections will be
  ; accepted from any ip address.
  ; Default Value: any
  ;listen.allowed_clients = 127.0.0.1
  ; Specify the nice(2) priority to apply to the pool processes (only if set)
  ; The value can vary from -19 (highest priority) to 20 (lower priority)
  ; Note: - It will only work if the FPM master process is launched as root
  ; - The pool processes will inherit the master process priority
  ; unless it specified otherwise
  ; Default Value: no set
  ; priority = -19
  ; Choose how the process manager will control the number of child processes.
  ; Possible Values:
  ; static - a fixed number (pm.max_children) of child processes;
  ; dynamic - the number of child processes are set dynamically based on the
  ; following directives. With this process management, there will be
  ; always at least 1 children.
  ; pm.max_children - the maximum number of children that can
  ; be alive at the same time.
  ; pm.start_servers - the number of children created on startup.
  ; pm.min_spare_servers - the minimum number of children in 'idle'
  ; state (waiting to process). If the number
  ; of 'idle' processes is less than this
  ; number then some children will be created.
  ; pm.max_spare_servers - the maximum number of children in 'idle'
  ; state (waiting to process). If the number
  ; of 'idle' processes is greater than this
  ; number then some children will be killed.
  ; ondemand - no children are created at startup. Children will be forked when
  ; new requests will connect. The following parameter are used:
  ; pm.max_children - the maximum number of children that
  ; can be alive at the same time.
  ; pm.process_idle_timeout - The number of seconds after which
  ; an idle process will be killed.
  ; Note: This value is mandatory.
  pm = dynamic
  ; The number of child processes to be created when pm is set to 'static' and the
  ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
  ; This value sets the limit on the number of simultaneous requests that will be
  ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
  ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
  ; CGI. The below defaults are based on a server without much resources. Don't
  ; forget to tweak pm.* to fit your needs.
  ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
  ; Note: This value is mandatory.
  pm.max_children = 5
  ; The number of child processes created on startup.
  ; Note: Used only when pm is set to 'dynamic'
  ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
  pm.start_servers = 2
  ; The desired minimum number of idle server processes.
  ; Note: Used only when pm is set to 'dynamic'
  ; Note: Mandatory when pm is set to 'dynamic'
  pm.min_spare_servers = 1
  ; The desired maximum number of idle server processes.
  ; Note: Used only when pm is set to 'dynamic'
  ; Note: Mandatory when pm is set to 'dynamic'
  pm.max_spare_servers = 3
  ; The number of seconds after which an idle process will be killed.
  ; Note: Used only when pm is set to 'ondemand'
  ; Default Value: 10s
  ;pm.process_idle_timeout = 10s;
  ; The number of requests each child process should execute before respawning.
  ; This can be useful to work around memory leaks in 3rd party libraries. For
  ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
  ; Default Value: 0
  ;pm.max_requests = 500
  ; The URI to view the FPM status page. If this value is not set, no URI will be
  ; recognized as a status page. It shows the following informations:
  ; pool - the name of the pool;
  ; process manager - static, dynamic or ondemand;
  ; start time - the date and time FPM has started;
  ; start since - number of seconds since FPM has started;
  ; accepted conn - the number of request accepted by the pool;
  ; listen queue - the number of request in the queue of pending
  ; connections (see backlog in listen(2));
  ; max listen queue - the maximum number of requests in the queue
  ; of pending connections since FPM has started;
  ; listen queue len - the size of the socket queue of pending connections;
  ; idle processes - the number of idle processes;
  ; active processes - the number of active processes;
  ; total processes - the number of idle + active processes;
  ; max active processes - the maximum number of active processes since FPM
  ; has started;
  ; max children reached - number of times, the process limit has been reached,
  ; when pm tries to start more children (works only for
  ; pm 'dynamic' and 'ondemand');
  ; Value are updated in real time.
  ; Example output:
  ; pool: www
  ; process manager: static
  ; start time: 01/Jul/2011:17:53:49 +0200
  ; start since: 62636
  ; accepted conn: 190460
  ; listen queue: 0
  ; max listen queue: 1
  ; listen queue len: 42
  ; idle processes: 4
  ; active processes: 11
  ; total processes: 15
  ; max active processes: 12
  ; max children reached: 0
  ; By default the status page output is formatted as text/plain. Passing either
  ; 'html', 'xml' or 'json' in the query string will return the corresponding
  ; output syntax. Example:
  ; http://www.foo.bar/status
  ; http://www.foo.bar/status?json
  ; http://www.foo.bar/status?html
  ; http://www.foo.bar/status?xml
  ; By default the status page only outputs short status. Passing 'full' in the
  ; query string will also return status for each pool process.
  ; Example:
  ; http://www.foo.bar/status?full
  ; http://www.foo.bar/status?json&full
  ; http://www.foo.bar/status?html&full
  ; http://www.foo.bar/status?xml&full
  ; The Full status returns for each process:
  ; pid - the PID of the process;
  ; state - the state of the process (Idle, Running, ...);
  ; start time - the date and time the process has started;
  ; start since - the number of seconds since the process has started;
  ; requests - the number of requests the process has served;
  ; request duration - the duration in µs of the requests;
  ; request method - the request method (GET, POST, ...);
  ; request URI - the request URI with the query string;
  ; content length - the content length of the request (only with POST);
  ; user - the user (PHP_AUTH_USER) (or '-' if not set);
  ; script - the main script called (or '-' if not set);
  ; last request cpu - the %cpu the last request consumed
  ; it's always 0 if the process is not in Idle state
  ; because CPU calculation is done when the request
  ; processing has terminated;
  ; last request memory - the max amount of memory the last request consumed
  ; it's always 0 if the process is not in Idle state
  ; because memory calculation is done when the request
  ; processing has terminated;
  ; If the process is in Idle state, then informations are related to the
  ; last request the process has served. Otherwise informations are related to
  ; the current request being served.
  ; Example output:
  ; pid: 31330
  ; state: Running
  ; start time: 01/Jul/2011:17:53:49 +0200
  ; start since: 63087
  ; requests: 12808
  ; request duration: 1250261
  ; request method: GET
  ; request URI: /test_mem.php?N=10000
  ; content length: 0
  ; user: -
  ; script: /home/fat/web/docs/php/test_mem.php
  ; last request cpu: 0.00
  ; last request memory: 0
  ; Note: There is a real-time FPM status monitoring sample web page available
  ; It's available in: ${prefix}/share/fpm/status.html
  ; Note: The value must start with a leading slash (/). The value can be
  ; anything, but it may not be a good idea to use the .php extension or it
  ; may conflict with a real PHP file.
  ; Default Value: not set
  ;pm.status_path = /status
  ; The ping URI to call the monitoring page of FPM. If this value is not set, no
  ; URI will be recognized as a ping page. This could be used to test from outside
  ; that FPM is alive and responding, or to
  ; - create a graph of FPM availability (rrd or such);
  ; - remove a server from a group if it is not responding (load balancing);
  ; - trigger alerts for the operating team (24/7).
  ; Note: The value must start with a leading slash (/). The value can be
  ; anything, but it may not be a good idea to use the .php extension or it
  ; may conflict with a real PHP file.
  ; Default Value: not set
  ;ping.path = /ping
  ; This directive may be used to customize the response of a ping request. The
  ; response is formatted as text/plain with a 200 response code.
  ; Default Value: pong
  ;ping.response = pong
  ; The access log file
  ; Default: not set
  ;access.log = log/$pool.access.log
  ; The access log format.
  ; The following syntax is allowed
  ; %%: the '%' character
  ; %C: %CPU used by the request
  ; it can accept the following format:
  ; - %{user}C for user CPU only
  ; - %{system}C for system CPU only
  ; - %{total}C for user + system CPU (default)
  ; %d: time taken to serve the request
  ; it can accept the following format:
  ; - %{seconds}d (default)
  ; - %{miliseconds}d
  ; - %{mili}d
  ; - %{microseconds}d
  ; - %{micro}d
  ; %e: an environment variable (same as $_ENV or $_SERVER)
  ; it must be associated with embraces to specify the name of the env
  ; variable. Some exemples:
  ; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
  ; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
  ; %f: script filename
  ; %l: content-length of the request (for POST request only)
  ; %m: request method
  ; %M: peak of memory allocated by PHP
  ; it can accept the following format:
  ; - %{bytes}M (default)
  ; - %{kilobytes}M
  ; - %{kilo}M
  ; - %{megabytes}M
  ; - %{mega}M
  ; %n: pool name
  ; %o: ouput header
  ; it must be associated with embraces to specify the name of the header:
  ; - %{Content-Type}o
  ; - %{X-Powered-By}o
  ; - %{Transfert-Encoding}o
  ; %p: PID of the child that serviced the request
  ; %P: PID of the parent of the child that serviced the request
  ; %q: the query string
  ; %Q: the '?' character if query string exists
  ; %r: the request URI (without the query string, see %q and %Q)
  ; %R: remote IP address
  ; %s: status (response code)
  ; %t: server time the request was received
  ; it can accept a strftime(3) format:
  ; %d/%b/%Y:%H:%M:%S %z (default)
  ; %T: time the log has been written (the request has finished)
  ; it can accept a strftime(3) format:
  ; %d/%b/%Y:%H:%M:%S %z (default)
  ; %u: remote user
  ; Default: "%R - %u %t \"%m %r\" %s"
  ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
  ; The log file for slow requests
  ; Default Value: not set
  ; Note: slowlog is mandatory if request_slowlog_timeout is set
  ;slowlog = log/$pool.log.slow
  ; The timeout for serving a single request after which a PHP backtrace will be
  ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
  ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
  ; Default Value: 0
  ;request_slowlog_timeout = 0
  ; The timeout for serving a single request after which the worker process will
  ; be killed. This option should be used when the 'max_execution_time' ini option
  ; does not stop script execution for some reason. A value of '0' means 'off'.
  ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
  ; Default Value: 0
  ;request_terminate_timeout = 0
  ; Set open file descriptor rlimit.
  ; Default Value: system defined value
  ;rlimit_files = 1024
  ; Set max core size rlimit.
  ; Possible Values: 'unlimited' or an integer greater or equal to 0
  ; Default Value: system defined value
  ;rlimit_core = 0
  ; Chroot to this directory at the start. This value must be defined as an
  ; absolute path. When this value is not set, chroot is not used.
  ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
  ; of its subdirectories. If the pool prefix is not set, the global prefix
  ; will be used instead.
  ; Note: chrooting is a great security feature and should be used whenever
  ; possible. However, all PHP paths will be relative to the chroot
  ; (error_log, sessions.save_path, ...).
  ; Default Value: not set
  ;chroot =
  ; Chdir to this directory at the start.
  ; Note: relative path can be used.
  ; Default Value: current directory or / when chroot
  ;chdir = /srv/http
  ; Redirect worker stdout and stderr into main error log. If not set, stdout and
  ; stderr will be redirected to /dev/null according to FastCGI specs.
  ; Note: on highloaded environement, this can cause some delay in the page
  ; process time (several ms).
  ; Default Value: no
  ;catch_workers_output = yes
  ; Limits the extensions of the main script FPM will allow to parse. This can
  ; prevent configuration mistakes on the web server side. You should only limit
  ; FPM to .php extensions to prevent malicious users to use other extensions to
  ; exectute php code.
  ; Note: set an empty value to allow all extensions.
  ; Default Value: .php
  ;security.limit_extensions = .php .php3 .php4 .php5
  ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
  ; the current environment.
  ; Default Value: clean env
  ;env[HOSTNAME] = $HOSTNAME
  ;env[PATH] = /usr/local/bin:/usr/bin:/bin
  ;env[TMP] = /tmp
  ;env[TMPDIR] = /tmp
  ;env[TEMP] = /tmp
  ; Additional php.ini defines, specific to this pool of workers. These settings
  ; overwrite the values previously defined in the php.ini. The directives are the
  ; same as the PHP SAPI:
  ; php_value/php_flag - you can set classic ini defines which can
  ; be overwritten from PHP call 'ini_set'.
  ; php_admin_value/php_admin_flag - these directives won't be overwritten by
  ; PHP call 'ini_set'
  ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
  ; Defining 'extension' will load the corresponding shared extension from
  ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
  ; overwrite previously defined php.ini values, but will append the new value
  ; instead.
  ; Note: path INI options can be relative and will be expanded with the prefix
  ; (pool, global or /usr)
  ; Default Value: nothing is defined by default except the values in php.ini and
  ; specified at startup with the -d argument
  ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f [email protected]
  ;php_flag[display_errors] = off
  ;php_admin_value[error_log] = /var/log/fpm-php.www.log
  ;php_admin_flag[log_errors] = on
  ;php_admin_value[memory_limit] = 32M
  php.ini
  [PHP]
  ; About php.ini ;
  ; PHP's initialization file, generally called php.ini, is responsible for
  ; configuring many of the aspects of PHP's behavior.
  ; PHP attempts to find and load this configuration from a number of locations.
  ; The following is a summary of its search order:
  ; 1. SAPI module specific location.
  ; 2. The PHPRC environment variable. (As of PHP 5.2.0)
  ; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
  ; 4. Current working directory (except CLI)
  ; 5. The web server's directory (for SAPI modules), or directory of PHP
  ; (otherwise in Windows)
  ; 6. The directory from the --with-config-file-path compile time option, or the
  ; Windows directory (C:\windows or C:\winnt)
  ; See the PHP docs for more specific information.
  ; http://php.net/configuration.file
  ; The syntax of the file is extremely simple. Whitespace and lines
  ; beginning with a semicolon are silently ignored (as you probably guessed).
  ; Section headers (e.g. [Foo]) are also silently ignored, even though
  ; they might mean something in the future.
  ; Directives following the section heading [PATH=/www/mysite] only
  ; apply to PHP files in the /www/mysite directory. Directives
  ; following the section heading [HOST=www.example.com] only apply to
  ; PHP files served from www.example.com. Directives set in these
  ; special sections cannot be overridden by user-defined INI files or
  ; at runtime. Currently, [PATH=] and [HOST=] sections only work under
  ; CGI/FastCGI.
  ; http://php.net/ini.sections
  ; Directives are specified using the following syntax:
  ; directive = value
  ; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
  ; Directives are variables used to configure PHP or PHP extensions.
  ; There is no name validation. If PHP can't find an expected
  ; directive because it is not set or is mistyped, a default value will be used.
  ; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
  ; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
  ; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a
  ; previously set variable or directive (e.g. ${foo})
  ; Expressions in the INI file are limited to bitwise operators and parentheses:
  ; | bitwise OR
  ; ^ bitwise XOR
  ; & bitwise AND
  ; ~ bitwise NOT
  ; ! boolean NOT
  ; Boolean flags can be turned on using the values 1, On, True or Yes.
  ; They can be turned off using the values 0, Off, False or No.
  ; An empty string can be denoted by simply not writing anything after the equal
  ; sign, or by using the None keyword:
  ; foo = ; sets foo to an empty string
  ; foo = None ; sets foo to an empty string
  ; foo = "None" ; sets foo to the string 'None'
  ; If you use constants in your value, and these constants belong to a
  ; dynamically loaded extension (either a PHP extension or a Zend extension),
  ; you may only use these constants *after* the line that loads the extension.
  ; About this file ;
  ; PHP comes packaged with two INI files. One that is recommended to be used
  ; in production environments and one that is recommended to be used in
  ; development environments.
  ; php.ini-production contains settings which hold security, performance and
  ; best practices at its core. But please be aware, these settings may break
  ; compatibility with older or less security conscience applications. We
  ; recommending using the production ini in production and testing environments.
  ; php.ini-development is very similar to its production variant, except it's
  ; much more verbose when it comes to errors. We recommending using the
  ; development version only in development environments as errors shown to
  ; application users can inadvertently leak otherwise secure information.
  ; Quick Reference ;
  ; The following are all the settings which are different in either the production
  ; or development versions of the INIs with respect to PHP's default behavior.
  ; Please see the actual settings later in the document for more details as to why
  ; we recommend these changes in PHP's behavior.
  ; display_errors
  ; Default Value: On
  ; Development Value: On
  ; Production Value: Off
  ; display_startup_errors
  ; Default Value: Off
  ; Development Value: On
  ; Production Value: Off
  ; error_reporting
  ; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
  ; Development Value: E_ALL
  ; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
  ; html_errors
  ; Default Value: On
  ; Development Value: On
  ; Production value: On
  ; log_errors
  ; Default Value: Off
  ; Development Value: On
  ; Production Value: On
  ; max_input_time
  ; Default Value: -1 (Unlimited)
  ; Development Value: 60 (60 seconds)
  ; Production Value: 60 (60 seconds)
  ; output_buffering
  ; Default Value: Off
  ; Development Value: 4096
  ; Production Value: 4096
  ; register_argc_argv
  ; Default Value: On
  ; Development Value: Off
  ; Production Value: Off
  ; request_order
  ; Default Value: None
  ; Development Value: "GP"
  ; Production Value: "GP"
  ; session.bug_compat_42
  ; Default Value: On
  ; Development Value: On
  ; Production Value: Off
  ; session.bug_compat_warn
  ; Default Value: On
  ; Development Value: On
  ; Production Value: Off
  ; session.gc_divisor
  ; Default Value: 100
  ; Development Value: 1000
  ; Production Value: 1000
  ; session.hash_bits_per_character
  ; Default Value: 4
  ; Development Value: 5
  ; Production Value: 5
  ; short_open_tag
  ; Default Value: On
  ; Development Value: Off
  ; Production Value: Off
  ; track_errors
  ; Default Value: Off
  ; Development Value: On
  ; Production Value: Off
  ; url_rewriter.tags
  ; Default Value: "a=href,area=href,frame=src,form=,fieldset="
  ; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry"
  ; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry"
  ; variables_order
  ; Default Value: "EGPCS"
  ; Development Value: "GPCS"
  ; Production Value: "GPCS"
  ; php.ini Options ;
  ; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"
  ;user_ini.filename = ".user.ini"
  ; To disable this feature set this option to empty value
  ;user_ini.filename =
  ; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
  ;user_ini.cache_ttl = 300
  ; Language Options ;
  ; Enable the PHP scripting language engine under Apache.
  ; http://php.net/engine
  engine = On
  ; This directive determines whether or not PHP will recognize code between
  ; <? and ?> tags as PHP source which should be processed as such. It's been
  ; recommended for several years that you not use the short tag "short cut" and
  ; instead to use the full <?php and ?> tag combination. With the wide spread use
  ; of XML and use of these tags by other languages, the server can become easily
  ; confused and end up parsing the wrong code in the wrong context. But because
  ; this short cut has been a feature for such a long time, it's currently still
  ; supported for backwards compatibility, but we recommend you don't use them.
  ; Default Value: On
  ; Development Value: Off
  ; Production Value: Off
  ; http://php.net/short-open-tag
  short_open_tag = On
  ; Allow ASP-style <% %> tags.
  ; http://php.net/asp-tags
  asp_tags = Off
  ; The number of significant digits displayed in floating point numbers.
  ; http://php.net/precision
  precision = 14
  ; Output buffering is a mechanism for controlling how much output data
  ; (excluding headers and cookies) PHP should keep internally before pushing that
  ; data to the client. If your application's output exceeds this setting, PHP
  ; will send that data in chunks of roughly the size you specify.
  ; Turning on this setting and managing its maximum buffer size can yield some
  ; interesting side-effects depending on your application and web server.
  ; You may be able to send headers and cookies after you've already sent output
  ; through print or echo. You also may see performance benefits if your server is
  ; emitting less packets due to buffered output versus PHP streaming the output
  ; as it gets it. On production servers, 4096 bytes is a good setting for performance
  ; reasons.
  ; Note: Output buffering can also be controlled via Output Buffering Control
  ; functions.
  ; Possible Values:
  ; On = Enabled and buffer is unlimited. (Use with caution)
  ; Off = Disabled
  ; Integer = Enables the buffer and sets its maximum size in bytes.
  ; Note: This directive is hardcoded to Off for the CLI SAPI
  ; Default Value: Off
  ; Development Value: 4096
  ; Production Value: 4096
  ; http://php.net/output-buffering
  output_buffering = 4096
  ; You can redirect all of the output of your scripts to a function. For
  ; example, if you set output_handler to "mb_output_handler", character
  ; encoding will be transparently converted to the specified encoding.
  ; Setting any output handler automatically turns on output buffering.
  ; Note: People who wrote portable scripts should not depend on this ini
  ; directive. Instead, explicitly set the output handler using ob_start().
  ; Using this ini directive may cause problems unless you know what script
  ; is doing.
  ; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
  ; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
  ; Note: output_handler must be empty if this is set 'On' !!!!
  ; Instead you must use zlib.output_handler.
  ; http://php.net/output-handler
  ;output_handler =
  ; Transparent output compression using the zlib library
  ; Valid values for this option are 'off', 'on', or a specific buffer size
  ; to be used for compression (default is 4KB)
  ; Note: Resulting chunk size may vary due to nature of compression. PHP
  ; outputs chunks that are few hundreds bytes each as a result of
  ; compression. If you prefer a larger chunk size for better
  ; performance, enable output_buffering in addition.
  ; Note: You need to use zlib.output_handler instead of the standard
  ; output_handler, or otherwise the output will be corrupted.
  ; http://php.net/zlib.output-compression
  zlib.output_compression = Off
  ; http://php.net/zlib.output-compression-level
  ;zlib.output_compression_level = -1
  ; You cannot specify additional output handlers if zlib.output_compression
  ; is activated here. This setting does the same as output_handler but in
  ; a different order.
  ; http://php.net/zlib.output-handler
  ;zlib.output_handler =
  ; Implicit flush tells PHP to tell the output layer to flush itself
  ; automatically after every output block. This is equivalent to calling the
  ; PHP function flush() after each and every call to print() or echo() and each
  ; and every HTML block. Turning this option on has serious performance
  ; implications and is generally recommended for debugging purposes only.
  ; http://php.net/implicit-flush
  ; Note: This directive is hardcoded to On for the CLI SAPI
  implicit_flush = Off
  ; The unserialize callback function will be called (with the undefined class'
  ; name as parameter), if the unserializer finds an undefined class
  ; which should be instantiated. A warning appears if the specified function is
  ; not defined, or if the function doesn't include/implement the missing class.
  ; So only set this entry, if you really want to implement such a
  ; callback-function.
  unserialize_callback_func =
  ; When floats & doubles are serialized store serialize_precision significant
  ; digits after the floating point. The default value ensures that when floats
  ; are decoded with unserialize, the data will remain the same.
  serialize_precision = 17
  ; open_basedir, if set, limits all file operations to the defined directory
  ; and below. This directive makes most sense if used in a per-directory
  ; or per-virtualhost web server configuration file. This directive is
  ; *NOT* affected by whether Safe Mode is turned On or Off.
  ; http://php.net/open-basedir
  open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/
  ; This directive allows you to disable certain functions for security reasons.
  ; It receives a comma-delimited list of function names. This directive is
  ; *NOT* affected by whether Safe Mode is turned On or Off.
  ; http://php.net/disable-functions
  disable_functions =
