DISCUSSION: How to change register globals to OFF
- Websmurf
- Joomla! Hero
- Posts: 2230
- Joined: Fri Aug 19, 2005 2:23 pm
- Location: The Netherlands
- Contact:
DISCUSSION: How to change register globals to OFF
EDIT: This is the discussion topic for this FAQ.
Please keep in mind that not every hosting provider allows you to change this in a .htaccess file
Last edited by Geoff on Sun Oct 29, 2006 7:07 am, edited 1 time in total.
Adam van Dongen - Developer
- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl
- newbiepp
- Joomla! Intern
- Posts: 55
- Joined: Sun Sep 18, 2005 8:36 am
FAQ: How to change register globals to OFF
Other solution if using the 'vhosts' option with Apache
This is a solution for those hosting their site and using Apache/PHP and a package (EasyPhp, Wamp, etc.).
With that, you specify the PHP parameter only for one vhost, only for one site if separated vhost/site.
It is possible to include a PHP parameter inside vhost directives, like:
php_admin_flag register_globals off
Example:
# Assumed: the <VirtualHost> address (*:80) and a single <Directory>
# container whose path is the DocumentRoot.
<VirtualHost *:80>
ServerName testappli.org
ServerAlias *.testappli
DocumentRoot /var/www/vhostest
<Directory /var/www/vhostest>
Options FollowSymLinks MultiViews
AllowOverride All
Options +Indexes
# php_admin_flag cannot be overridden from .htaccess or ini_set()
php_admin_flag register_globals off
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Last edited by newbiepp on Mon Sep 19, 2005 8:24 am, edited 1 time in total.
-
- Joomla! Enthusiast
- Posts: 238
- Joined: Fri Aug 19, 2005 3:04 am
FAQ: How to change register globals to OFF
What does register globals do?
- MystaMax
- Joomla! Explorer
- Posts: 333
- Joined: Thu Aug 18, 2005 4:55 am
- Location: Atlanta, GA USA
- Contact:
FAQ: How to change register globals to OFF
here is an article that pretty much sums register globals. You gotta have a little understanding of PHP.
http://en.wikibooks.org/wiki/Programmin ... er_Globals
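To make the question above concrete, here is a short illustration of the behaviour the setting controls. It is an added example, not part of the original posts or of Joomla!; the function names and the sample request are constructed, and extract() stands in for what the engine does implicitly when register_globals is On.

```php
<?php
// Added illustration; function names and the sample request are constructed.

// Emulates register_globals = On: before the script's own code runs, every
// request parameter is created as a variable of the same name.
function page_with_register_globals($request, $validLogin)
{
    extract($request); // done implicitly by the engine when the setting is On

    if ($validLogin) {
        $authorized = true;
    }
    // Flaw: $authorized is never initialised, so when the login fails its
    // value comes from whatever the request supplied.
    return !empty($authorized) ? 'admin page' : 'access denied';
}

// Same page under the same setting, but the variable is initialised before
// use, which overwrites anything the request created.
function page_hardened($request, $validLogin)
{
    extract($request);

    $authorized = false;
    if ($validLogin) {
        $authorized = true;
    }
    return $authorized ? 'admin page' : 'access denied';
}

// Constructed request with a failed login: index.php?authorized=1
$request = array('authorized' => '1');

echo 'uninitialised variable: ', page_with_register_globals($request, false), "\n";
echo 'initialised variable:   ', page_hardened($request, false), "\n";
```

Turning the setting Off removes the implicit step for every script on the site, including third-party extensions that were not written with the initialisation habit.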
- guilliam
- Joomla! Virtuoso
- Posts: 4181
- Joined: Thu Aug 18, 2005 10:27 am
- Location: Sunny City Cebu, Philippines!
- Contact:
FAQ: How to change register globals to OFF
Code: Select all
##
# @version $Id: htaccess.txt 47 2005-09-15 02:55:27Z rhuk $
# @package Joomla
# @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##
#
# mod_rewrite in use
#
RewriteEngine On
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update YourJoomlaDirectory (just / for root)
# RewriteBase /YourJoomlaDirectory
#
# Rules
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php
php_flag register_globals off
"I was one of those who wondered why people would pay so much $$$$ to do something that was so much fun!" -R. Harkrider, Fortran Code Engr.
http://www.joomlaconsultancy.net
-
- Joomla! Apprentice
- Posts: 33
- Joined: Tue Sep 27, 2005 1:31 am
- Location: Canada
FAQ: How to change register globals to OFF
My htaccess has an extra line on bottom which is the next line here.
I have added the register globals off but my information says that they are still on. Where may the problem lie?
RewriteCond %{REQUEST_FILENAME} !\.(jpg|jpeg|gif|png|css|js|pl|txt)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php
php_flag register_globals off
Lingo
- charlwillia6
- Joomla! Guru
- Posts: 687
- Joined: Tue Aug 23, 2005 9:45 am
- Location: La Grande, Oregon
- Contact:
FAQ: How to change register globals to OFF
Ok, so the registered globals should be off. But what happens if they are off and Joomla keeps saying they are on?
I verified they were off by using a phpinfo file, and the settings in Joomla and the phpinfo tab in Joomla still says they are on.
First, is this a Joomla bug? And does this matter?
From the beginning...
- rsphaeroides
- Joomla! Ace
- Posts: 1369
- Joined: Sun Aug 21, 2005 2:57 pm
- Location: Colorado, USA
- Contact:
FAQ: How to change register globals to OFF
How do multiple .htaccess files interact? I have my site installed in a directory below root /travel/mamboinstallation, and there are .htaccess files in / and in /travel. I've added the "php_flag register_globals off" to /travel/.htaccess Is this sufficient and safe?
Thanks
¡Pura Vida!
Ray,
joomla in testing at Costa Rica Travel: http://costaricamap.net
http://costa-rica-guide.com
-
- Joomla! Apprentice
- Posts: 16
- Joined: Sun Sep 18, 2005 2:51 am
- Location: Norway
- puthupa
- Joomla! Apprentice
- Posts: 41
- Joined: Fri Aug 11, 2006 3:42 pm
- Location: ny, ny
FAQ: How to change register globals to OFF
Thanks for the info. I've added the line to the end of the .htaccess file, but the pre-install check still shows Register Globals as ON. Is this normal? I'm going to go ahead with the install since I want to get started learning about Joomla, but how will this affect a live site? I read the wiki link and due to my lack of PHP knowledge, I didn't get very much out of it.
- fugazer
- Joomla! Enthusiast
- Posts: 209
- Joined: Sun Mar 12, 2006 5:34 am
FAQ: How to change register globals to OFF
Having the same problem... I changed register_globals = Off with my htaccess.txt
Keep in mind I'm running JSAS, does this have anything to do with the warning I'm still receiving under version 1.0.11??
Yes! I always have coffee when I watch radar. You know that.
- mcsmom
- Joomla! Exemplar
- Posts: 7897
- Joined: Thu Aug 18, 2005 8:43 pm
- Location: New York
- Contact:
FAQ: How to change register globals to OFF
What is the exact warning message? Is it global registers or global registers emulation?
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.
- brad
- Joomla! Master
- Posts: 13272
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
FAQ: How to change register globals to OFF
Can I just add, turning off register globals in this way is near useless... it only means YOUR site won't be the source of a server exploit, however you can/will still be exploited via another site on the server.
If a host does not set register globals to off by default they are showing they don't really care about security. Since php 4.2.x register globals is off by default.
Brad Baker
https://xyzuluhosting.com
-
- Joomla! Intern
- Posts: 63
- Joined: Thu Mar 30, 2006 4:17 pm
FAQ: How to change register globals to OFF
Just let me add the following:
Since about 2003, the Register_Globals problem is officially known by everybody who has some little skills in PHP.
I still wonder why there are providers offering shared servers with activated register_globals.
Even on my local machine for testing and development, I have turned off register_globals.
For God's sake, it can't be that difficult to turn that off! When leaving home, you also lock your door and do not put the key under your doormat or into the flower pot beside your door, don't you?
Harald
-
- Joomla! Apprentice
- Posts: 31
- Joined: Sat Dec 23, 2006 12:03 am
Re: DISCUSSION: How to change register globals to OFF
I'm a newbie and just a few days ago I set up my Joomla site and registered a domain. Since I installed Joomla from the Fantastico program from my webhost I'm wondering where exactly is this PHP global file? I have a site I'm almost done doing all the cosmetic work on but I can't "officially" launch it till I solve this security issue. Please help
-
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Nov 07, 2006 12:43 am
Re: DISCUSSION: How to change register globals to OFF
I am in the grey area between "newbie" and "lurker", but here's my first post.
I've just gone through a strange experience with register globals and thought I might post here in case someone else encounters the same problem.
I created a Joomla installation at root of an add-on domain ("Site B"). I also had a pre-existing Joomla installation which I had manually upgraded* ("Site A"). Obviously these are for different websites.
I had long ago been successful in turning off register globals from Site A.
After installing Site B, I checked everything for the correct settings. To refresh ourselves, the key files are:
globals.php
php.ini
.htaccess
My new settings for Site B appeared to duplicate those of Site A, and I also checked the FAQ and this thread. Still, my Site B admin panel presented the red warning message (kudos to the person who scripted the security warning).
Finally, my host advised to copy php.ini from Joomla root /www/Site B/ into the /www/Site B/administrator/ folder. It worked.
Curiously, I do have a php.ini file sitting in /www/Site A/administrator/ which is an empty file.
Can anyone tell me why one installation needed it and the other didn't? Both are Joomla 1.0.12
Host Versions as follows:
Apache version 1.3.37 (Unix)
MySQL version 4.1.21-standard
PHP version 5.0.5
Thanks if you can explain this!
* I do not recommend using your host interface (cpanel/add-on scripts/fantastico etc.) to do the push button upgrade for Joomla. Joomla's instructions for upgrading manually are clear and the process is pretty quick once you get into it - it will ultimately save you time and headaches.
Last edited by sludge on Sun Mar 25, 2007 5:12 pm, edited 1 time in total.
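A small diagnostic for the situation described in the posts above, where the setting still reads ON after editing .htaccess or php.ini, or differs between the site root and administrator/. It is an added example, not part of the original posts or of Joomla!; the file name check_globals.php and the function names are hypothetical, and it assumes PHP 5.2.4 or later for php_ini_loaded_file().

```php
<?php
// check_globals.php (hypothetical name): added diagnostic, not Joomla! code.
// Place one copy next to index.php and one in administrator/, request each
// in the browser, compare the two reports, then delete both copies.

// Normalise the value PHP reports for a boolean directive.
function effective_flag($name)
{
    $raw = ini_get($name);
    if ($raw === false) {
        // register_globals no longer exists as of PHP 5.4
        return 'not available in this PHP version';
    }
    $on = array('1', 'on', 'yes', 'true');
    return in_array(strtolower((string) $raw), $on, true) ? 'ON' : 'OFF';
}

function report()
{
    $sapi = php_sapi_name();
    // Only the Apache module SAPIs (apache, apache2handler, ...) read
    // php_flag from .htaccess; CGI/FastCGI builds take settings from php.ini.
    $isModule = (strpos($sapi, 'apache') === 0);
    $ini = php_ini_loaded_file();

    return array(
        'script directory'   => dirname(__FILE__),
        'register_globals'   => effective_flag('register_globals'),
        'SAPI'               => $sapi,
        '.htaccess php_flag' => $isModule
            ? 'supported (needs AllowOverride Options or All)'
            : 'not supported by this SAPI, use php.ini',
        'loaded php.ini'     => ($ini !== false) ? $ini : '(none)',
    );
}

header('Content-Type: text/plain');
foreach (report() as $label => $value) {
    printf("%-20s %s\n", $label . ':', $value);
}
```

If the two copies report different php.ini paths, the host is running PHP as CGI and reading a php.ini per directory, which matches the need for a separate copy in administrator/.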
- vallesano
- Joomla! Apprentice
- Posts: 5
- Joined: Sun Aug 06, 2006 5:57 pm
Re: DISCUSSION: How to change register globals to OFF
Thanks to sludge!
I was having trouble getting register globals turned off - as many posting on these pages have experienced. In fact, the solution provided in the thread pointed to by the error message itself, http://forum.joomla.org/index.php?topic=1030.msg92433, was causing the server to error out. So... after reading this thread, especially sludge's post, I tried copying my php.ini file into my joomla! admin directory. That still didn't work so, I followed a hunch, or you could call it a brute force (emphasis on the 'brute' part) or trial-and-error technique, I copied my php.ini file to my web documents root dir (in my case /public_html/) and voila! No more error message.
Some background...
- 1) I have several installations of Joomla! in subdirectories below /publichtml/, the install for which I was trying to turn off register globals was one of these.
- 2) After successfully turning off register globals upon installation of 1.0.12, the error message appeared again after upgrading to 1.0.13 by extracting the contents of the upgrade file in the Joomla! root dir. This behavior was exhibited by every 1.0.12 install upon upgrading to 1.0.13 by the same method.
I wonder if it takes a while for the change in php.ini to 'propagate' through the system (pardon my massive technical ignorance) or if the register globals = on condition is 'cached' somewhere (in my browser? seems doubtful), or some other similar phenomenon. I mention this because having successfully turned register globals off, when I began to write this post and wanted to quote the thread pointed to by the error message in the back end of Joomla!, http://forum.joomla.org/index.php?topic=1030.msg92433, even removing both the instances of php.ini (one in the Joomla! root and the other in the web docs root) I could not recreate the error!!!
Edited to add URL's
Last edited by vallesano on Sat Sep 15, 2007 3:49 pm, edited 1 time in total.
What you are now reading, I am now writing.
-Douglas Hofstadter