Custom php.ini

[Mr.OppressoLiber]

I am going to test a script that requires that register globals be off and that the memory limit be set at least 16M. Well my host has register globals on by default and memory limit of 40M (not a problem with the memory).

So i created a custom php.ini and placed it in the root directory of the script to turn of the globals.

My question would be, is there any security risk in having a custom php.ini with only 1 line "register_global = off" in a root directory accessible to the public?

 

[iJeff]

I vote for A.

Personally, I would go for option B. Here's why:
- Using .htaccess to set a php flag seems nonsensical to me because you're telling apache to set a php configuration variable instead of telling php to set it itself. There are situations where you would not be able to use ini_set directly, but those are exceptional.

- Depending on server configuration, you may not even be able to use .htaccess in certain folders or at all. Furthermore, you may not be able to use certain Apache directives such as php_flag.

- You require anyone maintaining this web application (whether it's the OP or if it changes hands) to now have knowledge of Apache, Apache directives, and the current Apache server configuration, instead of sticking in the realm of PHP.

- ini_set will not have to be set more than once for all pertinent files to a web application if it is placed in a globally included configuration file. I would go on to say that copying and pasting nearly any chunk of code multiple times to multiple files is a sign of code that can be improved.