Web Hosting Vodahost    

CPanel - Control Panel All Cpanel questions and issues.

  #1  
Old 03-01-2008, 04:02 AM
Sergeant
 
Join Date: Dec 2007
Location: Auckland ,New Zealand
Posts: 32
Question Security

Hi,
I am very new to web dev.
Can someone advise how to set "PHP register_globals off", please?
Is it possible through cPanel or some other way?
Thx
  #2  
Old 03-01-2008, 09:28 AM
navaldesign's Avatar
General & Forum Moderator
 
Join Date: Oct 2005
Location: Italy
Posts: 8,834
Default Re: Security

You need to submit a support ticket
__________________
Navaldesign
Logger Lite: Low Cost, Customizable, multifeatured Login script
Instant Download Cart: a Powerful, Customized, in site, DB driven, e-products Cart
DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Login Systems and more....
Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!

  #3  
Old 03-02-2008, 04:37 AM
Sergeant
 
Join Date: Dec 2007
Location: Auckland ,New Zealand
Posts: 32
Default Re: Security

Hi,
I did that and they replied:

"We cannot do this as we use SU_PHP, you would need to upload a
php.ini file to your public_html folder in order to get around
this."
Please advise.
Thx
  #4  
Old 03-02-2008, 07:08 AM
navaldesign's Avatar
General & Forum Moderator
 
Join Date: Oct 2005
Location: Italy
Posts: 8,834
Default Re: Security

Ok, so let's go this way, as they have told you:

To set register_globals off you need to create a local php.ini file that will override the default values. However, creating a partial php.ini file might cause problems, so we will use another method: we will copy the default php.ini file, we will ONLY change the register_globals value to off, and WRITE the file into the folder you like.

To make things simpler, you should perform the operations that I will describe in the next part directly in the folder that you want to set register_globals off for.

1st code:

<!-- /* SCRIPT NAME: modify_php_ini.php */ -->
<?php
// Put all the php.ini parameters you want to change below. One per line.
// Follow the example format $parm[] = "parameter = value";
$parm = array();
$parm[] = "register_globals = Off";
// full unix path - location of the default php.ini file at your host
// you can determine the location of the default file using phpinfo()
$defaultPath = '/usr/local/lib/php.ini';
// full unix path - location where you want your custom php.ini file
//$customPath = "/path/php.ini";
$customPath = "php.ini";
// nothing should change below this line.
if (file_exists($defaultPath)) {
    // Start from a full copy of the server's default php.ini ...
    $contents = file_get_contents($defaultPath);
    // ... and append the overrides at the end of the copy.
    $contents .= "\n\n; MODIFIED THE FOLLOWING USER PARAMETERS:\n\n";
    foreach ($parm as $value) {
        $contents .= $value . " \n";
    }
    // file_put_contents() returns false on failure
    if (file_put_contents($customPath, $contents) !== false) {
        // 0600: only the account owner may read or write the custom php.ini
        if (chmod($customPath, 0600)) {
            $message = "<b>PHP.INI File modified and copied.</b>";
        } else {
            $message = "PROCESS ERROR - Failed to set permissions on php.ini.";
        }
    } else {
        $message = "PROCESS ERROR - Failed to write php.ini file.";
    }
} else {
    $message = "PROCESS ERROR - php.ini file not found.";
}
echo $message;
?>

Copy this code, paste it in Notepad, and save it as modify_php_ini.php . To achieve this you need to click on Save As, select File Type: All files, and save it as modify_php_ini.php

2nd code:

<?php
phpinfo();
?>

Copy it, paste it in Notepad, and Save As (after selecting File type: All files) phpinfo.php just as you did for the first code.

Upload both files in your folder (the one for which you wish to change the register_globals value).

Now, the second code is simply a php command that will display all your php settings. If you want to see for yourself, just type in your browser:

http://www.yourdomain.com/foldername/phpinfo.php

Of course, you need to replace foldername with the actual name of the folder where you have uploaded the files.

This will display all the info, and will allow you to verify that the loaded php.ini file path is actually /usr/local/lib/php.ini. If the displayed info is, for any reason, different, you need to modify this line:

$defaultPath = '/usr/local/lib/php.ini';

in the first code I provided.

Ok, once you have verified it, let's actually copy and modify the php.ini file into our folder. We have assumed that you have uploaded the files in the interested folder.

Type in your browser:

http://www.yourdomain.com/foldername/modify_php_ini.php

This will activate the script. It will read the default php.ini file, it will modify the register_globals value to off, and it will place this modified file inside your folder, thus achieving what you wanted. If the operation is successful, you will see this success message:

PHP.INI File modified and copied.

Good luck.
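A narrower check than a public phpinfo() page for the verification step described in the post above, as an added example that is not part of the original thread: it shows why the appended line wins inside the copied file and reports only the loaded php.ini path and the effective register_globals value. The file name check_register_globals.php and both function names are hypothetical; php_ini_loaded_file() needs PHP 5.2.4 or later.

```php
<?php
// Added example (not from the thread); the file name check_register_globals.php
// and both function names are hypothetical.

// Value a directive ends up with in php.ini-style text. Later assignments
// replace earlier ones, so the line the thread's script appends to the
// copied file is the one that counts. Simplified: ignores quoted ';'.
function effective_ini_value($iniText, $directive)
{
    $value = null;
    foreach (preg_split('/\R/', $iniText) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';' || $line[0] === '[') {
            continue; // blank line, comment or section header
        }
        $parts = explode('=', $line, 2);
        // Directive names in php.ini are case sensitive.
        if (count($parts) === 2 && trim($parts[0]) === $directive) {
            $value = trim(preg_replace('/;.*$/', '', $parts[1]));
        }
    }
    return $value;
}

// What PHP is actually using for scripts in THIS folder.
function register_globals_report()
{
    $loaded = php_ini_loaded_file();        // false if no php.ini was loaded
    $raw = ini_get('register_globals');     // false on PHP 5.4+, where it was removed
    if ($raw === false) {
        $state = 'directive not available in this PHP version';
    } else {
        $on = in_array(strtolower($raw), array('1', 'on', 'true', 'yes'), true);
        $state = $on ? 'On' : 'Off';
    }
    return array(
        'loaded php.ini'   => $loaded ? $loaded : '(none)',
        'register_globals' => $state,
    );
}

// Constructed sample: tail of a copied php.ini after modify_php_ini.php ran.
$sample = "register_globals = On\n\n; MODIFIED THE FOLLOWING USER PARAMETERS:\n\n"
        . "register_globals = Off \n";

header('Content-Type: text/plain');
echo 'sample file resolves to: ', effective_ini_value($sample, 'register_globals'), "\n";
foreach (register_globals_report() as $name => $value) {
    echo $name, ': ', $value, "\n";
}
```

Upload it to the folder being checked, the same way as phpinfo.php. Once the value is confirmed, delete it together with phpinfo.php and modify_php_ini.php, since anyone who knows the URL can request these scripts.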
  #5  
Old 03-12-2008, 10:13 AM
Sergeant
 
Join Date: Dec 2007
Location: Auckland ,New Zealand
Posts: 32
Question Re: Security

Thanks Naval.
Please confirm: to set register_globals off, do I need to paste the code as it is (as you wrote), or do I need to make some changes to it?
Thanks
  #6  
Old 03-12-2008, 10:21 AM
navaldesign's Avatar
General & Forum Moderator
 
Join Date: Oct 2005
Location: Italy
Posts: 8,834
Default Re: Security

Normally, you do not need to make any changes. The only case where a problem could arise would be if the path to your server php.ini file is not '/usr/local/lib/php.ini', but this is rather improbable. In any case, the script will report if it has created the local php.ini file or not.

If you first run the phpinfo.php then you will be able to see the correct path, and if different, modify the other script accordingly.
  #7  
Old 03-12-2008, 10:30 AM
Vasili's Avatar
Generalissimo
 
Join Date: Mar 2006
Posts: 8,620
Thumbs up Re: Security

You make it sound so easy, and as if I should have already known such stuff!
  #8  
Old 03-12-2008, 10:48 AM
navaldesign's Avatar
General & Forum Moderator
 
Join Date: Oct 2005
Location: Italy
Posts: 8,834
Default Re: Security

Hi Eric,

This is a method to override the default settings that usually is not known to simple users, but is known to whoever builds scripts and needs to perform specific tasks. For example, a client of mine needed to be able to upload files up to 40 Mb through a form. Normally, VH has this limit set to either 8 or (in some servers) to 20 Mb, so the same method is used to set the max upload file size to a larger number.

As you understand, I try to provide step by step instructions, because I don't expect the normal user to be familiar with this procedure. However, it actually IS easy when the correct instructions are provided.
  #9  
Old 03-12-2008, 10:53 AM
Vasili's Avatar
Generalissimo
 
Join Date: Mar 2006
Posts: 8,620
Wink Re: Security

I understand. Thank you!

(Good night!)
  #10  
Old 03-12-2008, 10:58 AM
navaldesign's Avatar
General & Forum Moderator
 
Join Date: Oct 2005
Location: Italy
Posts: 8,834
Default Re: Security

Good night, Eric :)
  #11  
Old 03-15-2008, 07:32 AM
Sergeant
 
Join Date: Dec 2007
Location: Auckland ,New Zealand
Posts: 32
Question Re: Security

Thanks Naval.
I have downloaded these two codes into my WEB ROOT (public_html).
What should I do now, please?
How can I change register_globals?
I am really dumb.
Thanks
  #12  
Old 03-15-2008, 07:55 AM
navaldesign's Avatar
General & Forum Moderator
 
Join Date: Oct 2005
Location: Italy
Posts: 8,834
Default Re: Security

Just type in your browser

http://www.yourdomain.com/modify_php_ini.php

where of course, you replace yourdomain.com with your actual domain name
  #13  
Old 03-15-2008, 08:18 AM
Sergeant
 
Join Date: Dec 2007
Location: Auckland ,New Zealand
Posts: 32
Question Re: Security

Hi Naval,
I am amazed by the quick reply.
Thx
Now when I enter the following with my domain name
http://www.yourdomain.com/foldername/modify_php_ini.php

it replied

PHP.INI File modified and copied.

but when I look at my cPanel it still says

PHP register_globals setting is `ON` instead of `OFF`
Please advise
THX
  #14  
Old 03-15-2008, 08:33 AM
navaldesign's Avatar
General & Forum Moderator
 
Join Date: Oct 2005
Location: Italy
Posts: 8,834
Default Re: Security

Seems rather improbable. Did you upload the second file? If yes, then type in your browser http://www.yourdomain.com/phpinfo.php to see the actual settings of your site.
  #15  
Old 03-15-2008, 08:55 AM
Sergeant
 
Join Date: Dec 2007
Location: Auckland ,New Zealand
Posts: 32
Default Re: Security

I think I made a mistake before. I reloaded phpinfo and
it worked.
Now in the PHP configuration under PHP Core it shows register_globals 'off',
but cPanel still shows "on".
Please advise
  #16  
Old 03-15-2008, 08:56 AM
navaldesign's Avatar
General & Forum Moderator
 
Join Date: Oct 2005
Location: Italy
Posts: 8,834
Default Re: Security

Ok, I see that you have now uploaded the file. As you see, register_globals is set to Off as promised.
What you see in CP (php settings) is what the server settings are; in fact this is why you asked for a workaround.

Register_globals is ON for the server, but OFF for your own account and site.
  #17  
Old 03-15-2008, 09:07 AM
Sergeant
 
Join Date: Dec 2007
Location: Auckland ,New Zealand
Posts: 32
Default Re: Security

Hi Naval,
I am working in Joomla. When I open CP it says:
Following PHP Server Settings are not optimal for Security and it is recommended to change them:
  • PHP register_globals setting is `ON` instead of `OFF`
Please check the Official Joomla! Server Security post for more information.

That's why I need to set it off, but it is still "on".

thx
  #18  
Old 03-15-2008, 09:10 AM
navaldesign's Avatar
General & Forum Moderator
 
Join Date: Oct 2005
Location: Italy
Posts: 8,834
Default Re: Security

I had suggested that you do these operations in the interested folder. If this folder is "joomla", then that is where you should repeat the above tasks.
  #19  
Old 03-15-2008, 09:12 AM