Joomla! Discussion Forums

Still hoping someone will at least let me know if this is possible.
W

Did you upload your .htaccess file to the server in binary or ASCII format?  It has to be ASCII.

Also make sure you have only the code I mentioned in the file, and have spaces in the right place.

Thankyou for adding that! I am using 1 and 1 and nothing else was working!

I have added your code and it's working perfectly

if anyone is having problems copying php.ini to subdirectories you can try this method if you have shell access..

find * -type d|xargs -i cp --verbose php.ini {}/.

cheers

Well, I have to say that my host (hostgator) has more than made up for their prior failings. It certainly pays to be a well informed customer though. It also pays to be persistant! Rather than relying on changing shifts of tech support to see the whole pictures by reviewing all the emails, I replied with an email that laid out the whole problem, what I had tried and what had failed in detail.

It seems that they bumped it up to a higher level of support personel. He looked at the scripts to copy the php.ini and copy them to the subdirectories. He found the problem ( I was close--just frustrated), modified them to work, ran the first to copy and modify the the php.ini to my public_html folder, then ran the second script to copy to all the sub-directories for me. He left the customized scripts in my site so that I could run them whenever I like and even gave suggestions for setting up a cron job.

All is good! And thanks to all here!

Steve

How do you disable this in php.ini file ??

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

I checked my php configuration and this is what I have :

disable_classes no value no value
disable_functions no value no value

Thanks

Assuming you're the owner, only the owner needs write permission.

I tried to do this, but every time I had an error, so I decided to contact my host and ask them to switch the global_register off, however they told the reason they have it on is because the spam by php hackers.

By implementing this upgrade would I be expose to hackers?


Thanks

Arty

thank you soo much for the 1and1 fix it worked like a charm. all I did was place AddType x-mapp-php5 .php in the .htaccess file and boom it worked :-)

Yes... I'm also on Schlund (1&1) and they dont want to change the settings... I solve the problem with a tool found on the joomla.de forum. Verry easy to use.

My post is here:
http://forum.joomla.org/index.php/topic,91837.msg465727.html#msg465727

Regards

Bergmannn,

Here is what I have found out after searching through allot of forums and i hope this helps you and anyone else using 1and1.com

By default 1and1.com uses php 4.44 for backwards compatability. While this does allow many of their clients to continue using older php scripts it also leaves allot of security holes open that were fixed in php 5.

to solve this problem you can do 4 things, first copy a php.ini file into ever folder one at a time, second use a script to copy the php.ini file or create a link to that file like your script does. third you can change each and ever php file to use the .php5 extention.

the forth and best way  is to create a file at the root of your site called .htaccess. and put this one line in that file.



what this does is tells the apache server that 1and1 uses to the php 5 engine on all php files in the same directory and all sub directories that the .htaccess file resides in. This greatly inceases the security of your site because php 5 turns off the register globals option by default and fixes several other security holes that were in php 4.

for your convince I will also attach a htaccess file for you to download. just ftp the file to the root of your webspace and rename to .htaccess and your done.

@askjosh,

Please don't cross post.  It is against the forum rules.

re: http://forum.joomla.org/index.php/topic,91837.msg465778.html#msg465778

Hi,

after reading this thread, I'd like to summarize a few things and put some things straight, as I found a bunch of glitches in previous posts.

In no particular order and certainly incomplete ...

get_user_name() -- using this function to "construct" a path is rather pointless and unreliably since there's barely any connection between the user name reported to PHP and the physical/logical "path name" or structure leading to home directories, document roots or such. Mass hosters (need to) use other techniques to manage the mapping of path names and accounts, contract ids, grants, or other services.

phpinfo() -- tells you exactly where the active copy of php.ini for the active PHP version (4 or 5) resides, in case you wanna take it as the source for copies. It also tells you whether it's running as a "module" or "CGI".