  ; This directive allows you to disable certain classes for security reasons.
  ; It receives a comma-delimited list of class names. This directive is
  ; *NOT* affected by whether Safe Mode is turned On or Off.
  ; http://php.net/disable-classes
  disable_classes =
  ; Colors for Syntax Highlighting mode. Anything that's acceptable in
  ; <span style="color: ???????"> would work.
  ; http://php.net/syntax-highlighting
  ;highlight.string = #DD0000
  ;highlight.comment = #FF9900
  ;highlight.keyword = #007700
  ;highlight.default = #0000BB
  ;highlight.html = #000000
  ; If enabled, the request will be allowed to complete even if the user aborts
  ; the request. Consider enabling it if executing long requests, which may end up
  ; being interrupted by the user or a browser timing out. PHP's default behavior
  ; is to disable this feature.
  ; http://php.net/ignore-user-abort
  ;ignore_user_abort = On
  ; Determines the size of the realpath cache to be used by PHP. This value should
  ; be increased on systems where PHP opens many files to reflect the quantity of
  ; the file operations performed.
  ; http://php.net/realpath-cache-size
  ;realpath_cache_size = 16k
  ; Duration of time, in seconds for which to cache realpath information for a given
  ; file or directory. For systems with rarely changing files, consider increasing this
  ; value.
  ; http://php.net/realpath-cache-ttl
  ;realpath_cache_ttl = 120
  ; Enables or disables the circular reference collector.
  ; http://php.net/zend.enable-gc
  zend.enable_gc = On
  ; If enabled, scripts may be written in encodings that are incompatible with
  ; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such
  ; encodings. To use this feature, mbstring extension must be enabled.
  ; Default: Off
  ;zend.multibyte = Off
  ; Allows to set the default encoding for the scripts. This value will be used
  ; unless "declare(encoding=...)" directive appears at the top of the script.
  ; Only affects if zend.multibyte is set.
  ; Default: ""
  ;zend.script_encoding =
  ; Miscellaneous ;
  ; Decides whether PHP may expose the fact that it is installed on the server
  ; (e.g. by adding its signature to the Web server header). It is no security
  ; threat in any way, but it makes it possible to determine whether you use PHP
  ; on your server or not.
  ; http://php.net/expose-php
  expose_php = On
  ; Resource Limits ;
  ; Maximum execution time of each script, in seconds
  ; http://php.net/max-execution-time
  ; Note: This directive is hardcoded to 0 for the CLI SAPI
  max_execution_time = 30
  ; Maximum amount of time each script may spend parsing request data. It's a good
  ; idea to limit this time on productions servers in order to eliminate unexpectedly
  ; long running scripts.
  ; Note: This directive is hardcoded to -1 for the CLI SAPI
  ; Default Value: -1 (Unlimited)
  ; Development Value: 60 (60 seconds)
  ; Production Value: 60 (60 seconds)
  ; http://php.net/max-input-time
  max_input_time = 60
  ; Maximum input variable nesting level
  ; http://php.net/max-input-nesting-level
  ;max_input_nesting_level = 64
  ; How many GET/POST/COOKIE input variables may be accepted
  ; max_input_vars = 1000
  ; Maximum amount of memory a script may consume (128MB)
  ; http://php.net/memory-limit
  memory_limit = 128M
  ; Error handling and logging ;
  ; This directive informs PHP of which errors, warnings and notices you would like
  ; it to take action for. The recommended way of setting values for this
  ; directive is through the use of the error level constants and bitwise
  ; operators. The error level constants are below here for convenience as well as
  ; some common settings and their meanings.
  ; By default, PHP is set to take action on all errors, notices and warnings EXCEPT
  ; those related to E_NOTICE and E_STRICT, which together cover best practices and
  ; recommended coding standards in PHP. For performance reasons, this is the
  ; recommend error reporting setting. Your production server shouldn't be wasting
  ; resources complaining about best practices and coding standards. That's what
  ; development servers and development settings are for.
  ; Note: The php.ini-development file has this setting as E_ALL. This
  ; means it pretty much reports everything which is exactly what you want during
  ; development and early testing.
  ; Error Level Constants:
  ; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0)
  ; E_ERROR - fatal run-time errors
  ; E_RECOVERABLE_ERROR - almost fatal run-time errors
  ; E_WARNING - run-time warnings (non-fatal errors)
  ; E_PARSE - compile-time parse errors
  ; E_NOTICE - run-time notices (these are warnings which often result
  ; from a bug in your code, but it's possible that it was
  ; intentional (e.g., using an uninitialized variable and
  ; relying on the fact it's automatically initialized to an
  ; empty string)
  ; E_STRICT - run-time notices, enable to have PHP suggest changes
  ; to your code which will ensure the best interoperability
  ; and forward compatibility of your code
  ; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
  ; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
  ; initial startup
  ; E_COMPILE_ERROR - fatal compile-time errors
  ; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
  ; E_USER_ERROR - user-generated error message
  ; E_USER_WARNING - user-generated warning message
  ; E_USER_NOTICE - user-generated notice message
  ; E_DEPRECATED - warn about code that will not work in future versions
  ; of PHP
  ; E_USER_DEPRECATED - user-generated deprecation warnings
  ; Common Values:
  ; E_ALL (Show all errors, warnings and notices including coding standards.)
  ; E_ALL & ~E_NOTICE (Show all errors, except for notices)
  ; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
  ; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
  ; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
  ; Development Value: E_ALL
  ; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
  ; http://php.net/error-reporting
  error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
  ; This directive controls whether or not and where PHP will output errors,
  ; notices and warnings too. Error output is very useful during development, but
  ; it could be very dangerous in production environments. Depending on the code
  ; which is triggering the error, sensitive information could potentially leak
  ; out of your application such as database usernames and passwords or worse.
  ; It's recommended that errors be logged on production servers rather than
  ; having the errors sent to STDOUT.
  ; Possible Values:
  ; Off = Do not display any errors
  ; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
  ; On or stdout = Display errors to STDOUT
  ; Default Value: On
  ; Development Value: On
  ; Production Value: Off
  ; http://php.net/display-errors
  display_errors = Off
  ; The display of errors which occur during PHP's startup sequence are handled
  ; separately from display_errors. PHP's default behavior is to suppress those
  ; errors from clients. Turning the display of startup errors on can be useful in
  ; debugging configuration problems. But, it's strongly recommended that you
  ; leave this setting off on production servers.
  ; Default Value: Off
  ; Development Value: On
  ; Production Value: Off
  ; http://php.net/display-startup-errors
  display_startup_errors = Off
  ; Besides displaying errors, PHP can also log errors to locations such as a
  ; server-specific log, STDERR, or a location specified by the error_log
  ; directive found below. While errors should not be displayed on productions
  ; servers they should still be monitored and logging is a great way to do that.
  ; Default Value: Off
  ; Development Value: On
  ; Production Value: On
  ; http://php.net/log-errors
  log_errors = On
  ; Set maximum length of log_errors. In error_log information about the source is
  ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
  ; http://php.net/log-errors-max-len
  log_errors_max_len = 1024
  ; Do not log repeated messages. Repeated errors must occur in same file on same
  ; line unless ignore_repeated_source is set true.
  ; http://php.net/ignore-repeated-errors
  ignore_repeated_errors = Off
  ; Ignore source of message when ignoring repeated messages. When this setting
  ; is On you will not log errors with repeated messages from different files or
  ; source lines.
  ; http://php.net/ignore-repeated-source
  ignore_repeated_source = Off
  ; If this parameter is set to Off, then memory leaks will not be shown (on
  ; stdout or in the log). This has only effect in a debug compile, and if
  ; error reporting includes E_WARNING in the allowed list
  ; http://php.net/report-memleaks
  report_memleaks = On
  ; This setting is on by default.
  ;report_zend_debug = 0
  ; Store the last error/warning message in $php_errormsg (boolean). Setting this value
  ; to On can assist in debugging and is appropriate for development servers. It should
  ; however be disabled on production servers.
  ; Default Value: Off
  ; Development Value: On
  ; Production Value: Off
  ; http://php.net/track-errors
  track_errors = Off
  ; Turn off normal error reporting and emit XML-RPC error XML
  ; http://php.net/xmlrpc-errors
  ;xmlrpc_errors = 0
  ; An XML-RPC faultCode
  ;xmlrpc_error_number = 0
  ; When PHP displays or logs an error, it has the capability of formatting the
  ; error message as HTML for easier reading. This directive controls whether
  ; the error message is formatted as HTML or not.
  ; Note: This directive is hardcoded to Off for the CLI SAPI
  ; Default Value: On
  ; Development Value: On
  ; Production value: On
  ; http://php.net/html-errors
  html_errors = On
  ; If html_errors is set to On *and* docref_root is not empty, then PHP
  ; produces clickable error messages that direct to a page describing the error
  ; or function causing the error in detail.
  ; You can download a copy of the PHP manual from http://php.net/docs
  ; and change docref_root to the base URL of your local copy including the
  ; leading '/'. You must also specify the file extension being used including
  ; the dot. PHP's default behavior is to leave these settings empty, in which
  ; case no links to documentation are generated.
  ; Note: Never use this feature for production boxes.
  ; http://php.net/docref-root
  ; Examples
  ;docref_root = "/phpmanual/"
  ; http://php.net/docref-ext
  ;docref_ext = .html
  ; String to output before an error message. PHP's default behavior is to leave
  ; this setting blank.
  ; http://php.net/error-prepend-string
  ; Example:
  ;error_prepend_string = "<span style='color: #ff0000'>"
  ; String to output after an error message. PHP's default behavior is to leave
  ; this setting blank.
  ; http://php.net/error-append-string
  ; Example:
  ;error_append_string = "</span>"
  ; Log errors to specified file. PHP's default behavior is to leave this value
  ; empty.
  ; http://php.net/error-log
  ; Example:
  ;error_log = php_errors.log
  ; Log errors to syslog (Event Log on NT, not valid in Windows 95).
  ;error_log = syslog
  ;windows.show_crt_warning
  ; Default value: 0
  ; Development value: 0
  ; Production value: 0
  ; Data Handling ;
  ; The separator used in PHP generated URLs to separate arguments.
  ; PHP's default setting is "&".
  ; http://php.net/arg-separator.output
  ; Example:
  ;arg_separator.output = "&amp;"
  ; List of separator(s) used by PHP to parse input URLs into variables.
  ; PHP's default setting is "&".
  ; NOTE: Every character in this directive is considered as separator!
  ; http://php.net/arg-separator.input
  ; Example:
  ;arg_separator.input = ";&"
  ; This directive determines which super global arrays are registered when PHP
  ; starts up. G,P,C,E & S are abbreviations for the following respective super
  ; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty
  ; paid for the registration of these arrays and because ENV is not as commonly
  ; used as the others, ENV is not recommended on productions servers. You
  ; can still get access to the environment variables through getenv() should you
  ; need to.
  ; Default Value: "EGPCS"
  ; Development Value: "GPCS"
  ; Production Value: "GPCS";
  ; http://php.net/variables-order
  variables_order = "GPCS"
  ; This directive determines which super global data (G,P,C,E & S) should
  ; be registered into the super global array REQUEST. If so, it also determines
  ; the order in which that data is registered. The values for this directive are
  ; specified in the same manner as the variables_order directive, EXCEPT one.
  ; Leaving this value empty will cause PHP to use the value set in the
  ; variables_order directive. It does not mean it will leave the super globals
  ; array REQUEST empty.
  ; Default Value: None
  ; Development Value: "GP"
  ; Production Value: "GP"
  ; http://php.net/request-order
  request_order = "GP"
  ; This directive determines whether PHP registers $argv & $argc each time it
  ; runs. $argv contains an array of all the arguments passed to PHP when a script
  ; is invoked. $argc contains an integer representing the number of arguments
  ; that were passed when the script was invoked. These arrays are extremely
  ; useful when running scripts from the command line. When this directive is
  ; enabled, registering these variables consumes CPU cycles and memory each time
  ; a script is executed. For performance reasons, this feature should be disabled
  ; on production servers.
  ; Note: This directive is hardcoded to On for the CLI SAPI
  ; Default Value: On
  ; Development Value: Off
  ; Production Value: Off
  ; http://php.net/register-argc-argv
  register_argc_argv = Off
  ; When enabled, the ENV, REQUEST and SERVER variables are created when they're
  ; first used (Just In Time) instead of when the script starts. If these
  ; variables are not used within a script, having this directive on will result
  ; in a performance gain. The PHP directive register_argc_argv must be disabled
  ; for this directive to have any affect.
  ; http://php.net/auto-globals-jit
  auto_globals_jit = On
  ; Whether PHP will read the POST data.
  ; This option is enabled by default.
  ; Most likely, you won't want to disable this option globally. It causes $_POST
  ; and $_FILES to always be empty; the only way you will be able to read the
  ; POST data will be through the php://input stream wrapper. This can be useful
  ; to proxy requests or to process the POST data in a memory efficient fashion.
  ; http://php.net/enable-post-data-reading
  ;enable_post_data_reading = Off
  ; Maximum size of POST data that PHP will accept.
  ; Its value may be 0 to disable the limit. It is ignored if POST data reading
  ; is disabled through enable_post_data_reading.
  ; http://php.net/post-max-size
  post_max_size = 8M
  ; Automatically add files before PHP document.
  ; http://php.net/auto-prepend-file
  auto_prepend_file =
  ; Automatically add files after PHP document.
  ; http://php.net/auto-append-file
  auto_append_file =
  ; By default, PHP will output a character encoding using
  ; the Content-type: header. To disable sending of the charset, simply
  ; set it to be empty.
  ; PHP's built-in default is text/html
  ; http://php.net/default-mimetype
  default_mimetype = "text/html"
  ; PHP's default character set is set to empty.
  ; http://php.net/default-charset
  ;default_charset = "UTF-8"
  ; Always populate the $HTTP_RAW_POST_DATA variable. PHP's default behavior is
  ; to disable this feature. If post reading is disabled through
  ; enable_post_data_reading, $HTTP_RAW_POST_DATA is *NOT* populated.
  ; http://php.net/always-populate-raw-post-data
  ;always_populate_raw_post_data = On
  ; Paths and Directories ;
  ; UNIX: "/path1:/path2"
  include_path = ".:/usr/share/pear"
  ; Windows: "\path1;\path2"
  ;include_path = ".;c:\php\includes"
  ; PHP's default setting for include_path is ".;/path/to/php/pear"
  ; http://php.net/include-path
  ; The root of the PHP pages, used only if nonempty.
  ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
  ; if you are running php as a CGI under any web server (other than IIS)
  ; see documentation for security issues. The alternate is to use the
  ; cgi.force_redirect configuration below
  ; http://php.net/doc-root
  doc_root =
  ; The directory under which PHP opens the script using /~username used only
  ; if nonempty.
  ; http://php.net/user-dir
  user_dir =
  ; Directory in which the loadable extensions (modules) reside.
  ; http://php.net/extension-dir
  extension_dir = "/usr/lib/php/modules/"
  ; On windows:
  ; extension_dir = "ext"
  ; Whether or not to enable the dl() function. The dl() function does NOT work
  ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
  ; disabled on them.
  ; http://php.net/enable-dl
  enable_dl = Off
  ; cgi.force_redirect is necessary to provide security running PHP as a CGI under
  ; most web servers. Left undefined, PHP turns this on by default. You can
  ; turn it off here AT YOUR OWN RISK
  ; **You CAN safely turn this off for IIS, in fact, you MUST.**
  ; http://php.net/cgi.force-redirect
  ;cgi.force_redirect = 1
  ; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
  ; every request. PHP's default behavior is to disable this feature.
  ;cgi.nph = 1
  ; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
  ; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
  ; will look for to know it is OK to continue execution. Setting this variable MAY
  ; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
  ; http://php.net/cgi.redirect-status-env
  ;cgi.redirect_status_env =
  ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
  ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
  ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
  ; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
  ; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
  ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
  ; http://php.net/cgi.fix-pathinfo
  ;cgi.fix_pathinfo=1
  ; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
  ; security tokens of the calling client. This allows IIS to define the
  ; security context that the request runs under. mod_fastcgi under Apache
  ; does not currently support this feature (03/17/2002)
  ; Set to 1 if running under IIS. Default is zero.
  ; http://php.net/fastcgi.impersonate
  ;fastcgi.impersonate = 1
  ; Disable logging through FastCGI connection. PHP's default behavior is to enable
  ; this feature.
  ;fastcgi.logging = 0
  ; cgi.rfc2616_headers configuration option tells PHP what type of headers to
  ; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
  ; is supported by Apache. When this option is set to 1 PHP will send
  ; RFC2616 compliant header.
  ; Default is zero.
  ; http://php.net/cgi.rfc2616-headers
  ;cgi.rfc2616_headers = 0
  ; File Uploads ;
  ; Whether to allow HTTP file uploads.
  ; http://php.net/file-uploads
  file_uploads = On
  ; Temporary directory for HTTP uploaded files (will use system default if not
  ; specified).
  ; http://php.net/upload-tmp-dir
  ;upload_tmp_dir =
  ; Maximum allowed size for uploaded files.
  ; http://php.net/upload-max-filesize
  upload_max_filesize = 2M
  ; Maximum number of files that can be uploaded via a single request
  max_file_uploads = 20
  ; Fopen wrappers ;
  ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
  ; http://php.net/allow-url-fopen
  allow_url_fopen = On
  ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
  ; http://php.net/allow-url-include
  allow_url_include = Off
  ; Define the anonymous ftp password (your email address). PHP's default setting
  ; for this is empty.
  ; http://php.net/from
  ;from="[email protected]"
  ; Define the User-Agent string. PHP's default setting for this is empty.
  ; http://php.net/user-agent
  ;user_agent="PHP"
  ; Default timeout for socket based streams (seconds)
  ; http://php.net/default-socket-timeout
  default_socket_timeout = 60
  ; If your scripts have to deal with files from Macintosh systems,
  ; or you are running on a Mac and need to deal with files from
  ; unix or win32 systems, setting this flag will cause PHP to
  ; automatically detect the EOL character in those files so that
  ; fgets() and file() will work regardless of the source of the file.
  ; http://php.net/auto-detect-line-endings
  ;auto_detect_line_endings = Off
  ; Dynamic Extensions ;
  ; If you wish to have an extension loaded automatically, use the following
  ; syntax:
  ; extension=modulename.extension
  ; For example, on Windows:
  ; extension=msql.dll
  ; ... or under UNIX:
  ; extension=msql.so
  ; ... or with a path:
  ; extension=/path/to/extension/msql.so
  ; If you only provide the name of the extension, PHP will look for it in its
  ; default extension directory.
  ;extension=bcmath.so
  ;extension=bz2.so
  ;extension=calendar.so
  extension=curl.so
  ;extension=dba.so
  ;extension=enchant.so
  ;extension=exif.so
  ;extension=ftp.so
  ;extension=gd.so
  extension=gettext.so
  ;extension=gmp.so
  ;extension=iconv.so
  ;extension=imap.so
  ;extension=intl.so
  ;extension=ldap.so
  ;extension=mcrypt.so
  ;extension=mssql.so
  ;extension=mysqli.so
  ;extension=mysql.so
  ;extension=odbc.so
  ;extension=openssl.so
  ;extension=pdo_mysql.so
  ;extension=pdo_odbc.so
  ;extension=pdo_pgsql.so
  ;extension=pdo_sqlite.so
  ;extension=pgsql.so
  ;extension=phar.so
  ;extension=posix.so
  ;extension=pspell.so
  ;extension=shmop.so
  ;extension=snmp.so
  ;extension=soap.so
  ;extension=sockets.so
  ;extension=sqlite3.so
  ;extension=sysvmsg.so
  ;extension=sysvsem.so
  ;extension=sysvshm.so
  ;extension=tidy.so
  ;extension=xmlrpc.so
  ;extension=xsl.so
  ;extension=zip.so
  ; Module Settings ;
  [CLI Server]
  ; Whether the CLI web server uses ANSI color coding in its terminal output.
  cli_server.color = On
  [Date]
  ; Defines the default timezone used by the date functions
  ; http://php.net/date.timezone
  ;date.timezone =
  ; http://php.net/date.default-latitude
  ;date.default_latitude = 31.7667
  ; http://php.net/date.default-longitude
  ;date.default_longitude = 35.2333
  ; http://php.net/date.sunrise-zenith
  ;date.sunrise_zenith = 90.583333
  ; http://php.net/date.sunset-zenith
  ;date.sunset_zenith = 90.583333
  [filter]
  ; http://php.net/filter.default
  ;filter.default = unsafe_raw
  ; http://php.net/filter.default-flags
  ;filter.default_flags =
  [iconv]
  ;iconv.input_encoding = ISO-8859-1
  ;iconv.internal_encoding = ISO-8859-1
  ;iconv.output_encoding = ISO-8859-1
  [intl]
  ;intl.default_locale =
  ; This directive allows you to produce PHP errors when some error
  ; happens within intl functions. The value is the level of the error produced.
  ; Default is 0, which does not produce any errors.
  ;intl.error_level = E_WARNING
  [sqlite]
  ; http://php.net/sqlite.assoc-case
  ;sqlite.assoc_case = 0
  [sqlite3]
  ;sqlite3.extension_dir =
  [Pcre]
  ;PCRE library backtracking limit.
  ; http://php.net/pcre.backtrack-limit
  ;pcre.backtrack_limit=100000
  ;PCRE library recursion limit.
  ;Please note that if you set this value to a high number you may consume all
  ;the available process stack and eventually crash PHP (due to reaching the
  ;stack size limit imposed by the Operating System).
  ; http://php.net/pcre.recursion-limit
  ;pcre.recursion_limit=100000
  [Pdo]
  ; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
  ; http://php.net/pdo-odbc.connection-pooling
  ;pdo_odbc.connection_pooling=strict
  ;pdo_odbc.db2_instance_name
  [Pdo_mysql]
  ; If mysqlnd is used: Number of cache slots for the internal result set cache
  ; http://php.net/pdo_mysql.cache_size
  pdo_mysql.cache_size = 2000
  ; Default socket name for local MySQL connects. If empty, uses the built-in
  ; MySQL defaults.
  ; http://php.net/pdo_mysql.default-socket
  pdo_mysql.default_socket=
  [Phar]
  ; http://php.net/phar.readonly
  ;phar.readonly = On
  ; http://php.net/phar.require-hash
  ;phar.require_hash = On
  ;phar.cache_list =
  [mail function]
  ; For Win32 only.
  ; http://php.net/smtp
  SMTP = localhost
  ; http://php.net/smtp-port
  smtp_port = 25
  ; For Win32 only.
  ; http://php.net/sendmail-from
  ;sendmail_from = [email protected]
  ; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
  ; http://php.net/sendmail-path
  ;sendmail_path =
  ; Force the addition of the specified parameters to be passed as extra parameters
  ; to the sendmail binary. These parameters will always replace the value of
  ; the 5th parameter to mail(), even in safe mode.
  ;mail.force_extra_parameters =
  ; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
  mail.add_x_header = On
  ; The path to a log file that will log all mail() calls. Log entries include
  ; the full path of the script, line number, To address and headers.
  ;mail.log =
  ; Log mail to syslog (Event Log on NT, not valid in Windows 95).
  ;mail.log = syslog
  [SQL]
  ; http://php.net/sql.safe-mode
  sql.safe_mode = Off
  [ODBC]
  ; http://php.net/odbc.default-db
  ;odbc.default_db = Not yet implemented
  ; http://php.net/odbc.default-user
  ;odbc.default_user = Not yet implemented
  ; http://php.net/odbc.default-pw
  ;odbc.default_pw = Not yet implemented
  ; Controls the ODBC cursor model.
  ; Default: SQL_CURSOR_STATIC (default).
  ;odbc.default_cursortype
  ; Allow or prevent persistent links.
  ; http://php.net/odbc.allow-persistent
  odbc.allow_persistent = On
  ; Check that a connection is still valid before reuse.
  ; http://php.net/odbc.check-persistent
  odbc.check_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  ; http://php.net/odbc.max-persistent
  odbc.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  ; http://php.net/odbc.max-links
  odbc.max_links = -1
  ; Handling of LONG fields. Returns number of bytes to variables. 0 means
  ; passthru.
  ; http://php.net/odbc.defaultlrl
  odbc.defaultlrl = 4096
  ; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
  ; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
  ; of odbc.defaultlrl and odbc.defaultbinmode
  ; http://php.net/odbc.defaultbinmode
  odbc.defaultbinmode = 1
  ;birdstep.max_links = -1
  [Interbase]
  ; Allow or prevent persistent links.
  ibase.allow_persistent = 1
  ; Maximum number of persistent links. -1 means no limit.

