问题
I have a sub-folder with two files. The first is email.php, with a form that user can send me an email. It also has a captcha-like script to prevent spam, and uses $_SESSION[foo] variables. The second is upload.php, which allows registered users to upload files. Both files worked fine. Now I need to increase the upload_max_filesize from the base 2MB for upload.php. My host does not provide access to main php.ini, but recommend that I create a custom php.ini file in this subfolder. So I created:
php.ini
upload_max_filesize = 10M ;
post_max_size = 10M ;
I now get the errors Warning: include() [function.include]: Filename cannot be empty and Warning: include() [function.include]: Failed opening '' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') when I submit the form/captcha on email.php.
$_SESSION[foo]=$_GET[bar];
else $_SESSION[foo]="foobar.php";
include($_SESSION['foo']);
I found that $_SESSION[foo] is empty even with the else. After some research I found that when I ran phpinfo() that session.save_path was no value (the original was /tmp). So now
php.ini
upload_max_filesize = 10M ;
post_max_size = 10M ;
session.save_path = /home/foobar/tmp ;
But I am still getting the error. If I remove the php.ini file from this folder, then the form script on email.php works just fine, but I am back to upload_max_filesize = 2MB for upload.php. Any help would be appreciated.
回答1:
This is an issue with CGI PHP setups where the server php.ini directives do not cascade into custom configurations.
I've written about this extensively here - http://blog.philipbrown.id.au/2009/08/php-suexec-and-custom-php-ini-files/
$_SESSION[foo]=$_GET[bar]; else $_SESSION[foo]="foobar.php"; include($_SESSION['foo']);
I'm a bit confused by this snippet. Not only is it invalid (no if statement, array indexes not quoted) but highly insecure.
来源:https://stackoverflow.com/questions/5561540/custom-php-ini-file-in-subfolder-causing-issues-with-sessions-variables