Joomla! Discussion Forums



 Post subject: Creating custom PHP.ini
Posted: Sun Sep 17, 2006 9:55 pm 
Joomla! Apprentice

Joined: Fri Aug 25, 2006 10:56 pm
Posts: 39
I am trying to use the instructions here: http://forum.joomla.org/index.php/topic ... html as well as here: http://tips-scripts.com/?tip=php_ini#tip to create a custom php.ini file and then copy it to each subdirectory. I haven't got to the copy part yet. I keep getting these warnings when I try to run the createini.php script:

Warning: fopen(PATH TO CUSTOM LOCATION FOR MY PHP.INI): failed to open stream: Permission denied in PATH TO MY CREATEINI.PHP FILE on line 22

Warning: fwrite(): supplied argument is not a valid stream resource in PATH TO MY CREATEINI.PHP FILE on line 23
Processing error - php.ini write failed

Any ideas how to fix this?

What I am really trying to do is fix the backend Warning message I am getting (after patching to 1.0.11):

PHP register_globals setting is `ON` instead of `OFF`
Joomla! RG_EMULATION setting is `ON` instead of `OFF` in file globals.php


Posted: Mon Sep 18, 2006 12:43 pm 
Joomla! Explorer

Joined: Mon Jun 19, 2006 5:54 pm
Posts: 313
If the goal is to turn off RG emulation (thereby clearing the backend message and providing more robust security for your site), you can simply edit globals.php and change the RG emulation value.

http://forum.joomla.org/index.php/topic,93640.0.html
(see RG Emulation section -- which is different from php's own register_globals variable).

However, this does not address the larger question of whether or not php's register_globals flag is on or off on your site. You can review Joomla's php info (backend... System -> System Info -> PHP Info) and check the variable's value.

Emulation is left on by default in order to prevent unexpected failures in poorly written 3rd party modules. However, the recommended best practice is to turn both php's register_globals variable AND Joomla's RG emulation off, thereby eliminating any register_globals-based exploits.

If register_globals is off, turning off Joomla's RG emulation will harden your site against some forms of exploits. However, turning off RG emulation won't help if register_globals is on. To change register_globals, your best bet would be to add a php directive in your .htaccess file. (See the link above for information on that as well).  Trying to create individual php.ini is, IMHO, more of a last-resort option, as it's very sensitive to how the host has deployed php and can lead to confusion in terms of managing default values.


Last edited by zman818 on Mon Sep 18, 2006 1:02 pm, edited 1 time in total.

Posted: Thu Sep 21, 2006 11:44 pm 
Joomla! Apprentice

Joined: Fri Aug 25, 2006 10:56 pm
Posts: 39
Ok, I turned RG_Emulation off in globals.php and turned register_globals off in .htaccess.

But what about the other settings recommended here:

Quote:
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 1
safe_mode = 1
open_basedir = /dir/to/include/change_me/



Posted: Fri Sep 22, 2006 4:20 am 
Joomla! Explorer

Joined: Mon Jun 19, 2006 5:54 pm
Posts: 313
Those can be set through .htaccess as well.


Posted: Fri Sep 22, 2006 9:10 pm 
Joomla! Apprentice

Joined: Fri Aug 25, 2006 10:56 pm
Posts: 39
OK, great.

Do I just list them in the .htaccess file like they are listed here (of course, with the exception of the Emulation part)?


Posted: Fri Jun 29, 2007 7:58 pm 
Joomla! Apprentice

Joined: Wed Oct 11, 2006 4:50 pm
Posts: 7
Location: São Paulo/Brazil
zman818 wrote:
Those can be set through .htaccess as well.


I can't set safe_mode on the .htaccess file...
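
Whether a directive from the quoted list can be set in .htaccess depends on its changeable mode in the PHP build the host runs. The script below is an added example, not part of any post in this thread: it asks the running PHP through ini_get_all() and prints ready-to-paste .htaccess lines for the per-directory directives and a comment for the rest. The function name htaccess_report is hypothetical, and the recommended values are the ones quoted in the thread.

```php
<?php
// Added example, not code from the thread. Values are the ones quoted above;
// the open_basedir path is the thread's own placeholder.
$wanted = array(
    'register_globals'  => '0',
    'disable_functions' => 'show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open',
    'allow_url_fopen'   => '0',
    'magic_quotes_gpc'  => '1',
    'safe_mode'         => '1',
    'open_basedir'      => '/dir/to/include/change_me/',
);

// Build report lines from ini_get_all() output. $all is a parameter so the
// function can also be fed constructed data.
function htaccess_report(array $wanted, array $all)
{
    $lines = array();
    foreach ($wanted as $name => $value) {
        if (!isset($all[$name])) {
            // register_globals, magic_quotes_gpc and safe_mode were removed in PHP 5.4.
            $lines[] = "# $name: not present in this PHP build";
            continue;
        }
        $current = var_export($all[$name]['local_value'], true);
        $access  = $all[$name]['access'];
        if ($access & INI_PERDIR) {
            // Per-directory changeable: booleans use php_flag, other values php_value.
            $lines[] = "# $name: current $current, changeable in .htaccess";
            if ($value === '0' || $value === '1') {
                $lines[] = "php_flag $name " . ($value === '1' ? 'on' : 'off');
            } else {
                $lines[] = "php_value $name \"$value\"";
            }
        } else {
            // INI_SYSTEM-only directives are ignored or rejected in .htaccess.
            $lines[] = "# $name: current $current, needs php.ini or httpd.conf (access level $access)";
        }
    }
    return $lines;
}

// Comments go on their own lines because Apache does not accept a trailing
// comment after a directive.
header('Content-Type: text/plain');
echo implode("\n", htaccess_report($wanted, ini_get_all())), "\n";
```

The php_flag and php_value lines only take effect when PHP runs as an Apache module and AllowOverride permits them; under CGI they cause a 500 error. Request the script through the web server for the directory in question, then delete it, since it reveals configuration details.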

