register_globals off in PHP 4 (joomla)

Posted by: poisonivy
Posted on: 2007-01-03 12:20:00

Hello there,

My apologies for posting what is probably a redundant question, but is there an Idiot's Guide to doing a custom php.ini file? The most recent upgrade of Joomla recommends that register_globals be switched off. I've tried modifying my .htaccess file as suggested on the joomla forums, but it doesn't seem to work on Dreamhost. Unfortunately I have ZERO experience with UNIX. Is there any chance I can do this without seriously messing up my site?

Any help appreciated.

Thanks.

Re: register_globals off in PHP 4 (joomla)

Posted by: scjessey
Posted on: 2007-01-03 12:25:00

Switch to using PHP5. register_globals is disabled by default, and Joomla should work just fine.

Re: register_globals off in PHP 4 (joomla)

Posted by: poisonivy
Posted on: 2007-01-03 12:36:00

Thanks for your reply. If I switch to PHP5 does this mean I have to re-install Joomla?

Re: register_globals off in PHP 4 (joomla)

Posted by: scjessey
Posted on: 2007-01-03 13:04:00

I'm afraid I don't know the answer to that. You could always set up a subdomain to test this in advance.

Re: register_globals off in PHP 4 (joomla)

Posted by: rlparker
Posted on: 2007-01-03 14:32:00

In reply to:

If I switch to PHP5 does this mean I have to re-install Joomla?


Nope! Joomla! works fine with PHP5. :)

You might want to understand, however, that Joomla! will also "complain" about one of the settings in DH's PHP5. The issue *there* is "magic_quotes",

None of this is really as relevant as the Joomla! developers (understandably, given the programming abilities of many/most Joomla! users) might have you believe; they have taken the route of being *very* pro-active regarding security and now choose to issue warnings if there is even the remotest possibility of an exploitable "hole" in a poorly coded component.

The "core" Joomla! is very robust, and neither the register_globals nor the magic_quotes issue is a real issue with *that* code - the problem is in the plethora of add-ons and components available and their greatly differing quality and attention to secure coding.

To me, the "register_globals" being on is the greater problem. My tests have shown that:

1) Using PHP4, you will get warned about register_globals, but magic_quotes is set as recommended.

2) Using PHP5, you will not have the register_globals warning, but you will be warned about magic_quotes.

The only way I have found to eliminate *all* warnings on DH is to use a customized php.ini or custom php installation.

That said, when you originally asked about the "idiot's guide", I was not sure if you had seen the DH wiki article on customizing php.ini and thought it was too complicated, or if you are not aware of its existence.

If you carefully follow the instructions, it is really not that hard to do - but if the steps involved are totally foreign to you, you are probably well advised to forgo attempting it until you feel reasonably comfortable working in the shell. ;)

--rlparker

Re: register_globals off in PHP 4 (joomla)

Posted by: pangea33
Posted on: 2007-01-11 15:47:00

To reiterate, there are no problems with Joomla when switching from PHP4 to PHP5. I've gone between the two a couple times and never had to change anything.

Even when using PHP5 with register_globals off, you very easily could still see the warning message about them being enabled. Keep in mind that Joomla has a feature to emulate register_globals even when they're disabled in PHP, for backward compatibility with older modules requiring it.

Double check the 'RG_EMULATION' setting in your globals.php and make sure it's set to false for best security. If you're using any modules that depend on that setting, uninstall them and find a better alternative.

/**
 * Use 1 to emulate register_globals = on
 * WARNING: SETTING TO 1 MAY BE REQUIRED FOR BACKWARD COMPATIBILITY
 * OF SOME THIRD-PARTY COMPONENTS BUT IS NOT RECOMMENDED
 *
 * Use 0 to emulate register_globals = off
 * NOTE: THIS IS THE RECOMMENDED SETTING FOR YOUR SITE BUT YOU MAY
 * EXPERIENCE PROBLEMS WITH SOME THIRD-PARTY COMPONENTS
 */
define( 'RG_EMULATION', 0 );
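
Added example (not part of the thread and not Joomla! code): a simplified model of why emulated register_globals matters for an add-on that never initialises its variables, next to the same logic written safely. The function names, the `com_example` option and the request values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration only: not Joomla! code. emulate_register_globals() is a
// hypothetical, simplified model of what RG_EMULATION = 1 implies.
function emulate_register_globals(array $request)
{
    foreach ($request as $name => $value) {
        $name = (string) $name;
        // Never let request data replace PHP's own superglobals.
        if ($name === 'GLOBALS' || strpos($name, '_') === 0) {
            continue;
        }
        $GLOBALS[$name] = $value; // request parameter becomes a global variable
    }
}

// Hypothetical add-on written for register_globals = on: $is_admin is only
// assigned on the success path and is never initialised.
function legacy_component($session_user)
{
    global $is_admin;
    if ($session_user === 'admin') {
        $is_admin = true;
    }
    return !empty($is_admin) ? 'admin panel' : 'public page';
}

// Same logic with the variable initialised, so request data cannot pre-set it.
function hardened_component($session_user)
{
    $is_admin = ($session_user === 'admin');
    return $is_admin ? 'admin panel' : 'public page';
}

// Constructed request from a visitor who is not logged in as admin.
$request = array('option' => 'com_example', 'is_admin' => '1');

foreach (array(0, 1) as $rg_emulation) {
    unset($GLOBALS['is_admin'], $GLOBALS['option']);
    if ($rg_emulation) {
        emulate_register_globals($request);
    }
    printf("RG_EMULATION=%d legacy: %-12s hardened: %s\n",
        $rg_emulation, legacy_component('guest'), hardened_component('guest'));
}
```

The hardened function behaves the same with emulation on or off, which is the property to look for when deciding whether a third-party component really needs RG_EMULATION set to 1.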

Tags: htaccess file, dreamhost, ini file, php 4, unix, appreciated