PHP: php_value vs php_admin_value and the use of php_flag explained

Mattias Geniar, Saturday, February 18, 2012

Back in 2009 there was a bug in the php_admin_value implementation before PHP 5.2.6. Since then, everything should run smoothly again. However, I find there's still a lot of confusion about when to use php_value, php_admin_value, php_flag and php_admin_flag. So I'll see if we can clear some of that up.


The php_flag directive is used in Apache configurations to set boolean values for options. So only true/false, On/Off, ... kind of parameters. For example:

php_flag display_startup_errors off
php_flag display_errors off

Those are only On/Off values with which you enable or disable the setting. You can use the php_flag directive in Virtual Host configs, .htaccess files and the general Apache configuration. However, you can't change every PHP configuration value that way. You can only change the PHP_INI_ALL and PHP_INI_PERDIR options shown on the "List of php.ini directives" page.


The php_admin_flag directive can only be used within the Apache configuration (general config or in a Virtual Host) and cannot be used in a .htaccess file. You can set any kind of PHP configuration setting that behaves as a boolean this way. For example:

php_admin_flag safe_mode off

A setting made with php_admin_flag cannot be overridden from within your application using ini_set()! Whatever value is configured there stays in effect for the whole execution of your application.


If php_flag is used for booleans, php_value is used for everything else. You can use php_value for any configuration directive that takes parameters other than On/Off. For example:

php_value error_log /some/dir/to/log/php_errors.log
php_value upload_max_filesize 10M

Just as with php_flag, you cannot override every configuration value this way. Since php_value can be used everywhere (.htaccess, Apache configs and Virtual Hosts), allowing that would be unsafe. You can only change the PHP_INI_ALL and PHP_INI_PERDIR options shown on the "List of php.ini directives" page.

If you want to clear a configuration value, use the "none" value.

php_value open_basedir none


The php_admin_value directive can only be used in the Apache configuration, not in .htaccess files. It does allow you to override any configuration value possible in PHP.

By using the php_admin_value, the value of that configuration directive cannot be overwritten in the application. That means if you were to set your include_path by using php_admin_value, the application (such as the Zend Framework bootstrap) would not be able to alter the content of that configuration directive via ini_set() or set_include_path().

Only use the php_admin_value if you explicitly want to forbid that configuration directive from being changed by your application.
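A small linter for the placement and type rules above, as an added example that is not from the original post: it flags php_admin_* directives in .htaccess, values other than on/off given to the flag directives, and settings you want enforced that are set without the admin form. The function `audit`, its `locked` parameter and the sample configs are constructed for illustration; accepting only on/off follows the `on|off` syntax in the PHP manual.

```python
import re

# Directive -> (usable in .htaccess, value is a boolean), per the rules in the post.
RULES = {
    "php_flag": (True, True),
    "php_value": (True, False),
    "php_admin_flag": (False, True),
    "php_admin_value": (False, False),
}
LINE_RE = re.compile(r"^\s*(php_(?:admin_)?(?:flag|value))\s+(\S+)\s*(.*?)\s*$", re.I)


def audit(text, is_htaccess, locked=()):
    """Return (line_no, message) findings for PHP directives in Apache config text.

    locked: setting names the administrator wants enforced (hypothetical, caller's choice).
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # comments, blank lines, non-PHP directives
        directive, setting, value = m.group(1).lower(), m.group(2), m.group(3)
        in_htaccess, is_bool = RULES[directive]
        onoff = value.lower() in ("on", "off")
        if is_htaccess and not in_htaccess:
            findings.append((no, f"{directive} is not allowed in .htaccess"))
        if is_bool and not onoff:
            findings.append((no, f"{directive} {setting}: expected on/off, got '{value}'"))
        if not is_bool and onoff:  # heuristic: an on/off value belongs with the flag form
            findings.append((no, f"{setting} is boolean: use {directive.replace('value', 'flag')}"))
        if setting in locked and "admin" not in directive:
            findings.append((no, f"{setting} set with {directive}: lock it with php_admin_* in the server config"))
    return findings


# Constructed sample input, not taken from a real server.
VHOST = """\
php_admin_value open_basedir /var/www/example
php_value include_path /var/www/example/lib
php_flag display_errors off
php_value display_startup_errors off
"""
HTACCESS = """\
# constructed sample
php_admin_flag safe_mode off
php_value upload_max_filesize 10M
"""
```

Calling `audit(VHOST, False, locked={"include_path"})` reports lines 2 and 4, and `audit(HTACCESS, True)` reports the php_admin_flag on line 2.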


Charlie Monday, February 20, 2017 at 04:58 - Reply

Moar! Brought here by cron weekly.. More php related articles like this one would be an awesome blessing.