speading php.ini files -- pointless in the hope to change "run time values" if PHP runs as Apache module (mod_php), 'cos the module reads this file once only, when the server is started (by the ISP). PHP-CGI -- if configured to do so -- primarily looks for this file in the directory of the "main script" aka $PHP_SELF and if none is found test for another 10 well-defined locations. Read http://php.net/manual/configuration.php to learn the rules of where, when and in what order some "php.ini" will be sought and loaded, the possible file names, dependencies on whether its CGI/CLI/module incl. differences of the operating systems.
For Joomla the "main script" is either of the index*.php files of the site, the admin and the installer. There's no need to copy php.ini files into any other directory, if there's no "main script" to call. If one calls /foobar/blabla.php, PHP will look for /foobar/php.ini only, not for /php.ini nor /include/php.ini -- Note: Some J!-Editors or Components use popup-windows using a different "main script" (check their URL!). When ever that happens, you may also place a copy of your custom php.ini into that very directory, e.g. JCE/MosCE's Image Editor

php-XXX.ini -- PHP may not use an existing "php.ini" even if it's configured to do so, but looks for a very specific file where the basename is suffixed by its internal "server api name": "cgi", "fast-cgi", "fcgi" or "apache2handler", hence you may have more luck by naming the file php-cgi.ini rather than just "php.ini". See the result of php_sapi_name() to find this name.

AddType xxxxx .php -- while many ISPs meanwhile allow you to toggle .php from PHP4 to PHP5 on a directory basis, the type name typically differs and there's no general rule. You MUST ASK your provider what name they have used. "x-mapp-php5" is true for the german providers 1und1 and Schlund & Partner (same firm, diff. brands). I run client sites on various hosters and EACH has choosen a different type name. On my local box I used php5_script, as suggested in the manual. (AFAIK, the type name is fixed to "php5_script" if -- and only if -- PHP5 runs as an Apache module (mod_php), however one may add more types for the same thing in Apache)

php_value xx yy -- only applies to PHP module. Period. Read Elpie's Guide to .htaccess as a great companion to this subject.

.htaccess & php*.ini -- are NOT interchangeable, as Beat already said. The former belongs to the web server only and allows to configure (parts) of the web server configuration and it's active modules. The latter only belong to PHP of any type, with each may favour a special named file as mentioned above.
The PHP-CGIs evaluate their .ini on each request, hence giving you the ability to change runtime values using separate .ini's in the main script's location, the module does so only if the server is started. To change module settings, you must use the php_value directive. If you happen to have access to Apache's httpd.conf do it there, otherwise use .htaccess and be aware of the possible impact (see Elpie's Guide.)

PHP4 or PHP5 -- by design you can't have both as a module on the same web server (instance) so you need to use their respective method to change run time settings: .htaccess for the module, php.ini for CGIs.
Unfortunately PHP5 isn't yet the default "php handler" for many mass/large hosters but often runs in parallel, in CGI mode configured to lauch for .php5 files. Maybe PHP4 runs in CGI mode as well.
Presuming there's no .htaccess to switch the handler type, have two files with inside and save one as "whatever.php" and the other as "whatever.php5". Check the header block to find out which PHP version and "Server API" applies: anything with "cgi" in that name means, well, CGI mode. The module usually has "apache" in the API name (i.e "apache2handler" on Apache 2.x) -- I have no clue what it's called for IIS or other web servers, sorry.

Finding path names.
ISPs may mount/link physical storage into a logical file structure, resulting in different path names apearing in PHP's scope. Handy looking values from i.e. $_SERVER['DOCUMENT_ROOT'], getcwd(), or dirname(__FILE__) must not contain/return the same paths because they origin from different sources (Apache, OS, PHP). While your php-script might be able to read from each of these paths, that doesn't imply it can also be used to write/copy files into it.
To make things even more fun: via FTP you may encounter even another path to your "web space". The larger your provider the better the chances none of them match "visually".
e.g. physical paths as seen/known by the OS:
  /drive1/clients/cheap/contract_id1/web
  /drive2/clients/cheap/contract_id2/web
by the web server:
  /foo/bar/anybody/account0001/www/htdocs
  /foo/bar/anybody/account0002/www/htdocs
by PHP
  /account0001/www/htdocs
  /account0002/www/htdocs
free.fr for instance happens (or happend) to have such a funky "layout"

You're dealing with several levels:
- paths visible to applications
- logical paths
- their physical location
and you provider's idea of his very own "best practice" to handle all this with the lowest effort.

So instead of guessing and placing INIs all over the place or adding directives to .htaccess for no good: save yourself some time and nerves, and ask you provider first if the required "feature" (.htaccess, php.ini) is supported at all or search their support/faq pages. The provider may even change a setting for you if this has no impact for other client's setup. Mass hosters are unlikely to do that for you: they're that cheap 'cos they use a "one size fits all" approach.
If this is bugging you, have a drink less per month and save that money for a better provider and service.

