My shared server provider has register_globals on. I checked by running
php_info(); from within a file. I would like to turn this off, but
asking them to turn it off just for me will not work.
I tried adding the following lines to the .htaccess file:
php_flag register_globals off
but that did not work. I thought that maybe the file is called
something else, and I could not find any file containing mod_php
anywhere on the server. Also, I can see that the addmodule line for
mod_php4.c is commented out in the httpd.conf file for the shared
I do not know how the server can serve php if that line is commented
Bottom line is: is the .htaccess approach the correct one? and does
anyone know how I can find out if I am using the correct filename?
phpinfo() says that I have PHP Version 4.3.11
I will leave phpinfo() running on the main page so that if someone
needs more information,
Web Server On Windows, With Register_globals On, How To Turn It Off Just On My Site?
web server is on windows, with register_globals on, how to turn it off just on my site? I cannot access the configuration file, and I cannot use .htaccess because it is on windows. How to turn off the register_gobals in this case?
for a stats program for a game, logs are sent to a perl file which saves data into a MySQL database then interpreted by PHP. when i try to check the stats it gives the error register_globals must be ENABLED
i went into php.ini and checked for a register_globals variable and i found this: register_globals = Off so of course i change it to: register_globals = On that didnt work so i also tried: register_globals = ON register_globals = on
it keeps saying that register_globals is still disabled though.... what is wrong? php.ini is in the windows folder where it should be.
I just took over the website at work. I am still learning PHP. Register_globals are on and the script appears to be coded to take advantage of this. I know how to recode the script, but am unsure how to turn them off when I am done. I have googled and came up with placing
php_flag register_globals off
in the .htaccess file.
I did this without recoding the script and the script still worked, so I am assuming I did not turn them off.
I'm running PHP 5.3.2, and I've checked the ini file, and it has register_globals Off, but when I check phpinfo();, it says that it's on as a Local Value, but Off as a Master Value. I tried echo $ID and inputed ?ID=2 into the URL and it echoes 2, so I'm pretty sure that it's still on. Can anyone tell me how to turn it off?
I have a client that brought to my attention a very interesting problem. If he has a website (www.domain.com) and he has a php page on it (order.php) that connects to the database. He has the user and pass in the page.
This is a linux server. It seems that another person on the server could just figure out what directory he is in. Then just do "vi order.php" so they could read the user and pass and then connect to the database and steal information.
I recently installed the Drupal CMS on my shared server. My problem is with "clean urls". When I run the clean urls test it seems to pass ok, but when I then enable clean urls the page loses all of its design (ie. logo, color, links do not work, etc.). I know there are some server things that need to be done and my host is telling me I cant do them because this is a shared server. They then told me that Drupal was not going to work for me. Will Drupal work on my shared server? Why is the site having this clean url problem? If Drupal will not work is there another CMS that already has clean urls?
I wish to use a PHP Framework such as Yii, however, it seems to set this up I need access to a terminal or console. Unfortunately my only access to the server is via an FTP client as it's shared hosting. Does this rule Yii out as a framework?
I have a client that would like to FTP a file from his website on a shared server to another site. We are able to FTP the file manually using FileZilla from my computer to the other site and would like to build the same functionality into a PHP script that executes on the website via a CRON job. The goal is automatic file transfer on a specific date.
The problem I am having is that ftp_connect command in the PHP script fails to connect.
Should I use a port other than 21 in shared environment?
The ISP (Bluehost) says that they are not preventing the connection.
I want to add the following settings to my server:
ServerSignature Off ServerTokens Prod
However after research I have to add these settings in my httpd.conf or apache2.conf file. It wont work in my php.ini or .htaccess on my public webroot. If I have not got access to these two server files (httpd.conf or apache2.conf) how can I get access or is there an alternative way to get these settings to work. It is a security issue I need to sort out ASAP.
I have a very cheap php-enabled linux hosting account.
Unfortunately, this host does not have some extensions enabled which I need, namely, the dom-xml and xslt extensions.