  rune0077 wrote:
  Try this solution:
  https://wiki.archlinux.org/index.php/Ng … gh_FastCGI
  That isn't exactly my problem. The server responds with no body (so no blank html document)
  root@server ~# curl -vH "Host: ███████" localhost/test.php
  * Hostname was NOT found in DNS cache
  * Trying ::1...
  * connect to ::1 port 80 failed: Connection refused
  * Trying 127.0.0.1...
  * Connected to localhost (127.0.0.1) port 80 (#0)
  > GET /test.php HTTP/1.1
  > User-Agent: curl/7.36.0
  > Accept: */*
  > Host: ███████████
  >
  < HTTP/1.1 200 OK
  * Server nginx/1.6.0 is not blacklisted
  < Server: nginx/1.6.0
  < Date: Tue, 20 May 2014 20:11:02 GMT
  < Content-Type: text/html
  < Transfer-Encoding: chunked
  < Connection: keep-alive
  < Vary: Accept-Encoding
  <
  * Connection #0 to host localhost left intact
  When I do set SCRIPT_FILENAME to $document_root$fastcgi_script_name, it responds with "No input file specified."
  Spider.007 wrote:If there are no errors; tell us what your access-logs tell. Enable them in fpm and tell us if the request ends up there. Also; nginx can also log the upstream ip-address; if you add that to the access-logs you'll at least know if the problem is nginx, or fpm
  The nginx log message:
  127.0.0.1 - - [20/May/2014:14:15:50 -0600] "GET /test.php HTTP/1.1" 200 5 "-" "curl/7.36.0"
  I'll try to find a way to make php-fpm more verbose and I'll edit this post with the error when I do. At the moment it's only logging startups/shutdowns.
  Last edited by phillips1012 (2014-05-20 20:23:40)

