PHP security

Hi gents,

Just as many of you I am using Joomla on quite a number of my sites. The recent version was kind enough to warn me though that my magic_quotes_gpc settings are not set ON [along with RG_EMULATION].

I did some research and found out that these values are used to help with security issues for applications that are written poorly enough and can be hacked. SQL injection and what not.

I found out that these settings can be changed in php.ini. I guess my first question would be, do I have access to that? I figure I don’t.

Secondly is it possible to switch off these bits?

Thirdly if not what are the reasons for keeping them off?

Thanks for answering.

In reply to:

---

I guess my first question would be, do I have access to that? I figure I don’t.

---

You don't have access to php.ini for the default DreamHost install of PHP, but you can copy the PHP executable and php.ini file to your domain and configure things to use this install. You may then modify settings in this local php.ini file. See the wiki article below for more details.

http://wiki.dreamhost.com/index.php/PHP.ini

Mark

There are a couple of fairly recent threads on this forum where users successfully accomplish just what you are inquiring about. Just search the forum for using keywords "Joomla" and "php.ini"

Edited to Provide links to prior relevant threads:

Prior Thread #1 - re. Modifying php.ini for Joomla! on Dreamhost
Prior Thread #2 - re. Modifying php.ini for Joomla! on Dreamhost

--rlparker

Thanks Raz2133

I've followed the wiki link all the way where you create a ..htaccess file. The files were copied successfully.

I added just like specified the lines:
AddHandler php-cgi .php
Action php-cgi /cgi-bin/php.cgi

But now i get the following error:

The requested URL /cgi-bin/php.cgi/home/index.php was not found on this server.

Thank you for your help.

In reply to:

---

The requested URL /cgi-bin/php.cgi/home/index.php was not found on this server.

---

I recall seeing this exact error when I first manually copied the php5.cgi and php.ini files to one of my domains. It turned out that the cgi file was named php5.cgi, while my .htaccess file was referring to php.cgi

Confirm that the name of the cgi file matches your .htaccess file and that it is located in the /cgi-bin/ directory.

Mark

I've checked my directory and it looks like I have the correct set of requirements:

/cgi-bin/php.cgi
/cgi-bin/php.ini

Now should php.ini be a duplicate of origiinal php.ini file with one line changed? ie: magic_quotes_gpc on
Or should it only contain one line: magic_quotes_gpc on?

php.cgi seems to be a compiled file [I don't modify it], do you happen to know why I need it in there?

In reply to:

---

/cgi-bin/php.cgi
/cgi-bin/php.ini

---

Of-course, this /cgi-bin/ directory should be within your domain directory ie: mydomain.com/cgi-bin/

In reply to:

---

should php.ini be a duplicate of origiinal php.ini file with one line changed?

---

Yes, you leave the php.ini file mostly as-is and just change the options that you need to.

In reply to:

---

php.cgi seems to be a compiled file [I don't modify it], do you happen to know why I need it in there?

---

The PHP executable (php.cgi) will by default look for the php.ini file in its own directory. Copying just php.ini would not suffice, as the original executable would not be using this local php.ini file.

So basically, you need to copy php.cgi and configure your domain to use this copied version so that your new modified php.ini file actually gets used.

Mark