Assuming that the server admins ignore my pleas, is there a way to locally enable these extensions for my account, with a local copy of php.ini, or local copies of the proper *.so files, or some magic in the .htaccess file?
My shared host used to have Php configured such that I could place a php.ini file into any directory on my site and that was the php.ini file that the Php cgi would use when it ran scripts.
Since upgrading to Php5.1 that is no longer possible (not allowed in Php5.1 (?) ).
Anyway, ... this was a very handy way for me to set the include path so that I could keep files with sensitive data (e.g., database usernames, passwords) out of the site's public path.
My hosting service has actually rolled back to Php5.0 so that I could continue doing as I had been ... with the caveat that they will ultimately have to go with 5.1.
So, I have a set of questions.
1. Is there another way that I can set the include path globally for my site? (Adding them to htaccess throws a 500 server error.)
2. How much security is really gained by moving sensitive include files out of the site path (my include files all use the .php extension)? Should I even be that concerned about this capability?
3. Would I gain the same security if I changed my current include files (which I would have to put back into the public site path) to do nothing but set include_path outside the public site and then include a new, secondary file which actually contains the sensitive data?
4. Does anyone know why I *can* use local php.ini files in 5.01 and not in 5.1?
My website uses sessions for the usual malarkey - user logins, etc. I'm on a shared server, with sessions saved in '/tmp'. I've been told that this is prone to sessions hijacking, since the whole server's session files are stored in that directory, not each domain/subdomain having its own '/tmp' directory. (The server's using Red Hat)
If they're vulnerable in here, what's the best course of action to take? I can't create directories outside my webroot (except in cgi/bin) so a custom directory is out of the question (again, unless I can use cgi/bin? doesn't seem a good idea). I'm thinking then, of a database/cookies solution, storing a 'session' cookie on the user's computer with the value of a hashed session id, which then points to the appropriate row in a 'sessions' table in the database.
Can anyone point me in the direction of a suitable session database class, incidentally?Could anyone advise me on this? What do you gurus do about session handling (please don't say "buy a dedicated server" because I can't! :D ) I've been using the /tmp dir for nearly two years now without any problems, but have only just got round to think seriously about session security.
I need to rewrite URLs. The problem is that I am developing in PHP on an ISAPI server. An additional problem is that I am not the owner/manager of the server.Is there any way to rewrite URLs for PHP on a shared ISAPI server?
I have created a project(on my Localhost) in symfony(PHP Framework), and need to upload it on server(i.e the WEB Server), but i dont know how to do that, i got many methods on net, but i was not able to follow that.
Shared-server environment for various and sundry web services.I think we've settled on setting disable_functions and disable_classes site wide in php.ini and php_admin_value to force open_basedir in each app's httpd.conf for php scripts, and passenger's user switching for ruby scripts.We still need to find something for python though.Passenger does support python, but not for per-application security for specific sub-directories(it's all or nothing at the domain level).(And if any of the previous doesn't make sense-well, I'm the guy who's supposed to set up the python support, not the guy who set up the php or ruby support, so there's still some "and then some magic happens" steps in there from my perspective).
i was wondering if there is any way to turn my website into a proxy server ..i found plenty of scripts using PHP but they all require navigating to site in order to use the proxy, but what i really want is a script that enables me to access the site via browser configuration like in firefox when you enter the IP and port number in the options dialog, is there any kind of scripts that does that ?
We all know that HTTP uses port 80, what if i put my server's ip and the port 80 in the browser's proxy setting, will the browser sends the HTTP requests to my index.php which will fetch the website from server side and return response headers and body?
Calculate Server Load - Turn This Server Load Into A Percentile Scale?
How do you calculate the server load of PHP/apache? I know in vBulletin forums there's the server load displayed like 0.03 0.01 0.04 but it's not really understandable to a average joe. So I thought about a 1-100 percentile scale. I wanted to display a server load visual that reads from a DIV:
$load = $serverLoad*100; <div class="serverLoad"> <div style="width: $load%;"></div>//show visual for server load on a 1-100 % scale[code]....
However, I don't know how to detect server load.Is it possible to do turn this server load into a percentile scale? I don't know where to start.