Joomla! PHP Globals Error

#1

Can anyone help me out? I can’t seem to fix the error I’m getting in Joomla! stating:

" Following PHP Server Settings are not optimal for Security and it is recommended to change them:

  • PHP register_globals setting is ON instead of OFF"

I’ve added the command already in my htaccess.txt file but it’s still not getting rid of the error. Any help would be greatly appreciated!

Michael


#2

This isn’t really an error, more a warning that the setting isn’t optimal from a security perspective. Joomla should still function fine despite the warning.

DreamHost’s default PHP4 install has register_globals set to ON, while the DreamHost default PHP5 install has register_globals set to OFF, so a simple fix would be to set your domain to use PHP5.

However, setting your domain to PHP5 will more than likely cause Joomla to warn you about the magic_quotes_gpc setting, but I believe this is a less severe security risk than register_globals being ON.

You can change the magic_quotes_gpc setting for PHP5 or the register_globals setting for PHP4, but this involves copying the default DreamHost PHP executable and php.ini files to your domain, configuring your .htaccess file to use this local install, then modifying the required php.ini settings. The general procedure is detailed in the wiki article linked below, but I should warn you that the procedure does require a fairly good working knowledge of the shell, etc.

http://www.wiki.dreamhost.com/index.php/PHP.ini

Mark



#3

Set to PHP5 and ignore the magic_quotes_gpc issue. It should be off. magic_quotes_gpc is going to be removed come PHP6. Joomla just suggests it because it does provide a very minute bit of safety, but Joomla shouldn’t be counting on it.

To be honest, I don’t know why Joomla even suggests it be on. That’s a bad suggestion. It should be off. No script should be using it. It’s just not safe enough. And even if scripts use it, they’ll just have to strip the slashes before they can use the data anyway – making magic_quotes_gpc pointless.

Upgrade to PHP5, too, because everybody should be upgrading to it. There shouldn’t be any new sites, for the past year, still using PHP4.


limbo-postal# rm -rf /etc
limbo-postal#
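
Added example, not part of the thread or any poster's code: a small audit of a php.ini file for the two directives discussed above, useful for confirming that a local php.ini actually carries the values you intended. The sample file content is constructed, and the "wanted" values (both Off) are an assumption that follows the last reply's advice.

```python
# Audit a php.ini for the two settings discussed in this thread.
# Words php.ini treats as boolean "on" (case-insensitive); anything else is off.
TRUE_WORDS = {"1", "on", "yes", "true"}

# Assumption: both directives should be Off. register_globals Off is what
# Joomla's warning asks for; magic_quotes_gpc Off follows the last reply.
WANTED = {"register_globals": False, "magic_quotes_gpc": False}


def parse_php_ini(text):
    """Return {directive: raw value}. A later assignment overrides an earlier one."""
    values = {}
    for raw in text.splitlines():
        # ';' starts a comment; this simple split is fine for boolean
        # directives but would truncate a quoted value containing ';'.
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, comment, section header, or not an assignment
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"')
    return values


def audit(text, wanted=WANTED):
    """Return [(directive, status)] with status 'ok', 'change' or 'unset'."""
    ini = parse_php_ini(text)
    findings = []
    for name, want_on in wanted.items():
        if name not in ini:
            # Not present in the file: PHP's built-in default applies.
            findings.append((name, "unset"))
            continue
        is_on = ini[name].lower() in TRUE_WORDS
        findings.append((name, "ok" if is_on == want_on else "change"))
    return findings


# Constructed sample, not DreamHost's real php.ini.
SAMPLE_INI = """\
[PHP]
;register_globals = Off
register_globals = On   ; active line, overrides nothing above (that one is a comment)
magic_quotes_gpc = Off
"""

if __name__ == "__main__":
    for directive, status in audit(SAMPLE_INI):
        print(f"{directive}: {status}")
```

Read the file your site actually loads (the "Loaded Configuration File" line in `phpinfo()` output) and pass its contents to `audit()`.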