DISCUSSION: How to change register globals to OFF

Websmurf
Joomla! Hero
Posts: 2230
Joined: Fri Aug 19, 2005 2:23 pm
Location: The Netherlands

Post by Websmurf » Tue Aug 23, 2005 9:08 am

EDIT: This is the discussion topic for this FAQ.

Please keep in mind that not every hosting provider allows you to change this in a .htaccess file.
Last edited by Geoff on Sun Oct 29, 2006 7:07 am, edited 1 time in total.
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl

newbiepp
Joomla! Intern
Posts: 55
Joined: Sun Sep 18, 2005 8:36 am

FAQ: How to change register globals to OFF

Post by newbiepp » Mon Sep 19, 2005 8:20 am

Another solution, if using the 'vhosts' option with Apache:
This is a solution for those hosting their own site and using Apache/PHP and a package (EasyPHP, WAMP, etc.).
With that, you specify the PHP parameter for only one vhost, and so for only one site if each site has its own vhost.

It is possible to include a PHP parameter inside the vhost directives, like:
  php_admin_flag register_globals off

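Example:

# Container tags restored; the "*" address and the Directory path
# (same as DocumentRoot) are assumed.
<VirtualHost *>
ServerName testappli.org
ServerAlias *.testappli
DocumentRoot /var/www/vhostest
<Directory /var/www/vhostest>
  Options FollowSymLinks MultiViews
  AllowOverride All
  Options +Indexes
  php_admin_flag register_globals off
  Order allow,deny
  Allow from all
</Directory>
</VirtualHost>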

Last edited by newbiepp on Mon Sep 19, 2005 8:24 am, edited 1 time in total.

xec
Joomla! Enthusiast
Posts: 238
Joined: Fri Aug 19, 2005 3:04 am

FAQ: How to change register globals to OFF

Post by xec » Wed Sep 21, 2005 10:30 am

What does register globals do?  ???

MystaMax
Joomla! Explorer
Posts: 333
Joined: Thu Aug 18, 2005 4:55 am
Location: Atlanta, GA USA

FAQ: How to change register globals to OFF

Post by MystaMax » Thu Sep 22, 2005 5:09 am

Here is an article that pretty much sums up register globals. You gotta have a little understanding of PHP.

http://en.wikibooks.org/wiki/Programmin ... er_Globals

guilliam
Joomla! Virtuoso
Posts: 4181
Joined: Thu Aug 18, 2005 10:27 am
Location: Sunny City Cebu, Philippines!

FAQ: How to change register globals to OFF

Post by guilliam » Fri Sep 23, 2005 11:23 am


##
# @version $Id: htaccess.txt 47 2005-09-15 02:55:27Z rhuk $
# @package Joomla
# @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##

#
#  mod_rewrite in use
#

RewriteEngine On

#  Uncomment following line if your webserver's URL 
#  is not directly related to physical file paths.
#  Update YourJoomlaDirectory (just / for root)

# RewriteBase /YourJoomlaDirectory

#
#  Rules
#

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php

php_flag register_globals off
^^the joomla version..  ;)
"I was one of those who wondered why people would pay so much $$$$ to do something that was so much fun!" -R. Harkrider, Fortran Code Engr.

http://www.joomlaconsultancy.net

Lingo
Joomla! Apprentice
Posts: 33
Joined: Tue Sep 27, 2005 1:31 am
Location: Canada

FAQ: How to change register globals to OFF

Post by Lingo » Tue Oct 25, 2005 5:47 pm

My htaccess has an extra line on bottom which is the next line here.
I have added the register globals off but my information says that they are still on. Where may the problem lie?

RewriteCond %{REQUEST_FILENAME} !\.(jpg|jpeg|gif|png|css|js|pl|txt)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php


php_flag register_globals off


Lingo

charlwillia6
Joomla! Guru
Posts: 687
Joined: Tue Aug 23, 2005 9:45 am
Location: La Grande, Oregon

FAQ: How to change register globals to OFF

Post by charlwillia6 » Mon Nov 14, 2005 1:27 am

Ok, so the registered globals should be off.  But what happens if they are off and Joomla keeps saying they are on? 

I verified they were off by using a phpinfo file, and the settings in Joomla and the phpinfo tab in Joomla still say they are on.

First, is this a Joomla bug?  And does this matter?
From the beginning...

rsphaeroides
Joomla! Ace
Posts: 1369
Joined: Sun Aug 21, 2005 2:57 pm
Location: Colorado, USA

FAQ: How to change register globals to OFF

Post by rsphaeroides » Fri Dec 02, 2005 6:20 pm

How do multiple .htaccess files interact?  I have my site installed in a directory below root /travel/mamboinstallation, and there are .htaccess files in / and in /travel.  I've added the "php_flag register_globals off" to /travel/.htaccess.  Is this sufficient and safe?

Thanks
¡Pura Vida!
Ray,
joomla in testing at Costa Rica Travel: http://costaricamap.net
http://costa-rica-guide.com
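
Added example, not part of the thread or of Joomla: a Python sketch of how nested .htaccess files combine for the layout asked about above. Apache applies each file from the document root downward and a deeper file overrides a shallower one. The script only reads files, so it shows what is configured, not whether the host honours php_flag (PHP must run as an Apache module and AllowOverride must permit it); the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# php_flag as written in the thread; mod_php treats only "on" or "1" as enabled.
PHP_FLAG = re.compile(r"^\s*php_flag\s+register_globals\s+(\S+)", re.IGNORECASE)


def read_setting(htaccess_path):
    """Return 'on' or 'off' from the last php_flag line in one file, else None."""
    result = None
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:  # commented-out lines start with '#', so the regex skips them
            match = PHP_FLAG.match(line)
            if match:
                result = "on" if match.group(1).lower() in ("on", "1") else "off"
    return result


def effective_setting(docroot, target_dir):
    """Apply .htaccess files from docroot down to target_dir; deeper ones win."""
    docroot, target_dir = os.path.abspath(docroot), os.path.abspath(target_dir)
    rel = os.path.relpath(target_dir, docroot)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("target_dir is not inside docroot")
    value, source, current = None, None, docroot
    for part in [""] + ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part) if part else current
        candidate = os.path.join(current, ".htaccess")
        found = read_setting(candidate) if os.path.isfile(candidate) else None
        if found is not None:
            value, source = found, os.path.relpath(candidate, docroot)
    return value, source  # (None, None): no .htaccess sets it, server default applies


def build_sample(root):
    """Constructed layout: .htaccess in / and /travel, Joomla two levels down."""
    site = os.path.join(root, "travel", "mamboinstallation")
    os.makedirs(site)
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n# php_flag register_globals off\n")
    with open(os.path.join(root, "travel", ".htaccess"), "w") as fh:
        fh.write("php_flag register_globals off\n")
    return site


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(effective_setting(root, build_sample(root)))
```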

daskog
Joomla! Apprentice
Posts: 16
Joined: Sun Sep 18, 2005 2:51 am
Location: Norway

FAQ: How to change register globals to OFF

Post by daskog » Sun Apr 16, 2006 11:48 am

Thanks..

puthupa
Joomla! Apprentice
Posts: 41
Joined: Fri Aug 11, 2006 3:42 pm
Location: ny, ny

FAQ: How to change register globals to OFF

Post by puthupa » Mon Aug 14, 2006 11:00 pm

thanks for the info.  i've added the line to end of the .htaccess file, but the pre-install check still shows Register Globals as ON.  is this normal?  i'm going to go ahead with the install since i want to get started learning about Joomla, but how will this affect a live site?  i read the wiki link and due to my lack of php knowledge, i didn't get very much out of it.

fugazer
Joomla! Enthusiast
Posts: 209
Joined: Sun Mar 12, 2006 5:34 am

FAQ: How to change register globals to OFF

Post by fugazer » Mon Sep 25, 2006 9:48 pm

having the same problem.. i changed register_globals = Off with my htaccess.txt


keep in mind I'm running JSAS, does this have anything to do with the warning I'm still receiving under version 1.0.11??
Yes! I always have coffee when I watch radar. You know that.

mcsmom
Joomla! Exemplar
Posts: 7897
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York

FAQ: How to change register globals to OFF

Post by mcsmom » Tue Sep 26, 2006 10:50 am

What is the exact warning message? Is it global registers or global registers emulation?
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

FAQ: How to change register globals to OFF

Post by brad » Tue Sep 26, 2006 11:54 am

Can I just add, turning off register globals in this way is near useless... it only means YOUR site won't be the source of a server exploit, however you can/will still be exploited via another site on the server.

If a host does not set register globals to off by default they are showing they don't really care about security. Since php 4.2.x register globals is off by default.

harryonline_at
Joomla! Intern
Posts: 63
Joined: Thu Mar 30, 2006 4:17 pm

FAQ: How to change register globals to OFF

Post by harryonline_at » Thu Oct 19, 2006 1:31 pm

Just let me add the following:

Since about 2003, the Register_Globals problem is officially known by everybody who has some little skills in PHP.
I still wonder why there are providers offering shared servers with activated register_globals.

Even on my local machine for testing and development, I have turned off register_globals.

For God's sake, it can't be that difficult to turn that off! When leaving home, you also lock your door and do not put the key under your doormat or into the flower pot beside your door, don't you?

Harald

MrEdz
Joomla! Apprentice
Posts: 31
Joined: Sat Dec 23, 2006 12:03 am

Re: DISCUSSION: How to change register globals to OFF

Post by MrEdz » Sat Dec 23, 2006 5:20 am

I'm a newbie and just a few days ago I set up my Joomla site and registered a domain.  Since I installed Joomla from the Fantastico program from my webhost I'm wondering where exactly is this php global file? I have a site I'm almost done doing all the cosmetic work but I can't "officially" launch it till I solve this security issue.  Please help

sludge
Joomla! Apprentice
Posts: 6
Joined: Tue Nov 07, 2006 12:43 am

Re: DISCUSSION: How to change register globals to OFF

Post by sludge » Sun Mar 25, 2007 5:10 pm

I am in the grey area between "newbie" and "lurker", but here's my first post.

I've just gone through a strange experience with register globals and thought I might post here in case someone else encounters the same problem. 

I created a Joomla installation at root of an add-on domain ("Site B").  I also had a pre-existing Joomla installation which I had manually upgraded* ("Site A").  Obviously these are for different websites.

I had long ago been successful in turning off register globals from Site A.

After installing Site B, I checked everything for the correct settings.  To refresh ourselves, the key files are:
globals.php
php.ini
.htaccess

My new settings for Site B appeared to duplicate those of Site A, and I also checked the FAQ and this thread.  Still, my Site B admin panel presented the red warning message (kudos to the person who scripted the security warning). 

Finally, my host advised to copy php.ini from Joomla root /www/Site B/ into the /www/Site B/administrator/ folder.  It worked.

Curiously, I do have a php.ini file sitting in /www/Site A/administrator/ which is an empty file. 

Can anyone tell me why one installation needed it and the other didn't?  Both are Joomla 1.0.12

Host Versions as follows:
Apache version 1.3.37 (Unix)
MySQL version 4.1.21-standard
PHP version 5.0.5

Thanks if you can explain this!

* I do not recommend using your host interface (cpanel/add-on scripts/fantastico etc.) to do the push button upgrade for Joomla.  Joomla's instructions for upgrading manually are clear and the process is pretty quick once you get into it - it will ultimately save you time and headaches.
Last edited by sludge on Sun Mar 25, 2007 5:12 pm, edited 1 time in total.

vallesano
Joomla! Apprentice
Posts: 5
Joined: Sun Aug 06, 2006 5:57 pm

Re: DISCUSSION: How to change register globals to OFF

Post by vallesano » Fri Sep 14, 2007 4:11 pm

Thanks to sludge!
I was having trouble getting register globals turned off - as many posting on these pages have experienced.  In fact, the solution provided in the thread pointed to by the error message itself, http://forum.joomla.org/index.php?topic=1030.msg92433, was causing the server to error out.  So... after reading this thread, especially sludge's post, I tried copying my php.ini file into my joomla! admin directory.  That still didn't work so, I followed a hunch, or you could call it a brute force (emphasis on the 'brute' part) or trial-and-error technique, I copied my php.ini file to my web documents root dir (in my case /public_html/)  and voila!  No more error message.

Some background...
  • 1) I have several installations of Joomla! in subdirectories below /publichtml/, the install for which I was trying to turn off register globals was one of these.
  • 2) After successfully turning off register globals upon installation of 1.0.12, the error message appeared again after upgrading to 1.0.13 by extracting the contents of the upgrade file in the Joomla! root dir.  This behavior was exhibited by every 1.0.12 install upon upgrading to 1.0.13 by the same method.
Some brute force/trial-and-error speculation...
I wonder if it takes a while for the change in php.ini to 'propagate' through the system (pardon my massive technical ignorance) or if the register globals = on condition is 'cached' somewhere (in my browser? seems doubtful), or some other similar phenomenon.  I mention this because having successfully turned register globals off, when I began to write this post and wanted to quote the thread pointed to by the error message in the back end of Joomla!, http://forum.joomla.org/index.php?topic=1030.msg92433, even removing both the instances of php.ini (one in the Joomla! root and the other in the web docs root) I could not recreate the error!!!

Edited to add URL's
Last edited by vallesano on Sat Sep 15, 2007 3:49 pm, edited 1 time in total.
What you are now reading, I am now writing.
                            -Douglas Hofstadter
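
Added example, not from the thread's authors: the posts by sludge and vallesano above turn on which directory a php.ini sits in. Assuming a host where PHP reads php.ini from the directory of the requested script, as the advice sludge received implies, this Python script lists every directory that holds .php files and reports whether its own php.ini is missing, present without the directive, or sets register_globals on or off; the sample tree and function names are constructed.

```python
import os
import re
import tempfile

# "register_globals = Off" as it appears in php.ini; lines starting with ';' are comments.
SETTING = re.compile(r'^\s*register_globals\s*=\s*"?([^;\s"]*)', re.IGNORECASE)
TRUE_WORDS = {"1", "on", "yes", "true"}


def classify_php_ini(path):
    """Return 'missing', 'unset', 'on' or 'off' for one php.ini path."""
    if not os.path.isfile(path):
        return "missing"
    state = "unset"  # file exists (possibly empty) but never sets the directive
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = SETTING.match(line)
            if match:  # the last assignment in the file wins
                state = "on" if match.group(1).lower() in TRUE_WORDS else "off"
    return state


def audit(docroot):
    """Map each directory that holds .php files to the state of its own php.ini."""
    report = {}
    for current, _dirs, files in os.walk(docroot):
        if any(name.lower().endswith(".php") for name in files):
            rel = os.path.relpath(current, docroot)
            report[rel] = classify_php_ini(os.path.join(current, "php.ini"))
    return report


def build_sample_sites(root):
    """Constructed tree: two sites whose administrator folders differ."""
    layout = {
        "site_b/index.php": "<?php\n",
        "site_b/php.ini": "; constructed sample\nregister_globals = Off\n",
        "site_b/administrator/index.php": "<?php\n",
        "site_a/administrator/index.php": "<?php\n",
        "site_a/administrator/php.ini": "",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_sites(root)
        for directory, state in sorted(audit(root).items()):
            print(f"{directory}: {state}")
```

Confirm the effective value with a phpinfo page served from the same directory, as charlwillia6 did earlier in the thread.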

