Php.ini file

Hi all,

I’m new to PHP, I got a problem with my php.ini file. My web hosting does not create one, I have to create it myself, but have no idea how. Any ideas how it is done? What do the settings in that file mean? Any links to more info would be appreciated.

Thanks a lot.

You say you have a problem with your php.ini file and then you say you don’t have one, which one is it?
Are you on a shared or dedicated hosting package? Are you trying to overwrite php server values?

There was no php.ini on a server. I found one on the net, but not sure if it worked on my shared web hosting. It’s this one: http://www.reallylinux.com/docs/php.ini
I know I can change email values, but does it have anything to do with MySql database?

If you have shared hosting then there is one, in order for PHP to run, it requires one, but it won’t be in your local path, so you can either create a small one with just the values you need or create a .htaccess and do it in there.

…and don’t put that file above in your root…

It is seen by most as being a critical, but time-consuming, task as a learner to read and study all those comments inside your php ini file when starting out.

You do not need to fully understand what all of it means when starting out, but you must appreciate the impact it has on PHP applications which start running on those directives.

It tells PHP which key components to load up when the server is started/restarted, for example (you asked about databases).

Now, many of those directives can be adjusted at the page level or at the directory level - with apache .htaccess files and so on.

The danger is that your provider will have by necessity screwed down tightly (you hope!) many of the security features for very good reasons, and will not look kindly to you overriding them.

So know what you are doing.

That said, there must be a specific reason you want to add a php.ini file? If you told us that we might be able to show you another way to alter the directive you think needs adding/adjusting.

http://www.php.net/manual/en/ini.list.php - see especially the column marked changeable
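
Added example, not part of the original thread: a small PHP script that reports, for a few directives, the current value and where the host allows it to be changed, using the same "changeable" modes as the manual's list. The directive names in the loop are picked for illustration only.

```php
<?php
// Added example: show where selected php.ini directives may be changed.
// The directive list below is an assumption chosen for illustration.

function changeable_mode(int $access): string
{
    // ini_get_all() reports "access" as a bitmask of
    // INI_USER (1), INI_PERDIR (2) and INI_SYSTEM (4); INI_ALL is all three.
    if ($access === INI_ALL) {
        return 'INI_ALL (anywhere, including ini_set())';
    }
    $modes = [];
    if ($access & INI_USER) {
        $modes[] = 'INI_USER (ini_set() in a script)';
    }
    if ($access & INI_PERDIR) {
        $modes[] = 'INI_PERDIR (.htaccess or per-directory ini)';
    }
    if ($access & INI_SYSTEM) {
        $modes[] = 'INI_SYSTEM (php.ini or httpd.conf)';
    }
    return implode(' | ', $modes);
}

$all   = ini_get_all(null, true);   // every directive, with access details
$names = ['sendmail_from', 'sendmail_path', 'display_errors',
          'upload_max_filesize', 'memory_limit'];

foreach ($names as $name) {
    if (!isset($all[$name])) {
        echo "$name: not available in this build\n";
        continue;
    }
    printf(
        "%-20s current=%-14s %s\n",
        $name,
        var_export($all[$name]['local_value'], true),
        changeable_mode($all[$name]['access'])
    );
}

// Which php.ini (if any) this PHP process actually loaded.
echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', "\n";
```

Run it once from the web server rather than the command line, since the two can load different configuration, and delete it afterwards so it does not keep exposing configuration details.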

I’ve got .htaccess file in my root folder, but there’s nothing in there, it’s blank. I guess I should write something in there, but not sure what.

It says here (http://help.justhost.com/questions/76/How+do+I+setup+custom+php.ini+settings%3F), that I have to create php.ini file, it’s not included in current phpSuExec installation.

What are you trying to achieve? Maybe knowing that will help us tell you what to type in there?!

I know the basics of php.ini, but I don’t know how to change values and I don’t know if it depends on what hosting it is. I’ve got cPanel, maybe some other panels need some different values in php.ini - I have no idea.

What I want to do is- to have a contact form on my site and when user fills it out and sends- I receive an email. Sounds simple, but it’s not :smiley:

Thanks for link, I will check it out gradually, it takes some time to digest all that :wink:

Did you try the mail() function, hardcode your own email address in the $to argument, no need to always have your email address in the ini file.

http://php.net/manual/en/function.mail.php

So you want to make sure sendmail is emailed or are you using PHPMailer class or something else?

Thanks Cups- another good link :slight_smile: No, I haven’t tried mail() function, nor PHPMailer- I don’t know what that is…
I had XHTML, CSS and JS in the uni, but PHP is quite difficult to me.
Any good tutorial on how to create a contact form in a sort of step-by-step way?

Sounds like you don’t need php.ini at all! All you need is to learn how to add variables into mail() (php.net/mail)

Good news :slight_smile: I’m off now, will try mail() later, will let you know of outcome.
Thanks a lot!

I managed to finish my form with mail() and it works! Now I have to do a form validation. If I did validation with JS or jQuery, how would PHP know that it passed that validation?

There are 2 types of validation: client-side and server-side. jQuery, JavaScript etc. run client-side. That means the validation happens on the client’s computer; if the user ‘fails’ the validation, jQuery/JavaScript will take care of that… One problem can be if the user disables JavaScript in their browser: then it will just get passed anyway, because the validation can’t run.

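So you need to make server-side validation too, using regex and so on… I’m not very good at it myself, but e.g., to check if a field is empty or not you can do:

if (isset($_POST['submit'])) {
   // Both fields must be present and non-empty before anything is sent
   if (!empty($_POST['field']) && !empty($_POST['anotherfield'])) {
      // Recipient and subject are hardcoded (placeholder address);
      // only the message body comes from the form
      mail('you@example.com', 'Contact form', $_POST['field']);
   } else {
      echo "You need to fill out the form";
   }
}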

Good reply from zerpas which clears up the part that js plays in security - that is - none at all.

Whatever comes from the internet must be treated as highly suspicious as it could contain code which could damage your system, or cause damage to (in this case) whoever opens your emails. Not what you want.

The basic premise is this: Filter Input, Escape Output (FIEO). With that you can do more searching and familiarise yourself with these two principles.

eg

you have a box for a phone number call it $tel, so if $tel contains anything other than digits, spaces and say a dash - then you either:

a) abort or b) tell the user they got it wrong, try again.

You could say that b) can be done in JS - the user cannot submit the form unless the pattern they enter matches - and that would be a good example of PHP working in tandem with JS.

So if you take the trouble to explain to your users that $tel should only be digits, spaces and a dash - and you enforce that in JS and something other than that arrives - you have to make a decision, do you try and clean the data up and carry on, or just quit.

I invariably just do a) and quit.

So that is an example of Filtering Input against expectations.

If you are storing data from the internet into your database you have to Escape it in order to protect your database from SQL injection (see Little Bobby Tables to see a humorous take on what that could mean).

If you are sending an email you need to likewise escape the data to make sure you did not miss something in your Filtering in order to protect the user from XSS attacks.

So you Escape the data in order to protect the next environment that data is headed for…

One way to think about this is that PHP is the man in the middle.

In the left hand arrives data, is it what I expected? If yes, pass it to the right hand and decide what, if anything will I do with that data? Escape it to protect that next environment.

PHP has pretty much all of the functions you need to handle this work.

http://php.net/manual/en/book.filter.php

is a good place to start, though there are many other tricks you can employ.

htmlentities()
htmlspecialchars()
et al

mysql_real_escape_string()

Although for databases most common wisdom since the advent of PHP5 has been to favour using prepared statements with mysqli or PDO.
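
Added example, not part of the original thread: a contact-form handler that applies Filter Input, Escape Output as described above, taking option a) when input fails. The field names (tel, email, message), the length limits and the recipient address are assumptions made for the example.

```php
<?php
// Added example. Field names, limits and the address are assumptions.
const CONTACT_TO = 'owner@example.com';   // placeholder, hardcoded recipient

/** Filter input: return the cleaned fields, or null if any fails expectations. */
function filter_contact(array $post): ?array
{
    // Accept plain strings only; arrays or missing keys become ''.
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';

    $tel   = $get('tel');
    $email = $get('email');
    $msg   = $get('message');

    // $tel: digits, spaces and dashes only (length bounds are an assumption).
    if (!preg_match('/\A[0-9 -]{5,20}\z/', $tel)) {
        return null;
    }
    // email: must be a valid address; explicitly refuse CR/LF, because this
    // value is placed in a mail header below.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n]/', $email)) {
        return null;
    }
    if ($msg === '' || strlen($msg) > 5000) {
        return null;
    }
    return ['tel' => $tel, 'email' => $email, 'message' => $msg];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $clean = filter_contact($_POST);
    if ($clean === null) {
        http_response_code(400);
        exit('Please check the form and try again.');   // option a): quit
    }
    // Plain-text body; recipient and subject never come from the form.
    $body    = "Tel: {$clean['tel']}\nFrom: {$clean['email']}\n\n{$clean['message']}";
    $headers = "Content-Type: text/plain; charset=UTF-8\r\n"
             . "Reply-To: {$clean['email']}";
    mail(CONTACT_TO, 'Contact form', $body, $headers);

    // Escape output: anything echoed back into HTML goes through htmlspecialchars().
    echo 'Thanks, we will reply to ',
         htmlspecialchars($clean['email'], ENT_QUOTES, 'UTF-8');
}
```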

Thanks for code :slight_smile:
One question though…
If I validate my form with JS (for example) and the fields are not filled in correctly, the JS would display an error message, and so would the PHP. Would I get two error messages - one from JS and another from PHP?

I don’t use MySql yet for forms, but surely will some day, it’s a very good info you posted, thanks Cups.

Maybe the best practice for now would be to use JS with regular expressions to validate the form, and once the fields are filled in correctly, use PHP just to check that the fields are not left blank.

Another thing I just got in my mind… When user clicks on ‘Submit’ button- JS runs first and then PHP. Or do they run at the same time? Sorry, I have to get a logic of this process into my head first.

And thanks for links!

For a normal user the JS code would ideally stop the form from being submitted - so PHP should never see $tel with a bracket (<) or a letter in it.

If PHP DOES detect something other than digit, space, dash - it means either:

a) Someone with JS turned off made an error (despite your clear warnings on the GUI?)
b) Someone intentionally turned JS off and submitted some data to probe you
c) A bot hit your page and filled in the form automatically with something nasty like spam or worse

In any of those cases, they did not see the JS warning.

To fully understand it, you need to make a simple form with one text element, on the JS side you build that so the form cannot submit if the text area is empty.

The only way to post back the form (as a normal browser-based user) with the text box empty - is to turn JS off.

The edge case we all have to deal with is this one, what if the user is visually disabled, is browsing with JS turned off … are your warnings on the GUI (“Please only enter numbers and a space”) sufficient **? Or do you really have to feed back bold red text saying “numbers only please”?

The answer is “it depends”, some criteria are:

How much you value the user
The amount of time the user is likely to have invested in your form
Whether they have an account and are logged in

** Then your client thinks that text looks ugly and says “can we just do away with it?”. Harrumphhhh…