OS: Linux, PHP: v4.4.0, scripts are run as CGI executables

Greetings, I have been trying to set up a CMS for a group and I'm pretty new at all of this. Here's my problem...

When I run a security mod on the site I am getting the following security errors:
'register_globals' : on Not secure
'allow_url_fopen' : on Not secure
'session.use_trans_sid' : on Not secure

After googling, emailing the host and trial and error I have discovered that I need to create a php.ini file. There is currently no .htaccess or php.ini file in the site.

My latest attempt at the code still gets the errors:
php.ini:

<?php
register_globals = off;
allow_url_fopen = off;
session.use_trans_sid = off;
?>

Is my code wrong or do I also need to create a .htaccess file?

Thanks in advance to anyone that can point this newb in the right direction,

Steve

    StevenB wrote:

    After googling, emailing the host and trial and error I have discovered that I need to create a php.ini file.

    I really doubt that. There is only one php.ini file that the entire system looks at... it's configured by whoever installs the webserver & PHP interpreter.

    Now, in a hosting environment, an .htaccess file would be the way to go. Create a .htaccess file in the root of your web directory, and use the appropriate command to change each value. For the different commands, see this man page: [man]configuration.changes[/man]

      Thanks for your response,

      The host recommended the php.ini file. This was their response:

      I'm sorry but we cannot alter these settings for the entire server due to security reasons.
      If you wish to change them just for your web site you can do so by creating a php.ini file in the main folder of your site. Once this is done, simply put in the necessary lines in order to alter the troublesome variables (for instance: register_globals=off).
      in this way you will overwrite the settings of the server only for your website

      I got an internal server error when I tried to create the .htaccess. When I contacted the host their reply was:

      1. Yes, applying these lines to the .htaccess files will cause the internal server error 500 to be generated because in our system PHP scripts are run as CGI executables which means that whenever you try to use PHP directives in the .htaccess file they are not correctly recognised which in turn results in the aforementioned error.

      Sorry if I'm missing something but it sounds to me that I can have a php.ini for just my site. As I said I am new to all of this, but I refuse to give up!

      Steve

        Ah, didn't expect them to be running it as a CGI binary.

        In that case, try creating the php.ini file as they instructed. No <?php ?> tags, no semicolons.

          I had previously tried that...

          register_globals=off
          allow_url_fopen=off
          session.use_trans_sid=off

          but I still get the security warnings.

          Sorry if this is a stupid question. Do I need to also have a .htaccess file for the php.ini to function?

          And another suggested possible solution was to use php_flag. My attempt did not work, but I may have a problem with my code. Here it is:

          php_flag register_globals=off
          php_admin_flag allow_url_fopen=off
          php_flag session.use_trans_sid=off

          Any ideas or reference is greatly appreciated.

          Thanks,
          Steve

            I don't work with PHP as a CGI binary much, so I'm in the dark here as well. Since PHP isn't an Apache ISAPI module, the php_flag stuff won't work.

            If you followed their instructions to create a php.ini file and it still won't work, I would contact them and have them take a look at the file you created. See if they know what's wrong and can offer any advice.

              Thanks for your advice. Unfortunately the host was not much help. They suggested I google my solution. I've been working on this for days and I might just have to change hosts if I can't find the answer today.

              For now I'll keep working on it, but just in case can anyone recommend a good host with PHP v4.xx, phpMyAdmin, MySQL, and a very good CP?

              I will be monitoring this post for any advice.

              Thanks,
              Steve

                As I said, I don't work with PHP as a CGI binary, so I'm out of suggestions. Sorry I couldn't be of much help.

                  Many hosts that allow you to modify the php.ini file (and run PHP in CGI mode) will have a copy of the php.ini file for you to download - which you can then modify. I would ask for a copy of theirs (or search their KB or FAQ about the issue, perhaps it's linked there).

                  Then just scroll through, making the changes you need and upload to your root directory.

                  This is how it was at the host I worked for, as well as 2 other hosts I have used.

                  hth

                    11 days later

                    Ok I got a new host (that allows .htaccess) and I have gotten past the register_globals problem, but I am still having problems with the .htaccess.

                    I have enabled .htaccess on the site through the CP and this is my entire .htaccess:

                    allow_url_fopen=off
                    session.use_trans_sid=off

                    and that immediately crashes the site. Can anyone point me in the right direction please?

                    TIA,
                    Steve

                      1. allow_url_fopen cannot be set in a .htaccess file

                      2. That's not the correct syntax for a .htaccess file... try looking at this man page: [man]configuration.changes[/man]

                        Can anybody help with directions for that, just for Windows?

                          5 years later

                          I ran into the same problem and came across a great solution that worked for me.

                          I use GoDaddy as my hosting solution and they had told me to create my own php.ini file and upload it to the root level of my server. This did not work.

                          What worked:

                          create the php.ini file with the following:

                          memory_limit = 64M
                          post_max_size = 64M
                          file_uploads = On
                          upload_max_filesize = 64M

                          You can change the size limit to what you need.

                          If you're using WordPress like I am, upload this file to the wp-admin folder.

                          It should work. This solution worked great for me.

                          If you're using any other solution, try the root first, if that does not work try putting it in the admin folder.

                          Hope this helps.

                          Regards,

                          bspweb
                          http://www.bspdesigns.net
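
An added example, not part of any post in this thread: a small PHP diagnostic that shows which SAPI is in use, which php.ini (if any) PHP actually loaded, and the effective state of the three directives the security scan flagged. The function names `directive_state` and `audit_directives` are hypothetical; the calls used (`ini_get`, `get_cfg_var`, `php_sapi_name`) are standard PHP and are available in PHP 4.

```php
<?php
// Added example: report where PHP read its configuration from and whether
// the three directives flagged in this thread are actually off at run time.

// Normalise ini_get() output. Booleans parsed from php.ini come back as
// "1" or "", but values set another way can come back as the raw word.
function directive_state($raw)
{
    if ($raw === false) {
        return 'absent';   // directive does not exist in this PHP version
    }
    $v = strtolower(trim((string) $raw));
    if ($v === '' || $v === '0' || $v === 'off' || $v === 'false' || $v === 'no') {
        return 'off';
    }
    return 'on';
}

// Map each directive name to 'on', 'off' or 'absent'.
function audit_directives($names)
{
    $report = array();
    foreach ($names as $name) {
        $report[$name] = directive_state(ini_get($name));
    }
    return $report;
}

$flagged = array('register_globals', 'allow_url_fopen', 'session.use_trans_sid');

header('Content-Type: text/plain');
echo 'SAPI:       ', php_sapi_name(), "\n";
// cfg_file_path is only set when a php.ini file was actually loaded.
$ini = get_cfg_var('cfg_file_path');
echo 'php.ini:    ', ($ini ? $ini : '(none loaded)'), "\n";
echo 'script dir: ', dirname(__FILE__), "\n\n";

foreach (audit_directives($flagged) as $name => $state) {
    $verdict = ($state === 'on') ? 'NOT SECURE' : 'ok';
    echo str_pad($name, 24), str_pad($state, 8), $verdict, "\n";
}
```

If the `php.ini` line shows the server-wide file rather than the one uploaded to the site, the per-site file is not being read from that directory, which would leave the directives on regardless of its contents. Remove the script from the site once the values are confirmed.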
