Godaddy: Here's how to turn Register Globals Off

[aimforgrowth]

This is so simple, is crazy.

1) Create a file called php.ini
2) In this file, code only the following:
3) Save this file, and upload as is to your root directory, (and only the root directory)
4) To show that this has indeed taken effect, you can now log into the admin of your Joomla site and you won't see those pesky errors anymore.  For those who want hard core evidence . . . . ;-) read on.
5) Create a file and name it anything you want.  ( I named mine phpinfo.php ).
6) Enter teh following code into this file, save it, and upload it anywhere on your site or sub-site.  Here is the code:
7) Browse to that file on your site.
Do a search for "register_globals" and you'll note that it states that your register_globals are "OFF".

Unless I'm mistaken, I don't need to put this file in every php directory on my site.  I have Joomla installed in a sub-directory off of my root, /websites/sitename, and I no longer get the pesky register_globals error.  Again, I hav ethe php.ini file in the root directory.

Hope this helps all the Godaddy hosted people. 

[Kingspawn]

This is so simple, is crazy.

1) Create a file called php.ini
2) In this file, code only the following:
3) Save this file, and upload as is to your root directory, (and only the root directory)
4) To show that this has indeed taken effect, you can now log into the admin of your Joomla site and you won't see those pesky errors anymore.  For those who want hard core evidence . . . . ;-) read on.
5) Create a file and name it anything you want.  ( I named mine phpinfo.php ).
6) Enter teh following code into this file, save it, and upload it anywhere on your site or sub-site.  Here is the code:
7) Browse to that file on your site.
Do a search for "register_globals" and you'll note that it states that your register_globals are "OFF".

Unless I'm mistaken, I don't need to put this file in every php directory on my site.  I have Joomla installed in a sub-directory off of my root, /websites/sitename, and I no longer get the pesky register_globals error.  Again, I hav ethe php.ini file in the root directory.

Hope this helps all the Godaddy hosted people. 

Ak my site is in the root. tried this no goo oh no....  

[vadimstr]

I am with hostgator and I have to put it in a lot of folders.
One which switched message off was administrator folder.
I was suggested by server help desk to put it in every folder.

Regards
Vadim

[intrigue]

why dont you just add this line at teh top of your .htaccess file

php_flag register_globals off

[vadimstr]

This is first what I did and it didn't do a thing.
Than I tried php.ini and it did the trick.

Vadim

[kolxoz]

I've tried everything above, plus created file following this script, and copied it in every directory, tested it with different variables. But nothing, error message still there!
Cotacted Godaddy, they say they have nothing to do with created php.in on your own. The bad thing is that I need also to increase upload limit but it doesnt seem that server sees that php.ini file...

Any suggestions?
thank You

[kolxoz]

That was pain in butt, after deleting all my .htaccess files (support said, they interfere with my php.ini settings) I had to just upgrade my server settings to configuration 2 in godaddy admin panel!

[cloverprime]

This is so simple, is crazy.

1) Create a file called php.ini
2) In this file, code only the following:
3) Save this file, and upload as is to your root directory, (and only the root directory)

Works for me...in less than 1 min

[Sundog_AK]

Also note for GoDaddy. If you are using htaccess to force use of PHP 5 instead of PHP 4 (for example using this in your htaccess in the root)

#Run PHP 5 instead of 4
AddHandler x-httpd-php5 .php
AddHandler x-httpd-php .php4

Then your "php.ini" file in your root directory has to be called "php5.ini"

Also, on GoDaddy, you must take into account that if you ADD a htaccess file where there was none in a specific folder, it CAN take up to 1 or 2 hours before the cache is cleared and the settings are used.  This drove me batty initially in trying to figure out why things were not working.  Once you have a htaccess file and you just MODIFY it (i.e,. don't delete, move around, but just change text within), it will work relatively instantly. 

[e85master]

Worked instantly for me on my Godaddy hosted site.

[keithdvo]

None of this is working for me. Do I need to give the server time to refresh the cache (it seems not because those who reported success reported that it was instant)?

My php.ini is in the root, but so is my Joomla installation. Is that that the problem? kolxoz reported a similar setup and said he went into some security panel, but I wasn't able to figure out what he did, by changing to a 2?

Originally my php.ini had one line that read:

rg_globals = off

I've also tried the following lines:

"register_global = off"
"register_globals = off" (added an "s")
(per this thread)

If anyone has any suggestions, I'm all ears and I would even be willing to call (I have VoIP so no long distance for the US). I really really want to get this up. I hope someone has a suggestion or two that might work!

Thanks in advance,

Keith

[Sundog_AK]

I assume you are on a shared server setup and not a virtual server.  If you are on a Shared server, that comment about the Security panel is not applicable, you cannot change anything that impacts the php.ini from the Hosting Control Center on shared setups. 

If you are adding to your php.ini file, it should be:

register_globals = off

Note: "S" at end of Globals. 

Place php.ini in root folder.  Joomla location doesn't matter.  My comment on it taking time for the cache was only for htaccess files, not the php.ini file.  It should work instantly for any php entries.  Again, note that if your using php5 you MUST have the ini file called php5.ini or none of your changes will work.  If you are using php4 (default Godaddy setup), then it should be called php.ini

Make sure you are not checking phpinfo settings via the Godaddy Hosting Control Center panel since this just shows the DEFAULT Godaddy settings, not anything you change via php.ini on your website.  It actually states this, at the top of the screen but it is easy to miss. 