• Nginx with php-fpm, connection with php-fpm.sock failed

  I am feeling stumped, trying to setup NGINX for the first time on Arch. Followed the wiki a few times and keep getting hung up in the same spot. I followed the instructions to install NGINX in a chroot, then went on to setup php-fpm. I have not tried setting up any sites, just trying to get to the point of showing the "it works" page, before I moved to setting up a site.
  The error I am getting on the page
  Sorry, the page you are looking for is currently unavailable.
  Please try again later.
  error in log
  2013/03/07 13:04:05 [crit] 1868#0: *1 connect() to unix:/run/php-fpm/php-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: MYIP, server: SERVERIP, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-fpm.sock:", host: "SERVERIP"
  SERVERIP: is the IP of the server and shows properly in the log, same with MYIP
  Here are my configs
  /srv/http/etc/nginx.conf
  #user http;
  worker_processes 1;
  #error_log logs/error.log;
  #error_log logs/error.log notice;
  #error_log logs/error.log info;
  #pid logs/nginx.pid;
  events {
  worker_connections 1024;
  http {
  include mime.types;
  default_type application/octet-stream;
  #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  # '$status $body_bytes_sent "$http_referer" '
  # '"$http_user_agent" "$http_x_forwarded_for"';
  #access_log logs/access.log main;
  sendfile on;
  #tcp_nopush on;
  #keepalive_timeout 0;
  keepalive_timeout 65;
  #gzip on;
  server {
  listen 80;
  server_name SERVERIP;
  include fpm.conf;
  #charset koi8-r;
  #access_log logs/host.access.log main;
  location / {
  root /usr/share/nginx/html;
  index index.html index.htm;
  #error_page 404 /404.html;
  # redirect server error pages to the static page /50x.html
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
  root /usr/share/nginx/html;
  # proxy the PHP scripts to Apache listening on 127.0.0.1:80
  #location ~ \.php$ {
  # proxy_pass http://127.0.0.1;
  # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
  #location ~ \.php$ {
  # root html;
  # fastcgi_pass 127.0.0.1:9000;
  # fastcgi_index index.php;
  # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
  # include fastcgi_params;
  # deny access to .htaccess files, if Apache's document root
  # concurs with nginx's one
  #location ~ /\.ht {
  # deny all;
  # another virtual host using mix of IP-, name-, and port-based configuration
  #server {
  # listen 8000;
  # listen somename:8080;
  # server_name somename alias another.alias;
  # location / {
  # root html;
  # index index.html index.htm;
  # HTTPS server
  #server {
  # listen 443;
  # server_name localhost;
  # ssl on;
  # ssl_certificate cert.pem;
  # ssl_certificate_key cert.key;
  # ssl_session_timeout 5m;
  # ssl_protocols SSLv2 SSLv3 TLSv1;
  # ssl_ciphers HIGH:!aNULL:!MD5;
  # ssl_prefer_server_ciphers on;
  # location / {
  # root html;
  # index index.html index.htm;
  /srv/http/etc/nginx/fpm.conf  - this is the file in the wiki that says php.conf
  location ~ \.(php|html|htm)$ {
  fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
  fastcgi_index index.php;
  include fastcgi.conf;
  /etc/php/php-fpm.conf
  ; FPM Configuration ;
  ; All relative paths in this configuration file are relative to PHP's install
  ; prefix (/usr). This prefix can be dynamicaly changed by using the
  ; '-p' argument from the command line.
  ; Include one or more files. If glob(3) exists, it is used to include a bunch of
  ; files from a glob(3) pattern. This directive can be used everywhere in the
  ; file.
  ; Relative path can also be used. They will be prefixed by:
  ; - the global prefix if it's been set (-p arguement)
  ; - /usr otherwise
  ;include=/etc/php/fpm.d/*.conf
  ; Global Options ;
  [global]
  ; Pid file
  ; Note: the default prefix is /var
  ; Default Value: none
  pid = /run/php-fpm/php-fpm.pid
  ; Error log file
  ; If it's set to "syslog", log is sent to syslogd instead of being written
  ; in a local file.
  ; Note: the default prefix is /var
  ; Default Value: log/php-fpm.log
  ;error_log = log/php-fpm.log
  ; syslog_facility is used to specify what type of program is logging the
  ; message. This lets syslogd specify that messages from different facilities
  ; will be handled differently.
  ; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
  ; Default Value: daemon
  ;syslog.facility = daemon
  ; syslog_ident is prepended to every message. If you have multiple FPM
  ; instances running on the same server, you can change the default value
  ; which must suit common needs.
  ; Default Value: php-fpm
  ;syslog.ident = php-fpm
  ; Log level
  ; Possible Values: alert, error, warning, notice, debug
  ; Default Value: notice
  ;log_level = notice
  ; If this number of child processes exit with SIGSEGV or SIGBUS within the time
  ; interval set by emergency_restart_interval then FPM will restart. A value
  ; of '0' means 'Off'.
  ; Default Value: 0
  ;emergency_restart_threshold = 0
  ; Interval of time used by emergency_restart_interval to determine when
  ; a graceful restart will be initiated. This can be useful to work around
  ; accidental corruptions in an accelerator's shared memory.
  ; Available Units: s(econds), m(inutes), h(ours), or d(ays)
  ; Default Unit: seconds
  ; Default Value: 0
  ;emergency_restart_interval = 0
  ; Time limit for child processes to wait for a reaction on signals from master.
  ; Available units: s(econds), m(inutes), h(ours), or d(ays)
  ; Default Unit: seconds
  ; Default Value: 0
  ;process_control_timeout = 0
  ; The maximum number of processes FPM will fork. This has been design to control
  ; the global number of processes when using dynamic PM within a lot of pools.
  ; Use it with caution.
  ; Note: A value of 0 indicates no limit
  ; Default Value: 0
  ; process.max = 128
  ; Specify the nice(2) priority to apply to the master process (only if set)
  ; The value can vary from -19 (highest priority) to 20 (lower priority)
  ; Note: - It will only work if the FPM master process is launched as root
  ; - The pool process will inherit the master process priority
  ; unless it specified otherwise
  ; Default Value: no set
  ; process.priority = -19
  ; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
  ; Default Value: yes
  ;daemonize = yes
  ; Set open file descriptor rlimit for the master process.
  ; Default Value: system defined value
  ;rlimit_files = 1024
  ; Set max core size rlimit for the master process.
  ; Possible Values: 'unlimited' or an integer greater or equal to 0
  ; Default Value: system defined value
  ;rlimit_core = 0
  ; Specify the event mechanism FPM will use. The following is available:
  ; - select (any POSIX os)
  ; - poll (any POSIX os)
  ; - epoll (linux >= 2.5.44)
  ; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
  ; - /dev/poll (Solaris >= 7)
  ; - port (Solaris >= 10)
  ; Default Value: not set (auto detection)
  ; events.mechanism = epoll
  ; Pool Definitions ;
  ; Multiple pools of child processes may be started with different listening
  ; ports and different management options. The name of the pool will be
  ; used in logs and stats. There is no limitation on the number of pools which
  ; FPM can handle. Your system will tell you anyway :)
  ; Start a new pool named 'www'.
  ; the variable $pool can we used in any directive and will be replaced by the
  ; pool name ('www' here)
  [www]
  ; Per pool prefix
  ; It only applies on the following directives:
  ; - 'slowlog'
  ; - 'listen' (unixsocket)
  ; - 'chroot'
  ; - 'chdir'
  ; - 'php_values'
  ; - 'php_admin_values'
  ; When not set, the global prefix (or /usr) applies instead.
  ; Note: This directive can also be relative to the global prefix.
  ; Default Value: none
  ;prefix = /path/to/pools/$pool
  ; Unix user/group of processes
  ; Note: The user is mandatory. If the group is not set, the default user's group
  ; will be used.
  user = http
  group = http
  ; The address on which to accept FastCGI requests.
  ; Valid syntaxes are:
  ; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
  ; a specific port;
  ; 'port' - to listen on a TCP socket to all addresses on a
  ; specific port;
  ; '/path/to/unix/socket' - to listen on a unix socket.
  ; Note: This value is mandatory.
  ;listen = 127.0.0.1:9000
  listen = /run/php-fpm/php-fpm.sock
  ; Set listen(2) backlog.
  ; Default Value: 128 (-1 on FreeBSD and OpenBSD)
  ;listen.backlog = 128
  ; Set permissions for unix socket, if one is used. In Linux, read/write
  ; permissions must be set in order to allow connections from a web server. Many
  ; BSD-derived systems allow connections regardless of permissions.
  ; Default Values: user and group are set as the running user
  ; mode is set to 0666
  listen.owner = http
  listen.group = http
  listen.mode = 0666
  ; List of ipv4 addresses of FastCGI clients which are allowed to connect.
  ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
  ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
  ; must be separated by a comma. If this value is left blank, connections will be
  ; accepted from any ip address.
  ; Default Value: any
  ;listen.allowed_clients = 127.0.0.1
  ; Specify the nice(2) priority to apply to the pool processes (only if set)
  ; The value can vary from -19 (highest priority) to 20 (lower priority)
  ; Note: - It will only work if the FPM master process is launched as root
  ; - The pool processes will inherit the master process priority
  ; unless it specified otherwise
  ; Default Value: no set
  ; priority = -19
  ; Choose how the process manager will control the number of child processes.
  ; Possible Values:
  ; static - a fixed number (pm.max_children) of child processes;
  ; dynamic - the number of child processes are set dynamically based on the
  ; following directives. With this process management, there will be
  ; always at least 1 children.
  ; pm.max_children - the maximum number of children that can
  ; be alive at the same time.
  ; pm.start_servers - the number of children created on startup.
  ; pm.min_spare_servers - the minimum number of children in 'idle'
  ; state (waiting to process). If the number
  ; of 'idle' processes is less than this
  ; number then some children will be created.
  ; pm.max_spare_servers - the maximum number of children in 'idle'
  ; state (waiting to process). If the number
  ; of 'idle' processes is greater than this
  ; number then some children will be killed.
  ; ondemand - no children are created at startup. Children will be forked when
  ; new requests will connect. The following parameter are used:
  ; pm.max_children - the maximum number of children that
  ; can be alive at the same time.
  ; pm.process_idle_timeout - The number of seconds after which
  ; an idle process will be killed.
  ; Note: This value is mandatory.
  pm = dynamic
  ; The number of child processes to be created when pm is set to 'static' and the
  ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
  ; This value sets the limit on the number of simultaneous requests that will be
  ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
  ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
  ; CGI. The below defaults are based on a server without much resources. Don't
  ; forget to tweak pm.* to fit your needs.
  ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
  ; Note: This value is mandatory.
  pm.max_children = 5
  ; The number of child processes created on startup.
  ; Note: Used only when pm is set to 'dynamic'
  ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
  pm.start_servers = 2
  ; The desired minimum number of idle server processes.
  ; Note: Used only when pm is set to 'dynamic'
  ; Note: Mandatory when pm is set to 'dynamic'
  pm.min_spare_servers = 1
  ; The desired maximum number of idle server processes.
  ; Note: Used only when pm is set to 'dynamic'
  ; Note: Mandatory when pm is set to 'dynamic'
  pm.max_spare_servers = 3
  ; The number of seconds after which an idle process will be killed.
  ; Note: Used only when pm is set to 'ondemand'
  ; Default Value: 10s
  ;pm.process_idle_timeout = 10s;
  ; The number of requests each child process should execute before respawning.
  ; This can be useful to work around memory leaks in 3rd party libraries. For
  ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
  ; Default Value: 0
  ;pm.max_requests = 500
  ; The URI to view the FPM status page. If this value is not set, no URI will be
  ; recognized as a status page. It shows the following informations:
  ; pool - the name of the pool;
  ; process manager - static, dynamic or ondemand;
  ; start time - the date and time FPM has started;
  ; start since - number of seconds since FPM has started;
  ; accepted conn - the number of request accepted by the pool;
  ; listen queue - the number of request in the queue of pending
  ; connections (see backlog in listen(2));
  ; max listen queue - the maximum number of requests in the queue
  ; of pending connections since FPM has started;
  ; listen queue len - the size of the socket queue of pending connections;
  ; idle processes - the number of idle processes;
  ; active processes - the number of active processes;
  ; total processes - the number of idle + active processes;
  ; max active processes - the maximum number of active processes since FPM
  ; has started;
  ; max children reached - number of times, the process limit has been reached,
  ; when pm tries to start more children (works only for
  ; pm 'dynamic' and 'ondemand');
  ; Value are updated in real time.
  ; Example output:
  ; pool: www
  ; process manager: static
  ; start time: 01/Jul/2011:17:53:49 +0200
  ; start since: 62636
  ; accepted conn: 190460
  ; listen queue: 0
  ; max listen queue: 1
  ; listen queue len: 42
  ; idle processes: 4
  ; active processes: 11
  ; total processes: 15
  ; max active processes: 12
  ; max children reached: 0
  ; By default the status page output is formatted as text/plain. Passing either
  ; 'html', 'xml' or 'json' in the query string will return the corresponding
  ; output syntax. Example:
  ; http://www.foo.bar/status
  ; http://www.foo.bar/status?json
  ; http://www.foo.bar/status?html
  ; http://www.foo.bar/status?xml
  ; By default the status page only outputs short status. Passing 'full' in the
  ; query string will also return status for each pool process.
  ; Example:
  ; http://www.foo.bar/status?full
  ; http://www.foo.bar/status?json&full
  ; http://www.foo.bar/status?html&full
  ; http://www.foo.bar/status?xml&full
  ; The Full status returns for each process:
  ; pid - the PID of the process;
  ; state - the state of the process (Idle, Running, ...);
  ; start time - the date and time the process has started;
  ; start since - the number of seconds since the process has started;
  ; requests - the number of requests the process has served;
  ; request duration - the duration in µs of the requests;
  ; request method - the request method (GET, POST, ...);
  ; request URI - the request URI with the query string;
  ; content length - the content length of the request (only with POST);
  ; user - the user (PHP_AUTH_USER) (or '-' if not set);
  ; script - the main script called (or '-' if not set);
  ; last request cpu - the %cpu the last request consumed
  ; it's always 0 if the process is not in Idle state
  ; because CPU calculation is done when the request
  ; processing has terminated;
  ; last request memory - the max amount of memory the last request consumed
  ; it's always 0 if the process is not in Idle state
  ; because memory calculation is done when the request
  ; processing has terminated;
  ; If the process is in Idle state, then informations are related to the
  ; last request the process has served. Otherwise informations are related to
  ; the current request being served.
  ; Example output:
  ; pid: 31330
  ; state: Running
  ; start time: 01/Jul/2011:17:53:49 +0200
  ; start since: 63087
  ; requests: 12808
  ; request duration: 1250261
  ; request method: GET
  ; request URI: /test_mem.php?N=10000
  ; content length: 0
  ; user: -
  ; script: /home/fat/web/docs/php/test_mem.php
  ; last request cpu: 0.00
  ; last request memory: 0
  ; Note: There is a real-time FPM status monitoring sample web page available
  ; It's available in: ${prefix}/share/fpm/status.html
  ; Note: The value must start with a leading slash (/). The value can be
  ; anything, but it may not be a good idea to use the .php extension or it
  ; may conflict with a real PHP file.
  ; Default Value: not set
  ;pm.status_path = /status
  ; The ping URI to call the monitoring page of FPM. If this value is not set, no
  ; URI will be recognized as a ping page. This could be used to test from outside
  ; that FPM is alive and responding, or to
  ; - create a graph of FPM availability (rrd or such);
  ; - remove a server from a group if it is not responding (load balancing);
  ; - trigger alerts for the operating team (24/7).
  ; Note: The value must start with a leading slash (/). The value can be
  ; anything, but it may not be a good idea to use the .php extension or it
  ; may conflict with a real PHP file.
  ; Default Value: not set
  ;ping.path = /ping
  ; This directive may be used to customize the response of a ping request. The
  ; response is formatted as text/plain with a 200 response code.
  ; Default Value: pong
  ;ping.response = pong
  ; The access log file
  ; Default: not set
  ;access.log = log/$pool.access.log
  ; The access log format.
  ; The following syntax is allowed
  ; %%: the '%' character
  ; %C: %CPU used by the request
  ; it can accept the following format:
  ; - %{user}C for user CPU only
  ; - %{system}C for system CPU only
  ; - %{total}C for user + system CPU (default)
  ; %d: time taken to serve the request
  ; it can accept the following format:
  ; - %{seconds}d (default)
  ; - %{miliseconds}d
  ; - %{mili}d
  ; - %{microseconds}d
  ; - %{micro}d
  ; %e: an environment variable (same as $_ENV or $_SERVER)
  ; it must be associated with embraces to specify the name of the env
  ; variable. Some exemples:
  ; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
  ; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
  ; %f: script filename
  ; %l: content-length of the request (for POST request only)
  ; %m: request method
  ; %M: peak of memory allocated by PHP
  ; it can accept the following format:
  ; - %{bytes}M (default)
  ; - %{kilobytes}M
  ; - %{kilo}M
  ; - %{megabytes}M
  ; - %{mega}M
  ; %n: pool name
  ; %o: ouput header
  ; it must be associated with embraces to specify the name of the header:
  ; - %{Content-Type}o
  ; - %{X-Powered-By}o
  ; - %{Transfert-Encoding}o
  ; %p: PID of the child that serviced the request
  ; %P: PID of the parent of the child that serviced the request
  ; %q: the query string
  ; %Q: the '?' character if query string exists
  ; %r: the request URI (without the query string, see %q and %Q)
  ; %R: remote IP address
  ; %s: status (response code)
  ; %t: server time the request was received
  ; it can accept a strftime(3) format:
  ; %d/%b/%Y:%H:%M:%S %z (default)
  ; %T: time the log has been written (the request has finished)
  ; it can accept a strftime(3) format:
  ; %d/%b/%Y:%H:%M:%S %z (default)
  ; %u: remote user
  ; Default: "%R - %u %t \"%m %r\" %s"
  ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
  ; The log file for slow requests
  ; Default Value: not set
  ; Note: slowlog is mandatory if request_slowlog_timeout is set
  ;slowlog = log/$pool.log.slow
  ; The timeout for serving a single request after which a PHP backtrace will be
  ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
  ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
  ; Default Value: 0
  ;request_slowlog_timeout = 0
  ; The timeout for serving a single request after which the worker process will
  ; be killed. This option should be used when the 'max_execution_time' ini option
  ; does not stop script execution for some reason. A value of '0' means 'off'.
  ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
  ; Default Value: 0
  ;request_terminate_timeout = 0
  ; Set open file descriptor rlimit.
  ; Default Value: system defined value
  ;rlimit_files = 1024
  ; Set max core size rlimit.
  ; Possible Values: 'unlimited' or an integer greater or equal to 0
  ; Default Value: system defined value
  ;rlimit_core = 0
  ; Chroot to this directory at the start. This value must be defined as an
  ; absolute path. When this value is not set, chroot is not used.
  ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
  ; of its subdirectories. If the pool prefix is not set, the global prefix
  ; will be used instead.
  ; Note: chrooting is a great security feature and should be used whenever
  ; possible. However, all PHP paths will be relative to the chroot
  ; (error_log, sessions.save_path, ...).
  ; Default Value: not set
  ;chroot =
  ; Chdir to this directory at the start.
  ; Note: relative path can be used.
  ; Default Value: current directory or / when chroot
  ;chdir = /srv/http
  ; Redirect worker stdout and stderr into main error log. If not set, stdout and
  ; stderr will be redirected to /dev/null according to FastCGI specs.
  ; Note: on highloaded environement, this can cause some delay in the page
  ; process time (several ms).
  ; Default Value: no
  ;catch_workers_output = yes
  ; Limits the extensions of the main script FPM will allow to parse. This can
  ; prevent configuration mistakes on the web server side. You should only limit
  ; FPM to .php extensions to prevent malicious users to use other extensions to
  ; exectute php code.
  ; Note: set an empty value to allow all extensions.
  ; Default Value: .php
  ;security.limit_extensions = .php .php3 .php4 .php5
  security.limit_extensions = .php .html
  ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
  ; the current environment.
  ; Default Value: clean env
  ;env[HOSTNAME] = $HOSTNAME
  ;env[PATH] = /usr/local/bin:/usr/bin:/bin
  ;env[TMP] = /tmp
  ;env[TMPDIR] = /tmp
  ;env[TEMP] = /tmp
  ; Additional php.ini defines, specific to this pool of workers. These settings
  ; overwrite the values previously defined in the php.ini. The directives are the
  ; same as the PHP SAPI:
  ; php_value/php_flag - you can set classic ini defines which can
  ; be overwritten from PHP call 'ini_set'.
  ; php_admin_value/php_admin_flag - these directives won't be overwritten by
  ; PHP call 'ini_set'
  ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
  ; Defining 'extension' will load the corresponding shared extension from
  ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
  ; overwrite previously defined php.ini values, but will append the new value
  ; instead.
  ; Note: path INI options can be relative and will be expanded with the prefix
  ; (pool, global or /usr)
  ; Default Value: nothing is defined by default except the values in php.ini and
  ; specified at startup with the -d argument
  ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f [email protected]
  ;php_flag[display_errors] = off
  ;php_admin_value[error_log] = /var/log/fpm-php.www.log
  ;php_admin_flag[log_errors] = on
  ;php_admin_value[memory_limit] = 32M
  In php-fpm.conf I have modified the permissions to be 0666 and I am still hitting the no such file or directory. But it is created.
  ls -la /run/php-fpm/
  total 4
  drwxr-xr-x 2 root root 80 Mar 7 13:05 .
  drwxr-xr-x 17 root root 520 Mar 7 10:59 ..
  -rw-r--r-- 1 root root 4 Mar 7 13:05 php-fpm.pid
  srw-rw-rw- 1 http http 0 Mar 7 13:05 php-fpm.sock
  Not getting what I am missing here, can someone help shed some light or smack me in the correct direction. Thanks.
  edit:
  Also verified that it is for sure running in the chroot
  ps -C nginx | awk '{print $1}' | sed 1d | while read -r PID; do ls -l /proc/$PID/root; done
  lrwxrwxrwx 1 root root 0 Mar 7 14:06 /proc/313/root -> /srv/http
  lrwxrwxrwx 1 http http 0 Mar 7 14:06 /proc/314/root -> /srv/http
  edit2:
  I just rebooted the box and was going over everything again to see if I missed anything or anything was not matching the wiki and the only extra info I could dig out of my box was new error in the logs relating to the nginx.pid
  2013/03/07 18:10:41 [notice] 411#0: signal process started
  2013/03/07 18:10:41 [alert] 387#0: unlink() "/run/nginx.pid" failed (13: Permission denied)
  ls -la /srv/http/run/
  total 12
  drwxr-xr-x 2 root root 4096 Mar 7 14:02 .
  d--x--x--x 9 root root 4096 Mar 7 11:07 ..
  -rw-r--r-- 1 http http 4 Mar 7 18:12 nginx.pid
  It appears to have the proper permissions and it is not in /run/
  ls -la /run/nginx.pid
  ls: cannot access /run/nginx.pid: No such file or directory
  Going to try setting it up again on another box to see if I catch what I did wrong on this one, but will be leaving this one as is to make sure I figure out what happened. Is it that my chroot is bad? That is really the only thing I can think of that is really any different than other NGINX installs I have done, which have always been on a Debian based system.
  Last edited by vwyodajl (2013-03-07 18:24:55)

