PHP and Joomla


#1

I’m thru the one-click install of Joomla.

The Joomla pre-install check flagged the following:


Following PHP Server Settings are not optimal for Security and it is recommended to change them:

  • PHP register_globals setting is ON instead of OFF

Which begs the questions: how do I change them? Should I? I’m not running a commerce site, so I need good-enough security, not credit-card level security…

Thoughts?

Thanks
-w


#2

It looks like you’re running PHP 4 for the domain.

If there’s nothing else on the domain that will break under PHP 5, you can change to PHP 5 via the DreamHost panel.

If in doubt, try it briefly - you can always switch back if anything is acting suspiciously.

You’ll now get different warnings about “magic_quotes_gpc” and “RG_EMULATION”. You can ignore these though. There’s nothing to worry about.

Cheers,
Karl



#3

Don’t change them, it’ll still run. Having them ON is a security risk.

-Scott


#4

You can add a directive in .htaccess to switch magic_quotes_gpc off.

php_flag magic_quotes_gpc off

If you don’t already have a .htaccess* in your Joomla! folder you can create one.

* It’s a hidden file, so turn hidden files on in your FTP client to check.

#5

Actually, as PHP runs as PHP-CGI on DreamHost, you cannot manipulate the setting of magic_quotes_gpc on DreamHost via .htaccess directives, so that will not work. :wink:

Magic_quotes_gpc is off by default in the DreamHost PHP5.X installation and on by default in the DreamHost PHP4.x installation.

There are other ways to manipulate the configuration setting, and they are described in the DH wiki article referenced above.

–rlparker


#6

Oops. The PHP-CGI caveat :s

I keep forgetting the first thing I did at DH was install a custom PHP.


#7

Magic Quotes in my Joomla are already OFF. That’s what the warning is about, and probably for most other people, too.

-Scott


#8

It depends on which version of PHP the users chose when setting up the account.

With PHP5 magic_quotes_gpc is OFF by default.

Back in PHP4 magic_quotes_gpc is ON by default (and you’ll get the warning when installing).


#9

Got it & thanks. I’m now on PHP 5.2.2 & happy.
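
Why the pre-install check in the first post flags register_globals, shown as an added example that is not part of the thread or of Joomla's code. The function names and the sample request are constructed, and extract() stands in for the setting itself, which was removed in PHP 5.4.

```php
<?php
// Added illustration: names and the sample request are constructed.

// With register_globals = On, every request parameter existed as a
// variable of the same name before the script's first line ran.
// extract() with EXTR_SKIP emulates that inside one function.
function page_with_register_globals($request, $loggedIn)
{
    extract($request, EXTR_SKIP);   // stand-in for register_globals = On

    if ($loggedIn) {
        $authorized = true;
    }
    // Defect: $authorized is never initialised, so a request parameter
    // called "authorized" decides the outcome for an anonymous visitor.
    return !empty($authorized) ? 'admin page' : 'denied';
}

// Same logic with the setting OFF and the variable initialised.
function page_hardened($request, $loggedIn)
{
    $authorized = false;            // explicit default, nothing imported
    if ($loggedIn) {
        $authorized = true;
    }
    return $authorized ? 'admin page' : 'denied';
}

// Constructed request: anonymous visitor, query string "?authorized=1".
$request = array('authorized' => '1');

echo 'register_globals emulated ON: ',
     page_with_register_globals($request, false), "\n";
echo 'OFF + initialised variable:   ',
     page_hardened($request, false), "\n";

// Report the two settings named in the thread as this PHP sees them.
// ini_get() returns false when the PHP version no longer has the option.
foreach (array('register_globals', 'magic_quotes_gpc') as $name) {
    $value = ini_get($name);
    echo $name, ': ',
         ($value === false ? 'not present in this PHP' : var_export($value, true)),
         "\n";
}

// "cgi" or "cgi-fcgi" here means php_flag lines in .htaccess are not
// applied, which is the PHP-CGI caveat raised in post #5.
echo 'SAPI: ', PHP_SAPI, "\n";
```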