Don't reply to my post telling me your provider does it this way or that way: I'm sure he does.
"Disclaimer": There are as many exceptions to the above as there are common, bad and best practices. The above statements are partly simplified a small resume of what I learned in the last couple of years, and I still get stunned now and then on how "creative" or dumb some ISPs [still] are.
Please let me know if any of the above is plain dead wrong or essentially different under a certain environments (i.e. suexec): I'm always open to learn something new :-)

Have fun,

CirTap

Ok, this is frustrating. 

All I've got left is this register_globals thing

I talked with my host and they said just add "php_flag register_globals off" to the .htaccess  as several other posters have mentioned.  So I did that and yes I saved it as ascii.  I got a 500 error and lost all access to the website.  Take it out, everything was fine.  Put it back in same error. 

Ok, so I try the php.ini approach.  After mucking with the originals to no succes I find the modified copy program and it seems to work like a charm putting it everywhere.  I look at the php.ini file and see that
line  38 says "register_globals = On"
then at the end on lines 208-211
208 ; USER MODIFIED PARAMETERS FOLLOW
209 
210 register_globals = Off
211 session.use_trans_sid = 0 212

Now, no matter how I change this file (modifying line 38, deleting line 208-211, leaving as is) nothing seems to change the setting.

From what I read in the last comment by CirTap it seems that the only way to effect a change is to do it through the .htaccess or through the master php.ini    Well, I can't get my hoster to change the master php.ini and the .htacess  All in all this is a very good hoster, fast, effective, knowledgeable and cooperative.   

I still have the red bar of dange as I am now starting to call in in my Joomla admin screens.    Any suggestions what my next step should be?

As I said above, this gives me a 500 error on 1&1 server when added to .htaccess.  Several of you seem to have gotten it work. Any suggestions? Any clues? Any way to get more specific info why?



By the way 1&1 technical support seems wholely worthless on this point all they did was email a link to the php faq which I had already read. Giving up drinking to save for a more personal hosting option. :> Hold it I didn't drink in the first place. Only this upgrade has driven me to consider it.

Thanks
W

Hi,

if your provider runs Apache 2 this should be a number
  php_flag register_globals 0
(no sure, but AFAIK using numbers instead of strings (yes/on, no/off) works with either version, give it a try)

It's always a matter of your very specific and usually UNIQUE server environment I know of ISPs that do have PHP module on some server and CGIs on others, and a mix of PHP versions, too, depending on their update/upgrade policy/ability.
What you may do with PHP4 must not work for PHP5. S+P the "business brand" of 1und1, allows the "php.ini" trick for PHP4-CGIs but not with PHP5!
Also don't trust any handy looking "PHP Info page" available in your web-space control panel, it may run on a totally different (mirror) server, "accidently" use a different .ini file and bingo: different config! (I ran into that once; provider: Artifiles)

To find the real configuration of PHP for "your web site" always use your very own copy of a phpinfo-file and check live at the location your php apps are running. Securitywise: just in case... don't use a name such as "phpinfo.php" but a more fancy one, put it into an equally unusually named subfolder and not your document/joomla root, and once done with it, drop that stuff as it may reveal sensitive information.

To easy debugging, temporarily rename any php.ini or .htaccess in the path to the following test scripts incl. parent directories you have access to.
- If J! runs in the webroot, disable SEF prior renaming the htaccess file, or even take it offline (if you dare ).
- If J! runs in a subfolder ( http://www.foobar.com/joomla/ ) do your tests in an adjacent folder, you may then leave J! as is.
You may equally use a "clean" subdomain running on the same server (recommended) to sniff out all the settings.

- create a new folder for this TEST, use whatever name you want
- again: make sure there's no php.ini or .htaccess in that path that may affect the results, esp. any of the "AddType" stuff
- use the attached file and upload as whatever.php and whatever.php5 to that folder
- locate each file in your browser and have a look
- What's the result of "SAPI name" ?
- What are the values of "PHP Version" and "Configuration File" in the table below?
- Proceed to the "Configuration PHP Core" section, search for the "register_globals" entry: we want local (left column) to be "off".