  Might sound stupid, but do you have php-fpm running?
  Means, is there a php-fpm process on your box, and does the socket exist like in:
  └» ps -ef|grep php-fpm
  root 3045 1 0 Mär04 ? 00:00:09 php-fpm: master process (/etc/php/php-fpm.conf)
  http 13534 3045 0 18:22 ? 00:00:10 php-fpm: pool www
  http 13545 3045 0 18:22 ? 00:00:08 php-fpm: pool www
  http 22807 3045 0 19:46 ? 00:00:01 php-fpm: pool www
  tom 27863 28055 0 20:16 pts/1 00:00:00 grep --colour=auto php-fpm
  └» ls -l /run/php-fpm/php-fpm.sock
  srw-rw---- 1 http http 0 4. Mär 22:24 /run/php-fpm/php-fpm.sock
  EDIT: somehow missed your output regarding the php-fpm socket. Ignore above then, I have no idea about chroot, I use LXC.
  Last edited by teekay (2013-03-07 19:24:04)

• Computer Security - Level: Paranoid

  I'm working on a new install of Arch (with an eye on the possibility of moving to Gentoo) and made the decision to attempt the creation of a paranoid system on par with 1984's predictions for the future.
  So far, I have a few questions:
  1. What kernel mods are necessary? I imagine basic hardening and fine-grained access control are a given, but what exactly does that entail?
  2. I already use encryption (I've upgraded to serpent-xts-plain64 with the whirlpool hash), but what about having a hidden OS? That is, ensuring "plausible deniability?" I've heard many debates on the relative merits or lack thereof of this feature, and I've decided that I'd like to have it -- if it's possible to implement it effectively and in a way that actually works.
  3. for maintenance and performance reasons (as well as for protection against certain types of attacks) I've split /usr into a separate partition. Yes, I know this isn't standard practice, and that many don't recommend it for one reason or another. That aside, I'd like to know which filesystem would be best for /usr (this is on an SSD, mind) and what mount options should be enabled to ensure security.
  4. I already use TOR and privoxy, along with iptables to ensure that no traffic goes over the network except through TOR. Are there any other network security/anonymity practices I should implement software-wise? My browsers don't use flash or javascript, nor do they accept cookies (except for a few rare exceptions). Which reminds me, Privoxy doesn't seem to filter JS or flash, or cookies for that matter, despite the fact that I have it set to do just that... anyone know why this is?

  ParanoidAndroid wrote:1. What kernel mods are necessary? I imagine basic hardening and fine-grained access control are a given, but what exactly does that entail?
  Weeks of work. Here's a starting place: https://wiki.archlinux.org/index.php/Security
  Unfortunately, fine-grained access control for desktop applications is pretty much impossible because many of them will require access to either dbus, the X server, etc. (and you can't easily filter this access).
  ParanoidAndroid wrote:2. I already use encryption (I've upgraded to serpent-xts-plain64 with the whirlpool hash), but what about having a hidden OS? That is, ensuring "plausible deniability?" I've heard many debates on the relative merits or lack thereof of this feature, and I've decided that I'd like to have it -- if it's possible to implement it effectively and in a way that actually works.
  Unfortunately, you can't do that with cryptsetup because the (cryptsetup) author thinks the whole "plausible deniability" thing is pointless. Anyways, unless you make sure to use your non-hidden operating system frequently, it'll be kind of obvious that you're using a hidden operating system.
  ParanoidAndroid wrote:3. for maintenance and performance reasons (as well as for protection against certain types of attacks) I've split /usr into a separate partition. Yes, I know this isn't standard practice, and that many don't recommend it for one reason or another. That aside, I'd like to know which filesystem would be best for /usr (this is on an SSD, mind) and what mount options should be enabled to ensure security.
  I'm pretty sure you CAN'T do that in arch. Anyways, this is unlikely to give you any extra security.
  ParanoidAndroid wrote:4. I already use TOR and privoxy, along with iptables to ensure that no traffic goes over the network except through TOR. Are there any other network security/anonymity practices I should implement software-wise? My browsers don't use flash or javascript, nor do they accept cookies (except for a few rare exceptions). Which reminds me, Privoxy doesn't seem to filter JS or flash, or cookies for that matter, despite the fact that I have it set to do just that... anyone know why this is?
  At this point, you might want to consider using TAILS and storing everything on an encrypted USB drive.
  If you're REALLY paranoid and are willing to spend a ***TON*** of time (note, this is a rough sketch of a possible system, you'll have to fill in the details/iron out the kinks):
  1. Install a bare-bones arch system with virtualization support (as a hypervisor). DON'T enable any external facing services.
  2. Install tor/privoxy, etc... on this bare-bones system and configure this system to communicate over TOR.
  3. Install qemu.
  4. Create a VM for every "task" you expect to do. Each VM will need two separate virtual hard drives: One read-only (the base drive), one read-write (the state drive). After setting up your VM on the base virtual hard drive, you'll need to copy over any files that will need to change during normal operations (/var/log/, some /var/lib stuff, /etc/, /home, etc...) over to the rstate drive (put them anywhere you want). You'll then need to add some bootstrapping scripts to the read-only drive that correctly bind mount these mutable directories over the correct directories on the read-only drive on boot.
  5. For each task, create a couple of shell scripts:
      1. One will boot your task VM into administrative mode (making the normally read-only drive read-write). In this mode, you can update etc. Preferably, this mode wouldn't mount the state-storage drive but not doing so could cause some problems (pacman install scripts won't be able to migrate system program state from one format to another).
      2. The other will boot your task VM into normal mode. This shell script will need give the VM read-only access to the main virtual disk and read-write access to the state storage one.
  If you want to save some space, you might be able to share a single read-only main virtual disk between multiple "task" VMs.
  When you actually run these VMs, you should run each under separate users under separate X instances.
  Also, you should probably lock the hypervisor's hard drive into a read-only state on boot (after performing any upgrades/maintenance, you can do this with grsecurity). If you do this, you might even be able to use the hypervisor's hard drive as the base drive for the VMs. In this case, you wouldn't even have an administrative VM: instead, to update/install programs, you would restart and boot into a maintenance mode, install/update, and then transition into a runtime mode.
  The primary benefits to using a system like this are:
  1. The base system does very little and can therefore be more easily secured.
  2. Each "task" is run in a separate container.
  3. When in maintenance mode, the system is in a known-secure state.
  4. When operating normally, user applications (one's running in the task VMs) will have a very hard time modifying the known-secure "base" drive because the only point of failure is qemu (which is much smaller and has much simpler security checks than the linux kernel).
  Anyways, if you try to implement a system like this, let me know how it goes. Unfortunately, I don't really have time to help you do so.
  Have fun!

• JSON, Javascript, PHP and JQUERY

  Hi,
  In my earlier post, I decided to go with PHP and leave
  ASP.NET 3.5 for the time being. I now need your help in charting a
  way to learn PHP.
  I am a Web Designer and I have started using JQuery
  extensively in the websites, as I love JQuery and it makes the life
  so much easier. What I want to know from you all that :
  Q1) What is JSON and do I need to learn it if I am getting
  into PHP?
  Q2) Since, I am using JQuery, do I need to learn Javascript
  from bottom to top? Does it help to master Javascript thoroughly?
  Q3) What should be my learning path? Should I start with PHP
  or Javascript first?
  There are so many things to learn and very less time. Also,
  if you all can tell me some books (apart from David's :-)) ) which
  will help me in learning.
  Thanks to all.
  Gaurav

  gaurav_ch wrote:
  > Q1) What is JSON and do I need to learn it if I am
  getting into PHP?
  JSON is JavaScript Object Notation. It's a shorthand way of
  transmitting
  data. You don't need to know it for PHP, although PHP does
  have support
  for JSON>
  > Q2) Since, I am using JQuery, do I need to learn
  Javascript from bottom to
  > top? Does it help to master Javascript thoroughly?
  No, you don't need to learn JavaScript from bottom to top to
  use jQuery.
  However, a good understanding of JavaScript will improve your
  ability to
  use jQuery or any other JavaScript framework.
  > Q3) What should be my learning path? Should I start with
  PHP or Javascript
  > first?
  I would start with PHP first. PHP is a server-side language,
  so your
  content is delivered to all users. JavaScript is normally
  used on the
  client-side (within the browser), so the small percentage of
  people who
  browse with JavaScript disabled don't see content or effects
  delivered
  by JavaScript. It's also important to realize that search
  engines don't
  spider content that is generated by JavaScript.
  > Also, if you all can
  > tell me some books (apart from David's :-)) ) which will
  help me in learning.
  I find "Programming PHP" by Kevin Tatroe and Rasmus Lerdorf
  very useful.
  "Pro PHP Security" by Chris Snyder and Michael Southwell is
  also
  essential reading.
  For jQuery, "jQuery in Action" by Bear Bibeault and Yehuda
  Katz is
  excellent.
  David Powers, Adobe Community Expert
  Author, "The Essential Guide to Dreamweaver CS3" (friends of
  ED)
  Author, "PHP Solutions" (friends of ED)
  http://foundationphp.com/

• Good SSL & PHP Tutorial/Book

  Anybody know of a good, in-depth, but still easy to understand resource for start-to-finish ssl with php?
  Thanks!

  I don't use SSL, but "Pro PHP Security" by Chris Snyder and Michael Southwell devotes an entire chapter to the subject. Overall, it's an excellent book. It was published five years ago, but AFAIK is still up to date.

