Register globals in php.ini

Hello,

Check your global php.ini file and set the option to "register_globals = On" and then restart apache. If you want to enable it for a particular domain, Edit httpd.conf and select the Vhost entry and add "php_admin_flag register_globals on" then restart apache, It will help you

 

To have register globals On in your php.ini is not suggested as it is very insecure...
either add it in you httpd.conf or you can add it in the .htaccess of that domain

 

You can do it for your account by adding the following line in the .htaccess file:

php_flag register_globals on

But make sure you cannot alter the php.ini settings with .htaccess when running PHP as cgi/phpsuexec.

Check this link,

http://webhostingtalk.com/showthread.php?t=421482

 

Yes, thats correct.

 

Open httpd.conf in any editor pico or vi as

vi /usr/local/apache/conf/httpd.conf

search for the domain name for which you want to have register_globals on. Lets say you want to turn register_globals on for domain.com then search domain.com in httpd.conf,you will find a Virtualhost section for domain.com as mentioned below and add php_admin_flag register_globals on in this section as I added:

Then save the httpd.conf file and restart apache.

As I mentioned before you can also do this for a particular site by adding the following line in the public_html/.htaccess file of that site:

php_flag register_globals on

 

If you have PHP compiled as Apache module just put php_flag register_globals on into VirtualHosts of needed sites in httpd.conf or the .htaccess that is located in the folder where register_globals should be enabled.

If PHP is compiled as PHPSuExec (CGI) you should put php variables (in our case register_globals) into php.ini in the folder where php scripts are located. Just create php.ini and put the following line:

register_globals = On

PHP variables can be also set in httpd.conf, but make sure they are added correctly as in the example below:

<VirtualHost 127.0.0.1>
ServerAlias www.domain.com domain.com
ServerAdmin webmaster@domain.com
DocumentRoot /home/username/public_html
BytesLog domlogs/domain.com-bytes_log
ServerName www.domain.com
User username
Group username
CustomLog domlogs/domain.com combined
ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/
<IfModule mod_php4.c>
php_flag register_globals on
</IfModule>
</VirtualHost>

or just put the following lines into the file .htaccess:
<IfModule mod_php4.c>
php_flag register_globals on
</IfModule>

 

Indeed it is insecure.. but only if you have bad clients on your server and chances for the server to get compromised is high if you provide ssh with register_globals On

 

It's insecure for a whole lot of more reasons. Basically any php script that uses global variables has the potential to offer a hacker easy access to the server if php code doesn't do proper sanity checking. I fail to see why having SSH access makes it any more or less secure with register_globals.

 

Other solutions

Instead of turning this on globally you have two options: (One of them i used myself on a CPanel account with register globals off) :p

1.

Use extract() to great the register globals effect: By putting something like :
extract($_POST); or extract($_GET); at the top of the php script will probably help you out no end...
You can do this for every file to make sure the site works.

I personally use extract on $post and $get but provide sanity checking and validation on the user inputted data first

2.

As the other posts mentioned:
For Apache users or webhosters, you can set the
php_flag register_globals on/off in a VirtualHost context. This would enable you to enable this on a specific users account and not give everyone register globals access.

Although it will work in httpd.conf - putting register globals on in .htaccess will cause an internal server error.

3.

If you're on a shared environment, and have no way of disabling register_globals, this little "unregister_globals" snippet could come in handy:

Code:

<?php
if (@ini_get('register_globals'))
   foreach ($_REQUEST as $key => $value)
       unset($GLOBALS[$key]);
?>

Other very helpful stuff here: Register globals - php.net
note: Dont forget to do sanity checking and validation of course very important stuff...