EDIT: This is the discussion topic for this FAQ.

Please keep in mind that not every hosting provider allows you to change this in a .htaccess file

Other solution if : using 'vhosts' option with Apache
This is a solution for those hosting their Site and using Apache/Php and package (EasyPhp, Wamp, etc.. )
With that, you specify php parameter only for one vhost, only for one site if separated vhost/site

It is possible to include php parameter inside Vhosts directives like :
  php_admin_flag register_globals off

Example :


ServerName testappli.org
ServerAlias *.testappli
DocumentRoot /var/www/vhostest

  Options FollowSymLinks MultiViews
  AllowOverride All
  Options +Indexes
  php_admin_flag register_globals off
 
    Order allow,deny
    Allow from all
 

What does register globals do? 

here is an article that pretty much sums register globals. You gotta have a little understanding of PHP. 

http://en.wikibooks.org/wiki/Programmin ... er_Globals

^^the joomla version.. 

My htaccess has an extra line on bottom which is the next line here.
I have added the register globals off but my information says that they are still on. Where may the problem lie

RewriteCond %{REQUEST_FILENAME} !\.(jpg|jpeg|gif|png|css|js|pl|txt)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php


php_flag register_globals off


Lingo

Ok, so the registered globals should be off.  But what happens if they are off and Joomla keeps saying they are on? 

I verified they were off by using a phpinfo file, and the settings in Joomla and the phpinfo tab in Joomla still says they are on.

First, is this a Joomla bug?  And does this matter?

How do multiple .htaccess files interact?  I have my site installed in a directory below root /travel/mamboinstallation, and there are .htaccess files in / and in /travel.  I've added the "php_flag register_globals off" to /travel/.htaccess  Is this sufficient and safe?

Thanks

Thanks..

thanks for the info.  i've added the line to end of the .htaccess file, but the pre-install check still shows Register Globals as ON.  is this normal?  i'm going to go ahead with the install since i want to get started learning about Joomla, but how will this affect a live site?  i read the wiki link and due to my lack of php knowledge, i didn't get very much out of it.

having the same problem.. i changed register_globals = Off with my htaccess.txt


keep in mind I'm running JSAS, does this have anything do to with the warning I'm still receiving under version 1.0.11??

What is the exact warning message? Is it global registers or global registers emunlation.

Can I just add, turning off register globals in this way is near useless... it only means YOUR site won't be the source of a server exploit, however you can/will still be exploited via another site on the server.

If a host does not set register globals to off by default they are showing they don't really care about security. Since php 4.2.x register globals is off by default.

Just let me add the following:

Since about 2003, the Register_Globals problem is officially known by everybody who has some little skills in PHP.
I still wonder why there are providers offering shared servers with activated register_globals.

Even on my local machine for testing and development, I have turned off register_globals.

For God's sake, it can't be that difficult to turn that off! When leaving home, you also lock your door and do not put the key under your doormat or into the flower pot beside your door, don't you?

Harald

Im a newbie and just a few days ago I set up my joomla site and registered a domain.  Since I installed Joomla from the fantastico program from my webhost im wondering where exactly is this php global file? I have a site im almost done doing all the cosmetic work but I cant "officially" launch it till i solve this security issue.  Please help

I am in the grey are between "newbie" and "lurker", but here's my first post.

I've just gone through a strange experience with register globals and thought I might post here in case someone else encounters the same problem. 

I created a Joomla installation at root of an add-on domain ("Site B").  I also had a pre-existing Joomla installation which I had manually upgraded* ("Site A").  Obviously these are for different websites.

I had long ago been successful in turning off register globals from Site A.

After installing Site B, I checked everything for the correct settings.  To refresh ourselves, the key files are:
globals.php
php.ini
.htaccess

My new settings for Site B appeared to duplicate those of Site A, and I also checked the FAQ and this thread.  Still, my Site B admin panel presented the red warning message (kudos to the person who scripted the security warning). 

Finally, my host advised to copy php.ini from Joomla root /www/Site B/ into the /www/Site B/administrator/ folder.  It worked.

Curiously, I do have a php.ini file sitting in /www/Site A/administrator/ which is an empty file. 

Can anyone tell me why one installation needed it and the other didn't?  Both are Joomla 1.0.12

Host Versions as follows:
Apache version 1.3.37 (Unix)
MySQL version 4.1.21-standard
PHP version 5.0.5

Thanks if you can explain this!

* I do not recommend using your host interface (cpanel/add-on scripts/fantastico etc.) to do the push button upgrade for Joomla.  Joomla's instructions for upgrading manually are clear and the process is pretty quick once you get into it - it will ultimately save you time and headaches.

Thanks to sludge!
I was having trouble getting register globals turned off - as many posting on these pages have experienced.  In fact, the solution provided in the thread pointed to by the error message itself, http://forum.joomla.org/index.php?topic=1030.msg92433, was causing the server to error out.  So.. . after reading this thread, especially sludge's post, I tried copying my php.ini file into my joomla! admin directory.  That still didn't work so, I followed a hunch, or you could call it a brute force (emphasis on the 'brute' part) or trial-and-error tehnique, I copied my php.ini file to my web documents root dir (in my case /public_html/)  and voila!  No more error message.

Some background...

• 1) I have several installations of Joomla! in subdirectories below /publichtml/, the install for which I was trying to turn off register globals was one of these.
• 2) After successfully turning off register globals upon installation of 1.0.12, the error message appeared again after upgrading to 1.0.13 by extracting the contents of the upgrade file in the Joomla! root dir.  This behavior was exhibited by every 1.0.12 install upon upgrading to 1.0.13 by the same method.

Some brute force/trial-and-error speculation...
I wonder if it takes a while for the change in php.ini to 'propagate' through the system (pardon my massive technical ignorance) or if the register globals = on condition is 'cached' somewhere (in my browser? seems doubtful), or some other similar phenomenon.  I mention this because having successfully turned register globals off, when I began to write this post and wanted to quote the thread pointed to by the error message in the back end of Joomla!,http://forum.joomla.org/index.php?topic=1030.msg92433, even removing both the instances of php.ini (one in the Joomla! root and the other in the web docs root) I could not recreate the error!!!

Edited to add URL's