• Looking for book about building secured webpages

  Hi, I'm looking for a good book about building secured webpages, the use of SSL etc.
  Can't find much about this subject. Anyone?!
  Greetings BG

  It depends on what you wish to do and which language you wish to use (php, asp, .net, jave, etc), also which server you will be using.
  If you are new to the subject a good starting point would be a book on your preferred langages security, (e.g. PHP security, .net security), a simple search at any of the on-line book stores will deliver a long list (the newer ones are normally better as they cover the newer versions of the language).
  As for building an e-commerce system (or similar), the above books and a good book in programming generally is also helpful, (ensure it covers processing on-line payments).
  If you wish to build a 'ssl vpn', then I have found, "SSL VPN: Understanding, Evaluating and Planning Secure, Web-Based Remote Access" by  Joseph Steinberg a good start.
  HTH
  PZ

• PHP Shoutbox : stop users posting php code

  hi guys/girls
  can anyone give me an easy way to stop users on my site
  posting php code into a shoutbox.
  i have a shoutbox made up of a normal html form that posts
  their shouts to a mysql database using php.
  at the moment the only validation i have in place is the
  built in form validation dreamweaver8 has which stops
  users posting a blank post. however a user can post php code
  if they know how, which could cause problems.
  thanks
  ted.

  tedrodgers wrote:
  > i dont see how the highlight file function helps me in
  this case? please explain alittle more.
  That suggestion came from "Pro PHP Security". However,
  looking at the
  PHP manual, it should be highlight_string(), not
  highlight_file().
  http://www.php.net/manual/en/function.highlight-string.php
  How would it help? highlight_string() converts PHP code to
  HTML for
  display purposes. Once converted to HTML, it cannot be
  executed or do
  any harm to your website.
  > and what other validation do you suggest?
  Without knowing the details of your application, it's hard to
  say; but
  just checking that the text area isn't blank is no protection
  at all.
  Attackers could post spam or hot link to pornographic images.
  Two simple
  measures would be to pass the content to strip_tags() and/or
  htmlentities().
  http://www.php.net/manual/en/function.strip-tags.php
  http://www.php.net/manual/en/function.htmlentities.php
  David Powers
  Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
  Author, "Foundation PHP 5 for Flash" (friends of ED)
  http://foundationphp.com/

• My dream  ...

  I am looking for a service where my Flash/PHP video upload
  script can pass a video to a third party web service to get
  converted and then passed back to my php script to store the result
  on my server?
  My target is to convert all videos to FLV.
  I would rather use a service like the one described above
  than look for a web host provider that supplies FFMPEG to
  accomplish the conversion myself.
  Is there such a service available for pay by video converted
  via this PHP scheme? Most of my uploads will be less than 5 seconds
  in length so the pricing needs to accommodate small conversion
  jobs.
  In my mind they should provide the base Flash/PHP script that
  I can modify which includes their PHP exit to pass the file to
  their conversion service and back.
  The script should also include...
  - Flash script prompt for Userid and PW to pass to PHP
  security check to limit who can upload
  - Flash script passes variable to PHP designating where to
  write the file on the server
  - Flash script passes text to be embossed as water mark on
  the converted video.
  Thanks!
  Bob
  PS. If you don't know of such a service do you know where I
  can find a script that does this using a local instance of
  FFMPEG??

  Oh Nokia.. please come up with some thing like above with a touch screen as well
  I know there are a lot of phone's blackberries with Candy bar format and such features.. but i am particularly looking for Nokia Quality...
  24 Nokias purchased in 13 Years (since 1998)
  1 x X6, 1 x N97, 3 x E52, 2 x 5800XM, 1 x N82, 1 x 6300, 1 x 6670, 2 x 7250i, 1 x 2100, 1 x 3560, 2 x 6610, 1 x 7210, 1 x 8310, 1 x 3330, 3 x 3310, 1 x 8210, 1 x 5110

• Bullet Proof Arch System

  Hi Arch community.
  I have a VPS running Arch (its only for personal use, portfolio hosting, some storage) which i first set up exactly a month ago.
  Just like someone said on the IRC (sorry random helper, i don't remember your name, no credits today ) arch is perfectly good to go for a 24/7 system if properly set, and after some research (like discovering that xyne's almost been in jail and Allan breaks stuff on a daily basis) i concluded Arch is a good choice for the job. (Since i can handle very occasional bugs, and have time to maintain once a week)
  This whole month my Arch setup ran mainly OpenSSH, Apache, VSFTP, OpenVPN and (unsuccessfully) Postfix with near to no additional configuration, and it was completely trouble-free.
  I had even asked for help to a script kiddie to verify if he could "blow that guy's server" and he told it was impossible (lol'd hard knowing i didn't even had a firewall installed)
  And so i decided to go to the long run with it, so I'll start by building the system from the bottom with security on mind. But i think its better to ask to the more experienced than to search the web for "randobuntu" guides, and so i want to ask to the community:
  - How would you setup Arch for a computer that you physically don't possess (and don't know who does or what they do with it) that you could be comfortable to put your "super-secret-and-personal-files" on it?
  - I also would like to make a list of good security practices on a server setup (I mean, others than: "Don't use root")
  Right now i got these(With the help of https://wiki.archlinux.org/index.php/security):
  I'm thinking in 3/4 partitions:
  - /boot formatted with EXT2 [It's impossible to crypt the bootloader, am i wrong?; Should/Can i merge it to the '/'?]
  - / probably formatted with EXT4 [Should i crypt the whole thing? Will it generate too much overhead?  It's EXT4 the best for the whole setup?]
  - /var with encrypted EXT2 [Any better choice?]
  - /home being handled by Truecrypt with EXT4 format [Should i use it? Is AES-TWOFISH+Whirlpool a good pick? Truecrypt should be stronger than the kernel encryption, am i wrong?]
  - /boot, /var, /tmp and /home with nodev, nosuid and noexec. [i didn't quite understood what nosuid does]
  All of the encrypted partitions with the exception of home using Ecryptfs [Good choice? Should i stack with some other algorithm? Where should the mount parameters (password or keyfile mainly) be to be safe?]
  [How can / be encrypted without the password being in clear text on /boot?]
  Which bootloader should be used to ensure safety, and how will it be ensured on a remote system?
  On the wiki there is:
  ArchWiki wrote:It is highly important to protect your bootloader. There is a magic kernel parameter called init=/bin/sh. This makes any user/login restrictions totally useless.
  What does this?
  The used kernel should be the linux-lts or linux-selinux (https://aur.archlinux.org/packages/linux-selinux/)?
  I think that SELinux is a bonus, but the AUR package is... an AUR package (i would like to avoid them when possible) and it is not even an LTS kernel.
  For the firewall I'm thinking in using UFW since it's much simpler than configuring directly iptables and does the same job.
  Everything blocked except the ports 20,21,25,80,143,443,465,587,993,{unknown SSH and VPS ports}/tcp and 53/udp for incoming. What about outgoing?
  Also
  chmod 700 /boot /etc/{iptables,arptables}
  Every possible network service having its own fingerprint as removed as possible [Eg. Just "Apache" instead of "Apache x.x.x mod_something Unknown GNU/Linux x86_64... etc"]
  SSH with root login disabled, and rejecting connections from anywhere else than server's own ip.(A VPN should be used to use SSH)
  Also set a login timeout with bash "TMOUT" and disable login to accounts after 3 failed login attempts.
  Use sudo to administer, only allowing one or certain users to execute the programs that may harm the system, if possible users with uncommon names instead of "admin".
  Login with certificates instead of a password.
  VSFTP and Postfix with virtual users and system users disabled. [Good idea?]
  I think OpenVPN is always safe since it enforces CA's to auth. Right?
  What MAC should be used? SELinux? [I understand almost nothing about them]
  After all there measures, would you guys trust this system for your files?
  What can the ISP/Goverment do that ignores all of those measures? Directly reading RAM looking for filesystem passoword? Replace the kernel with one containing a rootkit?
  Any other ways to break this?
  PS: Xyne's and Allan's thing was an obvious joke
  Last edited by ClaudioP (2013-12-26 07:23:02)

  Leonid.I wrote:Typical encryption schemes when /boot is stored on the same HDD as the encrypted root are flawed. Indeed, if the kernel and initramfs are not encrypted, I can replace them and leak your encryption key. Therefore, for the system encryption to be effective (i.e. not only protect your data if the system is stolen, but also protect the system from unauthorised physical access), you must separate kernel and bootloader from the system, and store them in a safe place.
  Then encryption just becomes useless after all, unless the files are encrypted on a different computer.
  How could /boot be on a different computer? Can I boot with the /boot partition on a network? Like if it was PXE/NFS?
  Leonid.I wrote:
  ClaudioP wrote:All of the encrypted partitions with the exception of home using Ecryptfs [Good choice? Should i stack with some other algorithm? Where should the mount parameters (password or keyfile mainly) be to be safe?]
  No. If the underlying partition is encrypted, what's the point of ecryptfs?
  I saw somewhere on the wiki that there are setups with two layers of encryption. I don't know its effectiveness.
  Leonid.I wrote:[...] a properly encrypted installation, doesn't even have a bootloader.
  Forgive the noob question, but how can a system be booted without bootloader? Can MBR be linked directly to the kernel? Whats the difference?
  Leonid.I wrote:If you can't learn iptables, don't try to secure the system.
  I've read somewhere that in the close future iptables will be replaced(don't know when nor whats the replacement). I don't want to spend loads of time on something temporary.
  And whats the difference between using iptables and UFW and Iptables? Doesn't UFW uses iptables? Sorry if im the kind on newbie who just knows the basics (65k ports, in and out)
  Leonid.I wrote:Nmap can do a deep portscan of all 2^16 ports in less than 3min, so messing with default ports will only give you a headache when administering the system.
  My bad. I was thinking of doing it in the services only accessible by the VPN, but then there would be no point on doing it
  Leonid.I wrote:Before making everything 600 root:root, ask yourself what would an attacker learn from your iptables.rules and ssd_config? That you block certain ports and have ssh login grace time 30sec? A good security doesn't rely on secrecy of the configuration.
  I was basing myself on what i found on the wiki. What you said makes sense.
  By the way, whats best to do with rejected connections? Deny them or reject them?
  Leonid.I wrote:Any attacker with more than 2 neurons will try to exploit all known vulnerabilities in the last 10 versions of Apache. If you know that your service is vulnerable, patch it, don't try to hide.
  But there aren't many more in use counting with backports and between every distro? (Not to mention that Arch is a very uncommon distro for a server)
  Leonid.I wrote:
  ClaudioP wrote:SSH with root login disabled, and rejecting connections from anywhere else than server's own ip.(A VPN should be used to use SSH)
  Also set a login timeout with bash "TMOUT" and disable login to accounts after 3 failed login attempts.
  Right, no root over SSH -- this is common wisdom. May I ask why is SSH root login bad? Because some blogger said so? Create a 4096 bit ssh key with a passphrase and use it exclusively for system administration.
  Also, why 3 attemtps and not 1? Are you trying to hide an unfolding attack from yourself? If I am running am internet-facing server, I want to be able to profile an attack. For example, if you see login attempts with login/passwd pairs root/root or ubuntu/ubuntu -- this is a kid -- pay attention but not too much. If the passwords are more complicated, you might have a problem...
  But then if for some reason the key is intercepted there would be a free access to the privileged account, not for some unprivileged account that would have to use su to become root.
  Oh i see, the 3 attempts were meant for a multi-user system with common passwords, not for someone using cryptographic keys.
  Why would the complicated password mean something bad? Couldn't be an idiot try of brute-force?(IDK, some dumb program that doesn't starts with 0 or A)
  What else could the "complicated passwords" mean? Give an example please.
  Leonid.I wrote:Just because using sudo for priviledge escalation is a folk knowledge doesn't make it right. But if you are going to use it, read this first:
  http://www.openwall.com/lists/owl-users/2004/10/20/6 .
  I partially understood it. Not fully since English is not my mother language, but mostly.
  Leonid.I wrote:
  ClaudioP wrote:After all there measures, would you guys trust this system for your files?
  No.
  Moral after all: Never(some emphasis on NEVER) trust a remote system to encrypt your files in safety
  Leonid.I wrote:
  ClaudioP wrote:Any [...] ways to break this?
  [...]The question which you should ask is whether the hassle of breaking your security is worth stealing your SSN and $20K in your bank account.
  Then nobody receiving less than 1k$ a month or doing anti-government propaganda would be affected by the NSA and the other well known parties.
  I'm not too much into the topic, but AFAIK(which is not certain to be right) there are much more people affected.
  /dev/zero wrote:No security system is perfect. You need to consider the costs of your time, effort and money and weigh them against the risks of various kinds of attacks.
  Right now (since it's impossible to prevent against against physical attacks) I'll forget about local encryption, it just becomes useless. I'll just encrypt personal files before upload.
  By the way, is there any encryption utility that works file by file and not with a container? I don't want to upload the entire container every time i change something.
  ewaller wrote:Well, one can slow them down a bit: http://en.wikipedia.org/wiki/Hardware_security_module
  Sorry but the hardware is not mine and i am not rich
  If i was i would not be concerning about security

• Dreamweaver Form Won't Submit- Says Error page cannot be displayed

  My dreamweaver form won't submit because it says there is an error. Am I doing something wrong? I don't know much about forms and how they submit but I heard that in order for their to be a confirmation page I have to create a php page? Here's my code. Thanks!
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <title>Rental and Availability Information</title>
  <style type="text/css">
  <!--
  @import url("CSS Styles/ThankYou.css");
  .style18 {font-size: 16px; font-weight: bold; }
  .style21 {color: #FFFFFF}
  .style42 {
  font-size: 16px;
  color: #000000;
  font-family: Garamond;
  a:link {
  color: #000000;
  .style43 {
  font-family: Garamond;
  color: #FFFFFF;
  font-weight: bold;
  .style44 {
  font-family: Georgia, "Times New Roman", Times, serif;
  font-size: large;
  -->
  </style>
  <link href="CSS Styles/ActivBorder.css" rel="stylesheet" type="text/css" />
  <link href="CSS Styles/border.css" rel="stylesheet" type="text/css" />
  <style type="text/css">
  <!--
  .style50 {
  font-family: "Goudy Old Style";
  font-weight: bold;
  font-size: 24px;
  color: #FFFFFF;
  .style57 {font-family: Verdana, Arial, Helvetica, sans-serif}
  .style58 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 14px; }
  -->
  </style>
  </head>
  <body>
  <form id="form2" name="form2" method="post" action="inquiryreceipt.html">
    <table width="556" border="0" align="center" cellspacing="0" bgcolor="#003366" class="ImageBorder">
      <tr>
        <td colspan="3" valign="top"><div align="center" class="style50"><u>Rental and Availability Information</u></div></td>
      </tr>
      <tr>
        <td width="189"><div align="right" class="style18 style57"><span class="style21">Name:</span></div></td>
        <td colspan="2"><input name="name" type="text" id="name" size="50" maxlength="100" /></td>
      </tr>
      <tr>
        <td><div align="right" class="style18 style57"><span class="style21">Property of Interest: </span></div></td>
        <td colspan="2"><label>
          <select name="property" size="1" id="property">
            <option>Butte Creek</option>
            <option>Casa De Ladrillo</option>
            <option>Collins Island</option>
            <option>The Crosby Estate</option>
            <option>Kailua Beach</option>
            <option>Keefer Ranch</option>
            <option>Koko Head</option>
            <option>Rancho Mirage</option>
            <option>San Diego Luxury High Rise</option>
            <option>Santiago Canyon</option>
            <option>South Lake Tahoe</option>
          </select>
        </label></td>
      </tr>
      <tr>
        <td><div align="right" class="style18 style57"><span class="style21">Dates:</span></div></td>
        <td width="83" align="right" bgcolor="#003366"><div align="right" class="style58">
          <div align="right"><span class="style21">Arrival:</span></div>
        </div></td>
        <td width="270" align="left" bgcolor="#003366" class="FormBorder"><strong>
          <select name="smonth" id="smonth">
            <option>Month</option>
            <option value="January">January</option>
            <option value="February">February</option>
            <option value="March">March</option>
            <option value="April">April</option>
            <option value="May">May</option>
            <option value="June">June</option>
            <option value="July">July</option>
            <option value="August">August</option>
            <option value="Semptember">September</option>
            <option value="Octover">October</option>
            <option value="November">November</option>
            <option value="December">December</option>
          </select>
          <select name="select" id="select">
            <option>Day</option>
            <option value="1">1</option>
            <option value="2">2</option>
            <option value="3">3</option>
            <option value="4">4</option>
            <option value="5">5</option>
            <option value="6">6</option>
            <option value="7">7</option>
            <option value="8">8</option>
            <option value="9">9</option>
            <option value="10">10</option>
            <option value="11">11</option>
            <option value="12">12</option>
            <option value="13">13</option>
            <option value="14">14</option>
            <option value="15">15</option>
            <option value="16">16</option>
            <option value="17">17</option>
            <option value="18">18</option>
            <option value="19">19</option>
            <option value="20">20</option>
            <option value="21">21</option>
            <option value="22">22</option>
            <option value="23">23</option>
            <option value="24">24</option>
            <option value="25">25</option>
            <option value="26">26</option>
            <option value="27">27</option>
            <option value="28">28</option>
            <option value="29">29</option>
            <option value="30">30</option>
            <option value="31">31</option>
          </select>
          <strong><strong>
          <select name="select2" id="select2">
            <option>Year</option>
            <option value="2002">2002</option>
            <option value="2003">2003</option>
            <option value="2004">2004</option>
            <option value="2005">2005</option>
            <option value="2006">2006</option>
            <option value="2007">2007</option>
            <option value="2003">2008</option>
          </select>
          </strong></strong>      </strong>       
        <div align="left"></div>      <div align="left"></div></td>
      </tr>
      <tr>
        <td><span class="style57"></span></td>
        <td bgcolor="#003366"><div align="right" class="style58">
          <div align="right"><span class="style21">Departure:</span></div>
        </div></td>
        <td align="left" valign="middle" bgcolor="#003366" class="FormBorder"><strong>
          <select name="smonth" id="smonth">
            <option>Month</option>
            <option value="January">January</option>
            <option value="February">February</option>
            <option value="March">March</option>
            <option value="April">April</option>
            <option value="May">May</option>
            <option value="June">June</option>
            <option value="July">July</option>
            <option value="August">August</option>
            <option value="Semptember">September</option>
            <option value="Octover">October</option>
            <option value="November">November</option>
            <option value="December">December</option>
          </select>
          <select name="sday" id="sday">
            <option>Day</option>
            <option value="1">1</option>
            <option value="2">2</option>
            <option value="3">3</option>
            <option value="4">4</option>
            <option value="5">5</option>
            <option value="6">6</option>
            <option value="7">7</option>
            <option value="8">8</option>
            <option value="9">9</option>
            <option value="10">10</option>
            <option value="11">11</option>
            <option value="12">12</option>
            <option value="13">13</option>
            <option value="14">14</option>
            <option value="15">15</option>
            <option value="16">16</option>
            <option value="17">17</option>
            <option value="18">18</option>
            <option value="19">19</option>
            <option value="20">20</option>
            <option value="21">21</option>
            <option value="22">22</option>
            <option value="23">23</option>
            <option value="24">24</option>
            <option value="25">25</option>
            <option value="26">26</option>
            <option value="27">27</option>
            <option value="28">28</option>
            <option value="29">29</option>
            <option value="30">30</option>
            <option value="31">31</option>
          </select>
          <strong> <strong><strong>
          <select name="syear" id="syear">
            <option>Year</option>
            <option value="2002">2002</option>
            <option value="2003">2003</option>
            <option value="2004">2004</option>
            <option value="2005">2005</option>
            <option value="2006">2006</option>
            <option value="2007">2007</option>
            <option value="2003">2008</option>
          </select>
          </strong></strong></strong>      </strong></td>
      </tr>
      <tr>
        <td><div align="right" class="style18 style57"><span class="style21">Email:</span></div></td>
        <td colspan="2"><input name="email" type="text" id="email" size="50" maxlength="50" /></td>
      </tr>
      <tr>
        <td><div align="right" class="style18 style57"><span class="style21">Phone: </span></div></td>
        <td colspan="2"><input name="phone" type="text" id="phone" size="30" maxlength="30" /></td>
      </tr>
      <tr>
        <td height="204" valign="top" bgcolor="#003366"><div align="right" class="style18 style57"><span class="style21">Additional Info: </span></div></td>
        <td colspan="2" bgcolor="#003366"><label>
          <textarea name="info" cols="40" rows="10" id="info"></textarea>
        </label></td>
      </tr>
      <tr bgcolor="#660000" class="FormBorder">
        <td height="33" valign="middle" bgcolor="#003366"><label for="Submit"></label>
            <label for="label3"></label></td>
        <td colspan="2" align="center" valign="middle" bgcolor="#003366"><div align="left">
            <input type="reset" name="Reset" value="Clear" id="Submit" />
            <input type="submit" name="Submit" value="Submit" id="label3" />
        </div></td>
      </tr>
      <tr bgcolor="#660000" class="FormBorder">
        <td height="33" valign="middle" bgcolor="#003366"><div align="left" class="style43"><span class="style29 style44"><strong>&laquo;</strong></span> <a href="Index.html" class="style60"><span class="style61 style21"><u>HOME</u></span></a></div></td>
        <td colspan="2" align="center" valign="middle" bgcolor="#003366"> </td>
      </tr>
    </table>
    <div align="center"><span class="style42">&copy;<strong><a href="Index.html">TheBestSpots.com</a>   Phone: (800) 761-9819 Fax: (949) 851-0450 <a href="mailto:[email protected]"><br />
    [email protected]</a></strong></span>  </div>
  </form>
  </body>
  </html>