To verify what your exact settings are for your setup including any php.ini changes, make a small script and run from a browser (make sure to delete later..it is a security risk!!).  This is the same comment as noted by first poster (steps 5 and 6)

Open up a text file and place the following:



Then call it test.php and upload to your site.  Then point your browser to (or where you uploaded)  http://www.mywebsite/test.php 

This will give you a phpinfo dump of your setup. If you are not getting register globals set to off in the php configuration core listing on the phpinfo dump, then something is whacked out.  Double check your files names, etc. 

For others, you cannot add php modification settings to the htaccess file on Godaddy shared servers.  They are either ignored, or result in 500 server errors.  All php modifications must be via the php.ini file. 

[keithdvo]

Thank you for replying!

I made the change to my php.ini as you suggested. According to the dump, I'm using PHP 4.3.11. When I checked the dump, the Local and Master Values both show register_globals set to "ON." I've deleted test.php. Other than php.ini, I'm not sure what other file names I should be checking, but the file is named correctly.

Is there anything else I can do?

Keith

[Sundog_AK]

The only other thing would be to try and use php5 and see if it is something peculiar to your setup. 

Add this to your root htaccess file:
#Run PHP 5 instead of 4
AddHandler x-httpd-php5 .php
AddHandler x-httpd-php .php4

This will tell programs running php to run the php5 version (really the way to go anyway, unless you have compatibility issues).  Then make a text file called php5.ini and place in your root directory (you do not need to delete php.ini file already there).

Note that if you do not have an existing htaccess file in your root, all this can take awhile for the servers to add your custom htaccess to the cache. 

Add the above directive in my previous email.  Run phpinfo again and see if that changes the value (after hour or so). If phpinfo still shows php4 as the version, wait 12 hours and come back.  After that, if you getting php5 showing as the version, and globals is still on, then it will be a tech call to Godaddy to figure out why your settings are not being applied. 

[keithdvo]

Good morning, and thanks again for this advice!

I called GoDaddy again and convinced them to look and see that it was PHP on the server, and not an application problem: using the test.php on my site for them to run is what did it I think, so thanks for that! They are supposed to fix it within the next 24-48 hours and email me back. I would have thought they'd have just done it, but perhaps the server needs to be bounced? Oh well, that will hopefull take care of it.

I'm not even sure if I have access to PHP5, though I suspect I do? If they don't get it working, perhaps that will be the next step, though that makes me nervous about all the new ways I could screw up. I did see an htaccess.txt file earlier why troubleshooting, but I could not for the life of me figure out what parts to comment out before renaming it .htaccess (or whatever).

Question: if I "upgrade" to PHP5, will that cause problems with my running apps? In addition to Joomla!, I installed WordPress and phpBB3 in their own subdirectories (Joomla! is in the root). Now, I think the confusing text in the htaccess.txt was from Joomla!, so it's clear that it needs a little assist for PHP5. Granted, the others might need the same, but I assume PHP is more like an environment, so it's not like I'd have to reinstall the apps? Just perhaps tweak an .ini or something?

Keith

[Sundog_AK]

According to the "feature" cross-reference, all shared hosting plans on GoDaddy (e.g., Economy, Deluxe, Premium) all have the ability to have custom php.ini files along with use of either php5 of php4.  So, you should be able to use either.  Interestingly, with php5, GoDaddy has globals off by default, whereas on php4, it is not. 

https://www.godaddy.com/gdshop/hosting/ ... =9009#tabs

As for problems, I haven't had any with Joomla, Gallery 2 (Menalto), or SMF on my production site. I have messed with phpBB 3 a bit since SMF and Joomla got a "code divorce" over this whole licensing mess.  I haven't had any phpBB issues.  In many cases, you will likely have to go to php5 for the next gen versions of any of the major php scripts (Gallery 2 for one).  So, I don't really know if there is any reason why it would cause problems unless you had some ancient php scripts.  I am sure someone will chime in if I am incorrect since most of what I know was a crash course in the last 9 months. 

As for the htaccess file, you should learn the ins and outs, it really is a good tool to help with keeping your site secure.  I do not use SEF, so the default settings in the Joomla htaccess are what I am using along with some custom stuff I trial/ errored over time to get to work (e.g., keeping people from leeching graphics, preventing access to key directories, custom error pages)

You definitely want your site to at least have the htaccess items in the Joomla version below the this line:

Code: Select all

########## Begin - Rewrite rules to block out some common exploits 

 
You will need the RewriteEngine On declaration as well. 

The htaccess entries can do funny things, so you are best to add things slowly, try out, make sure things work.  Make sure to turn on the error log in Godaddy control plan to look for errors.  GoDaddy pretty much blocks any "php" modification settings in htaccess entries, so you have to be a bit careful when looking at other examples on the Joomla forum but the security forum is a good place to read through for examples of good settings. 

Example, in your htaccess file:

Code: Select all

# deny access to all .log and .comment files
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
Order allow,deny
Deny from all
Satisfy All
</Files>
# End deny access to .log and .comment files

That will block someone from reading your log and comment files.  Easy to add, and one less thing for someone to use to glean info to hack a site. 

Code: Select all

#No Directory Listing and Browsing
IndexIgnore */*
Options All -Indexes
# End deny directory listing

This set will prevent people from doing a directory listing on your site and cruising around where they shouldn't.

Htaccess settings can get complex depending on what you are trying to do but it is definitely worth getting the basics down (tons of web sites with examples/explanations better than I can give on what all of it means). 

[guysmiley]

As far as godaddy goes, my system shows global emulation OFF by default.  Am I missing something here?

[Sundog_AK]

On my setup, php4 had globals on by default whereas php5 was off by default (shared servers).