The value of "Server API" in from phpinfo() can be more human friendly, hence the call of php_sapi_name() at the beginning and the function test.
Make a note of these values

I can't recall the "SAPI name" on Apache 1.3x, since I have no access to such an environment anymore. In module-mode there'll be an additional phpinfo() section called "Apache Environment", the entry SERVER_SOFTWARE should give the same result as apache_get_version() - Apache version and built. This whole section is missing in CGI mode!

If PHP runs as Apache module .htacces should do the job
- now create a simple .htaccess with only one directive:
      php_flag register_globals 1
- upload into the same dir as your phpinfo-files
- launch/reload each script (*.php, *.php5)
If you get a 500, despite PHP reports to be a module, the "php_value" command/directive appears to be either unknown to Apache or its usage is prohibited (that'd be weired though).
In case you have access to the error log, have a look inside. The last few lines should tell you what's fishy. Drop/rename that interim .htaccess to regain access. Some mass hosters disable error logs, so you may be out of luck here.

Accept the current situation. If your provider told you to use "php_value" tell him that appears to be no-go, and provide the error messages from the error log if possible. Be specific about your tests, tell him where he can find your files to take a look.
Ask him if this or that is possible on that web-space, php version, etc. Remember that ISPs may have different setups on different servers. Ask if you may move to another (newer) server that offers this ability. Stay polite and patient

If PHP "SAPI name" tells anything like CGI, create ONE php.ini and add

  [php]
  register_globals = off

NO QUOTES!
- Upload the file into the directory of your phpinfo-file and reload
- Did PHP read that file? The path in "Configuration File" should have changed.
- Did the (local) register_globals value change, too?
If nothing "happend" rename the ini file adding the value of "SAPI name" as mentioned earlier, i.e. "php-cgi.ini" and try again.

Check with BOTH phpinfo-files xx.php and yy.php5 -- there might be different results.
The PHP manual mentions that PHP5 will also look for "php5.ini" rather than "php.ini" -- try this name and the various SAPI name combination.

Should none of this work, you might be out of luck with that ISP. Rethink the money-saving option

Have fun & good luck,

CirTap

(edit: fixed typos)

.. not only "on this point". the are somewhat cheap but (tech) support suxx in general (web, DSL, you name it) They just keep you hanging in the phone line letting you pay a lot to get nothing. The technology itself isn't bad though, but consider the money you [already] spent on their "service numbers", you could have a better hoster AND a few drinks for that
I'm using 1&1 DSL and I'm fine with this, and we have one root-server that happens to work (our way), but the "low-budget" stuff they offer doesn't pay off on the long run.
if you happen to call them more than once, move to their business brand S+P (Schlund).They cost more than 1&1 but provide excellent support, pretty skilled, and offer a toll-free number (0800 xx). If they can't solve it with you on the phone they either pass you over to someone who does know or get back to you and offer a solution.
Check user recommendation in the (german) forums to have less hassle with your websites, join with a bunch of friends/colleagues and get a "root server" and share the costs. almost any provider will do fine in this "class".

Have fun,
CirTap

Guys
Thanks for all the input. This upgrade has been at best difficult. Last night I finally determined I was changing to php5. I renamed my exsisting joomla directory and started with a clean install of 1.0.11. I created .htaccess with one line AddType x-mapp-php5 .php. Checked phpinfo and I was off and running PHP 5.1.6 (defaults to globals off).

The clean install of joomla ran fine. I began adding back components and moving graphics.

I deleted VOTD which was causing the 500 error under php5

I loaded ijoomla's magazine 2.0 beta - very nice if a little over copyprotected. Gradually I added back the stuff that worked and ditched the rest.

I now need to add the bad spider and hot link code back to htaccess.

Progress by baby steps with several falls
W

I wouldn't discount what you're doing.  It's great progress!

You're configuring and upgrading a complex, highly interactive, multi-layered, multi-protocol, database-driven, client-server, user authenticated, world-accessible application that enables almost anyone to click on virtual buttons and get what they are looking for.

There ain't no such thing as baby steps here, only carefully thought through steps. You can even remember and document what you did! That's light years ahead of the crowd!

To clarify... if I use the php.ini in the root directory, I'll still need to put it into each individual directory (subdirectory)? Joomla has dozens of directories! 

ok guys- I am COMPLETELY lost on all this, and I'm posting for all the newbies who are in the same boat.  My host told me the only way to turn register_globals off is to do the php.ini file in the ROOT directory- they didn't mention all the subdirectories.