  I believe my it guys have php on their server. When I look on the internet
  to try and use the form to test it, I get the error:
  The website cannot display the page
  HTTP 500
  Most likely causes:
  The website is under maintenance.
  The website has a programming error.
  What you can try:
  Refresh the page.
  Go back to the previous page.
  Here's one php code I have linked to one of my documents:
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <title>Untitled Document</title>
  <style type="text/css">
  <!--
  .ThankYou {
  background-attachment: fixed;
  background-repeat: no-repeat;
  background-position: center center;
  border: thick dotted #660033;
  font-family: "Times New Roman", Times, serif;
  font-size: 24px;
  font-weight: bold;
  color: #660033;
  font-style: italic;
  background-color: #FFFFFF;
  .style3 {
  font-size: 18px;
  font-style: italic;
  font-weight: bold;
  font-family: Georgia, "Times New Roman", Times, serif;
  color: #000066;
  .style4 {font-size: 30px}
  a:link {
  color: #000066;
  a:visited {
  color: #000000;
  a:hover {
  color: #000000;
  a:active {
  color: #000000;
  -->
  </style>
  </head>
  <body>
  <div align="center">
    <table width="780" height="150" border="1" class="ThankYou">
      <tr>
        <td valign="middle"><div align="center">
          <p class="style4">Thank You For Submitting Your Comments!</p>
          <p>-The Best Spots<br />
            Luxury Vacation Rentals</p>
        </div></td>
      </tr>
    </table>
    <p align="left"><img src="BOPIcon copy.gif" alt="BirdOfParadise" width="36" height="36" /><span class="style3"><a href="Index.html">TheBestSpots.com </a></span></p>
  </div>
  <p>
    <?php
  $txtToAddr = '[email protected]' ;
     $txtSubj = 'Guest Comment From '. $_POST['fname'] . ' ' .  $_POST['lname'] . ' email '. $_POST['email'] . ' Property' . $_POST['property'] ;
  $txtFromAddr = $_POST['email'];
  $txtBody = $startdate = $_POST['smonth']  .  $_POST['sday'] . $_POST['syear'] . ' ' . $enddate = $_POST['emonth'] . $_POST['eday'] . $_POST['eyear'] . ' ' . $_POST['comments'] ;
     $headers = 'From: '. $txtFromAddr . "\r\n" .
      'Reply-To: ' . $txtFromAddr . "\r\n" .
      'X-Mailer: PHP/' . phpversion();
      // echo " Thank you for you request. You will be contacted within 1 business day."; 
      mail( "$txtToAddr", "$txtSubj", "$txtBody", "$headers");
  ?>
  </p>
  <p> </p>
  <p>  </p>
  </body>
  </html>
  And here's the other php code I have linked to the other:
  <?php
  $FM_VERS = "8.05";      // script version
  /* ex:set ts=4 sw=4 et:
  * FormMail PHP script from Tectite.com.  This script requires PHP 4 or later.
  * Copyright (c) 2001-2008 Root Software and Open Concepts Pty Ltd
  * (ABN 93 003 733 499), Melbourne, Australia.
  * This script is free for all use as described in the "Copying and Use" and
  * "Warranty and Disclaimer" sections below.
  * Visit us at http://www.tectite.com/ for updates and more information.
  *** If you use Tectite FormMail, please support its development and other
  *** freeware products by putting the following link on your website:
  ***  Visit www.tectite.com for free <a href="http://www.tectite.com/">form processing script</a>.
  * Author: Russell Robinson, 2nd October 2001
  * Last Modified: RR 14:07 Wed 15 August 2007
  * QVCS Version: $Revision: 1.4 $
  * Read This First
  * ~~~~~~~~~~~~~~~
  *  This script is very well documented and quite large!  It looks daunting,
  *  but really isn't.
  *  If you have experience with PHP or other scripting languages,
  *  here's what you *need* to read:
  *      - Configuration (TARGET_EMAIL & DEF_ALERT)
  *      - Creating Forms
  *  That's it!  (Alternatively, just read the Quick Start and/or
  *  Quicker Start section below).
  *  Full configuration documentation is here:
  *      http://www.tectite.com/fmdoc/index.php
  * Purpose:
  * ~~~~~~~~
  *  To accept information from an HTML form via HTTP and mail it to recipients.
  * What does this PHP script do?
  * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  *  On your web site, you may have one or more HTML forms that accept
  *  information from people visiting your website.  Your aim is for your
  *  website to email that information to you and/or add it to a database.
  *  FormMail performs those functions.
  * Quick Start
  * ~~~~~~~~~~~
  *  1. Edit this file and set TARGET_EMAIL for your requirements (near
  *      line 235 in this file - replace "yourhost\.com" with your mail server's
  *      name).  We also strongly recommend you set DEF_ALERT (the next
  *      configuration below TARGET_EMAIL).
  *  2. Install this file as formmail.php (or other name ending in .php)
  *     on your web server.
  *  3. Create an HTML form and:
  *      - specify a hidden field called "recipients" with the email address
  *        of the person to receive the form's results.
  *      - in the your form tag set the action attribute to
  *        the formmail.php you uploaded to your web server
  *  Once you have FormMail working, you may be interested in some advanced
  *  usage and features.  We have HOW-TO guides at www.tectite.com which
  *  describe many of the advanced processing you can do with FormMail.
  *      http://www.tectite.com/fmhowto/guides.php
  * Quicker Start
  * ~~~~~~~~~~~~~
  *  Use the FormMail Configuration Wizard here:
  *      http://www.tectite.com/wizards/fmconf.php
  *  By answering a few questions you'll get a configured FormMail and
  *  a sample HTML form ready to upload and use on your server.
  * Features
  * ~~~~~~~~
  *  For a list of features go to: http://www.tectite.com/formmailpage.php
  * Security
  * ~~~~~~~~
  *  Security is the primary concern in accepting data from your website
  *  visitors.
  *  Tectite FormMail has several security features designed into it.  Note,
  *  however, it requires configuration for your particular web site.
  * Configuration
  * ~~~~~~~~~~~~~
  *  To configure this script, go to the section titled "CONFIGURATION"
  *  (after reading the legal stuff below).
  *  There is only one mandatory setting: TARGET_EMAIL
  *  and one strongly recommended setting: DEF_ALERT
  *  Full configuration information is available here:
  *      http://www.tectite.com/fmdoc/index.php
  * Creating Forms
  * ~~~~~~~~~~~~~~
  *  Go to this URL to learn how to write HTML forms for use with
  *  Tectite FormMail: http://www.tectite.com/fmdoc/creating_forms.php
  * Copying and Use
  * ~~~~~~~~~~~~~~~
  *  Tectite FormMail is provided free of charge and may be freely distributed
  *  and used provided that you:
  *      1. keep this header, including copyright and comments,
  *         in place and unmodified; and,
  *      2. do not charge a fee for distributing it, without an agreement
  *         in writing with Root Software allowing you to do so; and,
  *      3. if you modify FormMail before distributing it, you clearly
  *         identify:
  *              a) who you are
  *              b) how to contact you
  *              c) what changes you have made
  *              d) why you have made those changes.
  * Warranty and Disclaimer
  * ~~~~~~~~~~~~~~~~~~~~~~~
  *  Tectite FormMail is provided free-of-charge and with ABSOLUTELY NO WARRANTY.
  *  It has not been verified for use in critical applications, including,
  *  but not limited to, medicine, defense, aircraft, space exploration,
  *  or any other potentially dangerous activity.
  *  By using Tectite FormMail you agree to indemnify Root Software and
  *  Open Concepts Pty Ltd, their agents, employees, directors and
  *  associated companies and businesses from any liability whatsoever.
  * We still care
  * ~~~~~~~~~~~~~
  *  If you find a bug or fault in FormMail, please report it to us.
  *  We will respond to your report and make endeavours to rectify any
  *  faults you've detected as soon as possible.
  *  To contact us please register on our forums at:
  *      http://www.tectite.com/vbforums/
  *  or view our contact information:
  *      http://www.tectite.com/contacts.php
  * Version History
  * ~~~~~~~~~~~~~~~
  *  Near the top of this file, you'll find its version. The version
  *  line looks like this:
  *       $FM_VERS = "N.MM";     /* script version ...
  *  The version history used to be located within this file.  However,
  *  starting with Version 8.00 we've moved it...
  *  You can read the complete version history of FormMail on our
  *  main website here:
  *   http://www.tectite.com/fmdoc/version_history.php
      // Capture the current date and time, for various purposes.
  $lNow = time();
  set_magic_quotes_runtime(0);        // disable this silly setting (usually not enabled)
  ini_set('track_errors',1);          // enable $php_errormsg
  $aAlertInfo = array();
  $aPHPVERSION = array();
  $sLangID = "";                      // the language ID
  $aMessages = array();               // all FormMail messages in the appropriate
                                      // language
  $bUseOldVars = IsOldVersion($aPHPVERSION);
      // seed the random number generate if not version 4.2.0 or later
  if (!IsPHPAtLeast("4.2.0"))
      mt_srand(time());
      // we set references to the appropriate arrays to handle PHP version differences
      // Session vars are selected after we start the session.
  if ($bUseOldVars)
      $aServerVars = &$HTTP_SERVER_VARS;
      $aGetVars = &$HTTP_GET_VARS;
      $aFormVars = &$HTTP_POST_VARS;
      $aFileVars = &$HTTP_POST_FILES;
      $aEnvVars = &$HTTP_ENV_VARS;
  else
      $aServerVars = &$_SERVER;
      $aGetVars = &$_GET;
      $aFormVars = &$_POST;
      $aFileVars = &$_FILES;
      $aEnvVars = &$_ENV;
  $bIsGetMethod = false;
      // If the form submission was using the GET method, switch to the
      // GET vars instead of the POST vars
  if (isset($aServerVars["REQUEST_METHOD"]) && $aServerVars["REQUEST_METHOD"] === "GET")
      $bIsGetMethod = true;
      if ($bUseOldVars)
          $aFormVars = &$HTTP_GET_VARS;
      else
          $aFormVars = &$_GET;
  if (!isset($REAL_DOCUMENT_ROOT))
      SetRealDocumentRoot();
  if (isset($aServerVars['SERVER_PORT']))
      $SCHEME = ($aServerVars['SERVER_PORT'] == 80) ? "http://" : "https://";
  else
      $SCHEME = "";
  if (isset($aServerVars['SERVER_NAME']))
      $SERVER = $aServerVars['SERVER_NAME'];
  else
      $SERVER = "";
  /* CONFIGURATION (do not alter this line in any way!!!)                      */
  * This is the *only* place where you need to modify things to use formmail.php
  * on your particular system.  This section finishes at "END OF CONFIGURATION".
  * Help for all settings can be found on our website:
  *  http://www.tectite.com/fmdoc/index.php
  * Also, above each setting is a direct URL to the help information for the
  * setting.
              /* Help: http://www.tectite.com/fmdoc/email_name.php */
  define("EMAIL_NAME","^[-a-z0-9.]+");    // the '^' is an important security feature!
              /* Help: http://www.tectite.com/fmdoc/target_email.php */
  $TARGET_EMAIL = array(EMAIL_NAME."@thebestspots\.com$");
              /* Help: http://www.tectite.com/fmdoc/def_alert.php */
  define("DEF_ALERT","[email protected]");
              /* Help: http://www.tectite.com/fmdoc/set_real_document_root.php */
  $SET_REAL_DOCUMENT_ROOT = "";       // overrides the value set by SetRealDocumentRoot function
      // override $REAL_DOCUMENT_ROOT from the $SET_REAL_DOCUMENT_ROOT value (if any)
      // Do not alter the following code (next 3 lines)!
  if (isset($SET_REAL_DOCUMENT_ROOT) && $SET_REAL_DOCUMENT_ROOT !== "")
      $REAL_DOCUMENT_ROOT = $SET_REAL_DOCUMENT_ROOT;
              /* Help: http://www.tectite.com/fmdoc/config_check.php */
  $CONFIG_CHECK = array("TARGET_EMAIL");
              /* Help: http://www.tectite.com/fmdoc/at_mangle.php */
  define("AT_MANGLE","5VLNXQL");
              /* Help: http://www.tectite.com/fmdoc/target_urls.php */
  $TARGET_URLS = array();         // default; no URLs allowed
              /* Help: http://www.tectite.com/fmdoc/head_crlf.php */
  define("HEAD_CRLF","\r\n");
              /* Help: http://www.tectite.com/fmdoc/body_lf.php */
  define("BODY_LF","\r\n");       // the new default: use this for CR+LF
  //define("BODY_LF","\n");       // the old default: just LF
              /* Help: http://www.tectite.com/fmdoc/from_user.php */
  $FROM_USER = "";                            // the default - setting not used
              /* Help: http://www.tectite.com/fmdoc/sendmail_f_option.php */
  define("SENDMAIL_F_OPTION",false);
  define("SENDMAIL_F_OPTION_LINE",__LINE__-1);    // don't modify this line!
              /* Help: http://www.tectite.com/fmdoc/fixed_sender.php */
  $FIXED_SENDER = "";
              /* Help: http://www.tectite.com/fmdoc/set_sender_from_email.php */
  define("SET_SENDER_FROM_EMAIL",false);
              /* Help: http://www.tectite.com/fmdoc/ini_set_from.php */
  define("INI_SET_FROM",false);
              /* Help: http://www.tectite.com/fmdoc/logdir.php */
  $LOGDIR = "";                           // directory for log files; empty string to
                                          // disallow log files
              /* Help: http://www.tectite.com/fmdoc/autorespondlog.php */
  $AUTORESPONDLOG = "";           // file name in $LOGDIR for the auto responder
                                  // log; empty string for no auto responder log
              /* Help: http://www.tectite.com/fmdoc/csv_file_settings.php */
  $CSVDIR = "";                       // directory for csv files; empty string to
                                      // disallow csv files
  $CSVSEP = ",";      // comma separator between fields (columns)
  $CSVINTSEP = ";";   // semicolon is the separator for fields (columns)
                      // with multiple values (checkboxes, etc.)
  $CSVQUOTE = '"';    // all fields in the CSV are quoted with this character;
                      // default is double quote.  You can change it to
                      // single quote or leave it empty for no quotes.
  //$CSVQUOTE = "'";  // use this if you want single quotes
  $CSVOPEN = "";      // set to "b" to force line terminations to be
                      // kept as $CSVLINE setting below, regardless of
                      // operating system.  Keep as empty string and
                      // leave $CSVLINE unchanged, to get text file
                      // terminations for your server's operating system.
                      // (Line feed on UNIX, carriage-return line feed on Windows).
  $CSVLINE = "\n";    // line termination for CSV files.  The default is
                      // a single line feed, which may be modified for your
                      // server's operating system.  If you want to change
                      // this value, you *must* set $CSVOPEN = "b".
              /* Help: http://www.tectite.com/fmdoc/templatedir.php */
  $TEMPLATEDIR = "";                  // directory for template files; empty string
                                      // if you don't have any templates
              /* Help: http://www.tectite.com/fmdoc/templateurl.php */
  $TEMPLATEURL = "";                  // default; no template URL
              /* Help: http://www.tectite.com/fmdoc/multiformdir.php */
  $MULTIFORMDIR = "";         // directory for multi-form template files; empty string
                              // if you're not using multi-forms
              /* Help: http://www.tectite.com/fmdoc/multiformurl.php */
  $MULTIFORMURL = "";                 // default; no multi-forms templates URL
              /* Help: http://www.tectite.com/fmdoc/authentication_settings.php */
  $AUTHENTICATE = "";
  //$AUTHENTICATE = "Basic cnVzc2VsbHI6dGVzdA==";        // example
  $AUTH_USER = "";
  $AUTH_PW = "";
              /* Help: http://www.tectite.com/fmdoc/form_ini_file.php */
  $FORM_INI_FILE = "";
              /* Help: http://www.tectite.com/fmdoc/moduledir.php */
  $MODULEDIR = ".";
              /* Help: http://www.tectite.com/fmdoc/fmcompute.php */
  $FMCOMPUTE = "fmcompute.php";
              /* Help: http://www.tectite.com/fmdoc/fmgeoip.php */
  $FMGEOIP = "fmgeoip.php";
              /* Help: http://www.tectite.com/fmdoc/advanced_templates.php */
  define("ADVANCED_TEMPLATES",false);     // set to true for advanced templates
              /* Help: http://www.tectite.com/fmdoc/limited_import.php */
  define("LIMITED_IMPORT",true);      // set to true if your database cannot
                                      // handle escaped quotes or newlines within
                                      // imported data.  Microsoft Access is one
                                      // example.
              /* Help: http://www.tectite.com/fmdoc/valid_env.php */
  $VALID_ENV = array('HTTP_REFERER','REMOTE_HOST','REMOTE_ADDR','REMOTE_USER',
                  'HTTP_USER_AGENT');
              /* Help: http://www.tectite.com/fmdoc/fileuploads.php */
  define("FILEUPLOADS",false);        // set to true to allow file attachments
              /* Help: http://www.tectite.com/fmdoc/max_file_upload_size.php */
  define("MAX_FILE_UPLOAD_SIZE",0);       // default of 0 means that other software
                                          // controls the maximum file upload size
                                          // (FormMail doesn't test the file size)
              /* Help: http://www.tectite.com/fmdoc/file_repository.php */
  $FILE_REPOSITORY = "";
              /* Help: http://www.tectite.com/fmdoc/file_mode.php */
  define("FILE_MODE",0664);     // always precede with 0 to specify octal!
              /* Help: http://www.tectite.com/fmdoc/file_overwrite.php */
  define("FILE_OVERWRITE",true);
              /* Help: http://www.tectite.com/fmdoc/next_num_file.php */
  $NEXT_NUM_FILE = "";
              /* Help: http://www.tectite.com/fmdoc/put_data_in_url.php */
  define("PUT_DATA_IN_URL",true); // set to true to place data in the URL
                                      // for bad_url redirects
              /* Help: http://www.tectite.com/fmdoc/db_see_input.php */
  define("DB_SEE_INPUT",false);       // set to true to just see the input values
              /* Help: http://www.tectite.com/fmdoc/db_see_ini.php */
  define("DB_SEE_INI",false);     // set to true to just see the ini file
              /* Help: http://www.tectite.com/fmdoc/maxstring.php */
  define("MAXSTRING",1024);           // maximum string length for a value
              /* Help: http://www.tectite.com/fmdoc/bshowmesgnumbers.php */
  $bShowMesgNumbers = false;
              /* Help: http://www.tectite.com/fmdoc/filters.php */
              /* Note for Tectite personnel: the upgrade Wizard will merge new values
               * but be careful of $var usage and quoting in new entries.
  $FILTERS = array("encode"=>"$REAL_DOCUMENT_ROOT/cgi-bin/fmencoder -kpubkey.txt",
                  "null"=>"null",
                  "csv"=>"csv");
              /* Help: http://www.tectite.com/fmdoc/socket_filters.php */
  $SOCKET_FILTERS = array(
                   "httpencode"=>array("site"=>"YourSiteHere",
                      "port"=>80,
                      "path"=>"/cgi-bin/fmencoder",
                      "params"=>array(array("name"=>"key",
                              "file"=>"$REAL_DOCUMENT_ROOT/cgi-bin/pubkey.txt"))),
                   "sslencode"=>array("site"=>"ssl://YourSecureSiteHere",
                      "port"=>443,
                      "path"=>"/cgi-bin/fmencoder",
                      "params"=>array(array("name"=>"key",
                              "file"=>"$REAL_DOCUMENT_ROOT/cgi-bin/pubkey.txt"))),
              /* Help: http://www.tectite.com/fmdoc/filter_attribs.php */
  $FILTER_ATTRIBS = array("encode"=>"Strips,MIME=application/vnd.fmencoded,Encrypts",
                          "httpencode"=>"Strips,MIME=application/vnd.fmencoded,Encrypts",
                          "sslencode"=>"Strips,MIME=application/vnd.fmencoded,Encrypts",
                          "csv"=>"Strips,MIME=text/csv",);
              /* Help: http://www.tectite.com/fmdoc/check_for_new_version.php */
  define("CHECK_FOR_NEW_VERSION",true);
  define("CHECK_DAYS",30);
              /* Help: http://www.tectite.com/fmdoc/scratch_pad.php */
  $SCRATCH_PAD = "";
              /* Help: http://www.tectite.com/fmdoc/cleanup_time.php */
  $CLEANUP_TIME = 60;     // cleanup time in minutes
              /* Help: http://www.tectite.com/fmdoc/cleanup_chance.php */
  $CLEANUP_CHANCE = 20;     // percentage probability that cleanup will be performed
              /* Help: http://www.tectite.com/fmdoc/pear_settings.php */
  $PEAR_SMTP_HOST = "";
  $PEAR_SMTP_PORT = 25;
  $PEAR_SMTP_USER = "";
  $PEAR_SMTP_PWD = "";
              /* Help: http://www.tectite.com/fmdoc/alert_on_user_error.php */
  define("ALERT_ON_USER_ERROR",true);
              /* Help: http://www.tectite.com/fmdoc/enable_attack_detection.php */
  define("ENABLE_ATTACK_DETECTION",true);
              /* Help: http://www.tectite.com/fmdoc/attack_detection_url.php */
  define("ATTACK_DETECTION_URL","");
              /* Help: http://www.tectite.com/fmdoc/alert_on_attack_detection.php */
  define("ALERT_ON_ATTACK_DETECTION",false);
              /* Help: http://www.tectite.com/fmdoc/attack_detection_mime.php */
  define("ATTACK_DETECTION_MIME",true);
              /* Help: http://www.tectite.com/fmdoc/attack_detection_dups.php */
  $ATTACK_DETECTION_DUPS = array("realname","address1","address2","country","zip",
                                  "phone","postcode","state","email");
              /* Help: http://www.tectite.com/fmdoc/attack_detection_specials.php */
  define("ATTACK_DETECTION_SPECIALS",true);
              /* Help: http://www.tectite.com/fmdoc/attack_detection_specials.php */
  $ATTACK_DETECTION_SPECIALS_ONLY_EMAIL = array("derive_fields","required",
                      "mail_options","good_url","bad_url","good_template",
                      "bad_template");
              /* Help: http://www.tectite.com/fmdoc/attack_detection_specials.php */
  $ATTACK_DETECTION_SPECIALS_ANY_EMAIL = array("subject");
              /* Help: http://www.tectite.com/fmdoc/attack_detection_many_urls.php */
  define("ATTACK_DETECTION_MANY_URLS",0);
              /* Help: http://www.tectite.com/fmdoc/attack_detection_many_url_fields.php */
  define("ATTACK_DETECTION_MANY_URL_FIELDS",0);
              /* Help: http://www.tectite.com/fmdoc/attack_detection_url_patterns.php */
  $ATTACK_DETECTION_URL_PATTERNS = array(
              '(^|[^-a-z_.0-9]+)(?<!@)([-a-z0-9]+\.)+(com|org|net|biz|info|name|pro|tel|asia|cat)\b',
              '(^|[^-a-z_.0-9]+)(?<!@)([-a-z0-9]+\.)+(com{0,1}|org|net)\.[a-z][a-z]\b');
              /* Help: http://www.tectite.com/fmdoc/attack_detection_ignore_errors.php */
  define("ATTACK_DETECTION_IGNORE_ERRORS",false);
              /* Help: http://www.tectite.com/fmdoc/geoip_lic.php */
  $GEOIP_LIC = "";        // default - no GeoIP
              /* Help: http://www.tectite.com/fmdoc/zero_is_empty.php */
  define("ZERO_IS_EMPTY",false);
              /* Help: http://www.tectite.com/fmdoc/session_name.php */
  $SESSION_NAME = "";
              /* Help: http://www.tectite.com/fmdoc/hook_dir.php */
  $HOOK_DIR = "";
  /* UPGRADE CONTROL
  ** FILTERS:lt:8.04:merge:The FILTERS configuration has
  ** been modified to include some new standard filters.:
  ** FILTER_ATTRIBS:lt:8.04:no_keep:The FILTER_ATTRIBS configuration has
  ** been modified to include new information about the standard filters.:
  ** ATTACK_DETECTION_URL_PATTERNS:eq:8.02:no_keep:The ATTACK_DETECTION_URL_PATTERNS
  ** configuration has been modified to fix a bug.:
  ** FILTER_ATTRIBS:lt:4.00:no_keep:The FILTER_ATTRIBS configuration has
  ** been modified to include new information about the standard filters.:
  ** SET_REAL_DOCUMENT_ROOT:gt:4.07:copy_from=REAL_DOCUMENT_ROOT:The
  ** REAL_DOCUMENT_ROOT configuration has been renamed to SET_REAL_DOCUMENT_ROOT.:
  ** EMAIL_NAME:lt:6.01:no_keep:The EMAIL_NAME configuration has
  ** been modified to match hyphens ('-') in email addresses.:
  ** ZERO_IS_EMPTY:le:6.01:set_to=true:ZERO_IS_EMPTY has been
  ** set to a value that duplicates previous behaviour.:
  ** END OF CONTROL
  /* END OF CONFIGURATION (do not alter this line in any way!!!)               */
      // the following constants define all FormMail messages
  define('MSG_SCRIPT_VERSION',0);     // This script requires at least PHP version...
  define('MSG_END_VERS_CHK',1);       // If you're happy...
  define('MSG_VERS_CHK',2);           // A later version of FormMail is available...
  define('MSG_CHK_FILE_ERROR',3);     // Unable to create check file...
  define('MSG_UNK_VALUE_SPEC',4);     // derive_fields: unknown value specification...
  define('MSG_INV_VALUE_SPEC',5);     // derive_fields: invalid value specification...
  define('MSG_DERIVED_INVALID',6);    // Some derive_fields specifications...
  define('MSG_INT_FORM_ERROR',7);     // Internal form error...
  define('MSG_OPTIONS_INVALID',8);    // Some mail_options settings...
  define('MSG_PLSWAIT_REDIR',9);      // Please wait while you are redirected...
  define('MSG_IFNOT_REDIR',10);       // If you are not redirected...
  define('MSG_PEAR_OBJ',11);          // Failed to create PEAR Mail object...
  define('MSG_PEAR_ERROR',12);        // PEAR Mail error...
  define('MSG_NO_FOPT_ADDR',13);      // You have specified "SendMailFOption"...
  define('MSG_MORE_INFO',14);         // More information...
  define('MSG_INFO_STOPPED',15);      // Extra alert information suppressed...
  define('MSG_FM_ALERT',16);          // FormMail alert
  define('MSG_FM_ERROR',17);          // FormMail script error
  define('MSG_FM_ERROR_LINE',18);     // The following error occurred...
  define('MSG_USERDATA_STOPPED',19);  // User data suppressed...
  define('MSG_FILTERED',20);          // This alert has been filtered...
  define('MSG_TEMPLATES',21);         // You must set either TEMPLATEDIR or TEMPLATEURL...
  define('MSG_OPEN_TEMPLATE',22);     // Failed to open template...
  define('MSG_ERROR_PROC',23);        // An error occurred while processing...
  define('MSG_ALERT_DONE',24);        // Our staff have been alerted...
  define('MSG_PLS_CONTACT',25);       // Please contact us directly...
  define('MSG_APOLOGY',26);           // We apologize for any inconvenience...
  define('MSG_ABOUT_FORMMAIL',27);    // Your form submission was processed by...
  define('MSG_PREG_FAI

