Oussama GHAIEB

Tips, tricks, and code snippets for developers

Useful PHP Configuration Tips (php.ini)

Tuning your php.ini settings is a simple but powerful way to improve your development experience, harden your production environment, and get the best out of your server resources.

Here are the most practical PHP configuration tips I use regularly β€” with clear explanations for why each setting matters.


1. πŸ” Display All Errors (for Development)

display_errors = On
display_startup_errors = On
error_reporting = E_ALL

Why?
These settings show all errors, warnings, and notices. They're essential when debugging during development so you can spot bugs early.

⚠️ Never enable in production β€” it exposes sensitive information.


2. πŸ“ Increase Upload Limits

upload_max_filesize = 50M
post_max_size = 100M

Why?
By default, PHP has low upload limits. If you're allowing users to upload files or dealing with CSV imports or image uploads, you need to raise these limits accordingly.

  • upload_max_filesize: Max size of an uploaded file.
  • post_max_size: Max size of the entire POST body (should be larger than upload_max_filesize).

3. πŸ•’ Increase Execution Time & Memory Limit

max_execution_time = 60
memory_limit = 512M

Why?
For operations like PDF generation, image processing, or large database imports, default limits can cause timeouts or memory errors. These settings give scripts more time and memory to complete.


4. πŸš€ Enable Realpath Cache (for Faster File Access)

realpath_cache_size = 4096k
realpath_cache_ttl = 600

Why?
PHP constantly resolves file paths during execution (especially in large frameworks). This cache speeds things up by storing resolved paths, reducing filesystem lookups.


5. πŸ”’ Disable Dangerous Functions (for Production)

disable_functions = exec,passthru,shell_exec,system,proc_open,popen

Why?
These functions allow PHP to run system-level commands. Disabling them in production minimizes the risk of command injection vulnerabilities.


6. πŸ•΅οΈβ€β™‚οΈ Hide PHP Version in HTTP Headers

expose_php = Off

Why?
Prevents PHP from sending X-Powered-By: PHP/x.x.x in HTTP headers. This reduces the attack surface by not revealing your server's PHP version.


7. 🌍 Set Your Timezone

date.timezone = "UTC"

Why?
If not set, PHP uses the server's system timezone or may throw warnings. Explicitly setting it ensures consistent behavior for date/time functions.


8. ⚑ Boost Performance with OPcache

opcache.enable=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=10000
opcache.revalidate_freq=2

Why?
OPcache stores precompiled script bytecode in memory, significantly improving performance. These settings help allocate enough memory and control how often PHP checks for script updates.

  • memory_consumption: More memory = more cached scripts.
  • max_accelerated_files: Higher number = more files can be cached.
  • revalidate_freq: How often OPcache checks for changes (in seconds).

9. πŸ›‘οΈ Secure PHP Sessions

session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1

Why?
Securing session cookies prevents common attacks:

  • cookie_httponly: Prevents JavaScript access to the cookie.
  • cookie_secure: Ensures the cookie is only sent over HTTPS.
  • use_strict_mode: Rejects uninitialized session IDs to prevent fixation attacks.

10. πŸ“ Log Errors without Displaying Them (for Production)

log_errors = On
error_log = /var/log/php_errors.log
display_errors = Off

Why?
In production, you should log errors but not display them to users. This protects sensitive details while still keeping error visibility for developers.


βœ… Final Tip

Don’t forget to restart your web server after changing your php.ini file:

sudo systemctl restart php8.2-fpm
# or for Apache users
sudo systemctl restart apache2

🧩 Bonus Tip

Use php --ini to find the loaded php.ini file:

php --ini

πŸ’¬ Got more tricks or want to share your favorite setup? Ping me on Twitter!

Tags: #php #security #configuration
Oussama GHAIEB - Laravel Certified Developer in Paris

Oussama GHAIEB

Laravel Certified Developer | Full-Stack Web Developer in Paris

14+ years experience β€’ 20+ projects
Read more about me β†’

Comments (0)

No comments yet. Be the first to comment!


Leave a Comment

More Posts :