Can someone write a php.ini for Dummies post here and give us a step by step how-to?  ie- 1) FTP into your site  2) upload this file... etc etc

I think that would be EXTREMELY helpful!  Im seeing weird scripts, copy, delete, CGI-bins, etc directories. I'm just lost.  As important as this topic is, I think it should be a step by step how-to and put into FAQs or made sticky.  ANyone up for the challenge?  All us newbies would CERTAINLY appreciate it!!!
Thanks

writing one right now
will edit this topic after I finish

edit: done
http://forum.joomla.org/index.php/topic,93191
Hopefully its more clear but at least it combines the key points in this topic.

Hi, for the "register globals = off"..... is there something I can do if my hosting service doesn't allow local php.ini and it has register globals to on?
Here are the other changes I made:

•   .htaccess with php_flag register_globals off --> gives me a 500 page error
• set define( 'RG_EMULATION', 0 ); on the globals.php

Is there any other option??
Thanks!

If you can't edit/create a custom php.ini file and turning register_globals off in .htaccess gives you an error, you might want to switch hosts....

Hello, I tried to add :

allow_url_fopen = OFF;
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open;

but the error log said : Parse error:  syntax error, unexpected '=' in $HOME/php.ini on line 28


where line 28 is the code of allow_url_fopen. Why the = is unexpected, did I put the syntax the right way?

Igeoffi-
Hey bud- this is awesome. However, my host says that I can place a php.ini file in my root directory and it will override (so they say).  However- I don't know what to put in a php.ini file!  Can you possibly post the entire file for me so I can just copy, paste in a new file, and FTP it on up?
Thanks

It wouldn't be wise to just copy any php.ini file from one ISP to another. Each ISP and server has specific settings. Much better to read the documentation in these forums and at http://www.php.net,  and learn how to adjust php.ini files yourself. It's really not hard. Might take you 20 minutes to learn.

Also, take a good look at the directions that come with the B &T scripts. You'll find a very easy technique for copying your ISP's main php.ini file. It's very important that you start with that. it also serves as a handy model for how to add more settings as you advance.

And, of course, since you test such changes on your devleopment server, you can try different php.ini settings, observe the results, and learn from them.

If you don't have a development server AND don't understand php.ini settings AND would like to keep your public site working, don't mess with php.ini settings!

Please folks, this is ridiculous! It's fun to read all those magic "working" solutions and how often they fail
You're dealing with an extemly complex environment and almost each hoster is an expection.

Please read at least the page "Runtime Configuration" from the PHP manual and stop copying php.ini's all over the place:
http://php.net/manual/configuration.php This document lists 10 different locations where, when and in what order "php.ini" will be sought and loaded, the possible file names, dependancies on whether its CGI/CLI/module incl. differences of the operating systems.

Phrase your problem, request and questions clearly when you talk to your hoster and tell him what you PLAN TO DO and why!
Don't just ask "where to put the php.ini": the answer might be wrong for your host and Joomla setups but correct for others.
Tell him you're using Joomla (CMS) and whether it's installed in the web-root or in a subfolder. Tell him you want to secure your site a bit more by disabling register_globals. Ask for the Apache + PHP versions and its interface in use (cgi, module) for your web-space, and whether there are differences in how to change this or that and if it's possible/allowed to do at all.

Unless you're not fully aware of the exact server environment and versions any "best practice" may totally fail. Grasp the differences of the PHP CGI and module, what the "ROOT" of your server is, where PHP's working directory is etc. you're nothing but wasting your time trying to "fix" any of Apache's or PHP's configuration directives.
Search the PHP manual for the correct syntax of the settings, and check the available user comments. It's all explained! Some values MUST be numbers, some string, and some MUST be "quoted"...
http://php.net/manual/ini.php


I fully second that, rliskey, but I think no one will notice and follow your advice ...

Good luck,
CirTap

No, what's ridiculous is that Joomla is so insecure that it needs register globals off.

Pactum,

Joomla is not insecure.
Joomla does not require register_globals to be OFF...

There are some third party components (which are NOT under the control of anyone on the official joomla team) that have some vulnerabilities.

However, once again (and this apparently can not be said enough, since people keep thinking this is somehow joomla's fault)...
once again...  JOOMLA IS SECURE!