• CyberSource and Cartweaver

  I need help getting a CF version of the Cartweaver shopping
  cart to interact with the "Hosted Order Page" implementation of the
  CyberSource credit card processing system. CyberSource doesn't
  support ColdFusion, so I need to figure out how to use the
  CyberSource-supplied PHP "security script" to send form data from a
  CF page to the CyberSource server.
  Here's the sample page, for what the shopping cart would look
  like in PHP. As you can see, it appears staightforward, though I'm
  just not sure how this can be done if my cart is in CF:
  <?php include("HOP.php") ?>
  <html><body>
  <h1>sample_product_name</h1>
  <p>Here, you enter the description of your
  product.</p>
  <form
  action="https://orderpagetest.ic3.com/hop/orderform.jsp"
  method="post">
  <?php InsertSignature3("10.00", “usd”,
  “sale”) ?>
  <input type="hidden" name="orderPage_transactionType"
  value="sale">
  <input type="hidden" name="billTo_firstName"
  value="John">
  <input type="hidden" name="billTo_lastName"
  value="Doe">
  <input type="hidden" name="billTo_email"
  value="[email protected]">
  <input type="hidden" name="merchantDefinedData1"
  value="ship">
  <input type="submit" name="submit" value="Buy Now">
  </form>
  </body></html>

  Most of it can be used as-is. I'm fairly certain the first
  php tag can be removed but I'm not sure what this line does:
  <?php InsertSignature3("10.00", “usd”,
  “sale”) ?>
  Maybe see if they have an ASP example...