I have created a directory on the server /cms/ where the Drupal files are. I have created php.ini with "php_flag register_globals 0", have tried "php_flag register_globals off" to no avail. I created a .htaccess file with the same code and it does not work. I've uploaded these files in the top level and in /cms/. I have tweaked the .htaccess file that comes along with Drupal and that doesn't work either. This is my first stab at Drupal and I can't get off square one. Any ideas?

Comments

catch’s picture

Your best option is to contact your hosts and ask them to switch register_globals off on the server itself - it's a security issue and extremely bad practice to leave it enabled.

jumonjii’s picture

Worst case scenario you could comment out the part of Drupal install that checks.

My host has register globals disabled but Drupal still gave me that error.

kristinecummins’s picture

GoDaddy refuses to help me because it's a scripting issue which they consider has nothing to do with them. If you could give me instruction on how to comment out that part of the install, I'd be so grateful.

jumonjii’s picture

In the bootstrap.inc file:

About line 218, you'll see this code:

/**
 * Unsets all disallowed global variables. See $allowed for what's allowed.
 */
function drupal_unset_globals() {
  if (ini_get('register_globals')) {
    $allowed = array('_ENV' => 1, '_GET' => 1, '_POST' => 1, '_COOKIE' => 1, '_FILES' => 1, '_SERVER' => 1, '_REQUEST' => 1, 'access_check' => 1, 'GLOBALS' => 1);
    foreach ($GLOBALS as $key => $value) {
      if (!isset($allowed[$key])) {
        unset($GLOBALS[$key]);
      }
    }
  }
}

I just changed it to this:

/**
 * Unsets all disallowed global variables. See $allowed for what's allowed.

function drupal_unset_globals() {
  if (ini_get('register_globals')) {
    $allowed = array('_ENV' => 1, '_GET' => 1, '_POST' => 1, '_COOKIE' => 1, '_FILES' => 1, '_SERVER' => 1, '_REQUEST' => 1, 'access_check' => 1, 'GLOBALS' => 1);
    foreach ($GLOBALS as $key => $value) {
      if (!isset($allowed[$key])) {
        unset($GLOBALS[$key]);
      }
    }
  }
}
*/

I did this for mine and was able to install Drupal no problem.

felix-vera’s picture

Hi all,

I'm having the same problems as kristinecummins. I tried jumonjii's solution and also commented out the place in the same file where the function is called, but I still got the error and cannot continue with the installation.

Does anybody know another trick to skip that checking?

It's going to take some time till I get an answer from the hosting company and I wanted to start tweaking with Drupal 6 as soon as possible.

Cheers!

jumonjii’s picture

Remove the section completely.

felix-vera’s picture

Do you mean the whole case DRUPAL_BOOTSTRAP_CONFIGURATION: in the method function _drupal_bootstrap($phase)?

I tried that but still got the same error.

Or maybe you mean to remove something else?

felix-vera’s picture

Hi all,

If someone else has this problem, that's what I did to solve it.

In the file DRUPAL_ROOT/modules/system/system.install I commented out the register_globals check and set this variable to off manually.

I changed this (from line 54 in version 6.3):

if (!empty($register_globals) && strtolower($register_globals) != 'off') {
  $requirements['php_register_globals']['description'] = $t('register_globals is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when register_globals is enabled. The PHP manual has instructions for how to change configuration settings.');
  $requirements['php_register_globals']['severity'] = REQUIREMENT_ERROR;
  $requirements['php_register_globals']['value'] = $t("Enabled ('@value')", array('@value' => $register_globals));
}
else {
  $requirements['php_register_globals']['value'] = $t('Disabled');
}

With this:

//if (!empty($register_globals) && strtolower($register_globals) != 'off') {
//$requirements['php_register_globals']['description'] = $t('register_globals is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when register_globals is enabled. The PHP manual has instructions for how to change configuration settings.');
//$requirements['php_register_globals']['severity'] = REQUIREMENT_ERROR;
//$requirements['php_register_globals']['value'] = $t("Enabled ('@value')", array('@value' => $register_globals));
//}
//else {
//$requirements['php_register_globals']['value'] = $t('Disabled');
//}


$requirements['php_register_globals']['value'] = $t('Disabled');

Enjoy Drupal!

vevhlos’s picture

Or you can just change this line:

$register_globals = trim(ini_get('register_globals'));

in DRUPAL_ROOT/modules/system/system.install

to

$register_globals = "off"; //trim(ini_get('register_globals'));

Cheers.

headdragon’s picture

That line of code is not in the release 7 bootstrap.inc file.

catch’s picture

That "it's a scripting issue" answer should be translated to "find another hosting provider, we're not much good". It's a security issue and has everything to do with them.

See here: http://uk.php.net/register_globals

jonathan_w’s picture

The way I solved this problem on my HostGator account was to copy the servers php.ini file (located at /usr/lib/php.ini) to my home directory (/home/MYUSERNAME/php.ini) and then edited it with the settings that I wanted. Then, I created an .htaccess file in the same directory with this in it:

<IfModule mod_suphp.c>
  suPHP_ConfigPath /home/MYUSERNAME
  <Files php.ini>
    order allow,deny
    deny from all
  </Files>
</IfModule>

FYI, my html files are stored in /home/MYUSERNAME/public_html. I got the solution from this thread: http://forums.hostgator.com/php-ini-without-copying-all-subdirectories-t...

I don't know if this will work for you, but I thought it was worth sharing.
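
An added diagnostic for the situation in this thread, not part of any post above and not Drupal code: it reports the register_globals value PHP is actually running with (the value Drupal's installer reads through ini_get()), which php.ini was loaded, and whether the SAPI accepts php_flag lines in .htaccess or needs a php.ini entry instead. The function names are made up for this example; on PHP 5.4 and later the directive no longer exists and ini_get() returns false.

```php
<?php
// Added example (not from the thread). Upload it temporarily, request it in a
// browser, then delete it again: the output reveals server paths.

/** Normalise a boolean ini value; ini_get() may return "1", "", "On", "Off" or false. */
function ini_flag_enabled($raw) {
  return $raw !== false && filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

/**
 * register_globals is a PHP_INI_PERDIR directive: ini_set() at runtime cannot
 * change it, so it has to be set in a file that fits the SAPI in use.
 */
function perdir_setting_location($sapi) {
  if (strpos($sapi, 'apache') === 0) {
    // mod_php: php_flag lines in .htaccess apply if AllowOverride permits them.
    return '.htaccess: php_flag register_globals off';
  }
  if (strpos($sapi, 'cgi') !== false || $sapi === 'fpm-fcgi') {
    // CGI, FastCGI, suPHP: php_flag is a mod_php directive and is not available.
    return 'php.ini (or .user.ini on PHP 5.3+): register_globals = Off';
  }
  return 'unrecognised SAPI, ask the host';
}

/** Collect the effective configuration as seen by the running PHP process. */
function register_globals_report() {
  $raw = ini_get('register_globals');
  $sapi = php_sapi_name();
  return array(
    'php_version'          => PHP_VERSION,
    'sapi'                 => $sapi,
    'loaded_php_ini'       => php_ini_loaded_file(), // false if none was loaded
    'directive_exists'     => $raw !== false,        // false on PHP >= 5.4
    'register_globals_raw' => $raw,
    'register_globals_on'  => ini_flag_enabled($raw),
    'set_it_in'            => perdir_setting_location($sapi),
  );
}

header('Content-Type: text/plain');
foreach (register_globals_report() as $key => $value) {
  echo str_pad($key, 22), var_export($value, true), "\n";
}
```

If register_globals_on is still true after a configuration change, the file that was edited is not the one listed under loaded_php_ini, or the syntax does not match the SAPI.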

lias’s picture

I'll try it and post back. Thanks.

Edited: techark fixed register_globals to off. Didn't explain how but now it works with Drupal.

flashwebcenter’s picture

Thank you for the link and the help.

Best wishes,
Alaa Haddad
Website: https://www.alaahaddad.com/
Linkedin: https://www.linkedin.com/in/alaahaddad/

headdragon’s picture

This is the only thing that fixed it. Some software needs it on, so that is why rented shared server hosts won't set it to off. Scroll down and look at the code section.

#
# Apache/PHP/Drupal settings:
#

# Protect files and directories from prying eyes.

Order allow,deny

# Don't show directory listings for URLs which map to a directory.
Options -Indexes

# Follow symbolic links in this directory.
# For security reasons, Option followsymlinks cannot be overridden.
#Options +FollowSymLinks
Options +SymLinksIfOwnerMatch

# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php

# Force simple error message for requests for non-existent favicon.ico.
<Files favicon.ico>
  # There is no end quote below, for compatibility with Apache 1.3.
  ErrorDocument 404 "The requested file favicon.ico was not found.
</Files>

# Set the default handler.
DirectoryIndex index.php index.html index.htm

# Override PHP settings that cannot be changed at runtime. See
# sites/default/default.settings.php and drupal_initialize_variables() in
# includes/bootstrap.inc for settings that can be changed at runtime.

# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
  php_flag magic_quotes_gpc                 off
  php_flag magic_quotes_sybase              off
  php_flag register_globals                 off
  php_flag session.auto_start               off
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_flag mbstring.encoding_translation    off
</IfModule>

# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
  # Enable expirations.
  ExpiresActive On

  # Cache all files for 2 weeks after access (A).
  ExpiresDefault A1209600

  <FilesMatch \.php$>
    # Do not allow PHP scripts to be cached unless they explicitly send cache
    # headers themselves. Otherwise all scripts would have to overwrite the
    # headers set by mod_expires if they want another caching behavior. This may
    # fail if an error occurs early in the bootstrap process, and it may cause
    # problems if a non-Drupal PHP file is installed in a subdirectory.
    ExpiresActive Off
  </FilesMatch>
</IfModule>

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on

  # Block access to "hidden" directories whose names begin with a period. This
  # includes directories used by version control systems such as Subversion or
  # Git to store control files. Files whose names begin with a period, as well
  # as the control files used by CVS, are protected by the FilesMatch directive
  # above.
  #
  # NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
  # not possible to block access to entire directories from .htaccess, because
  # <DirectoryMatch> is not allowed here.
  #
  # If you do not have mod_rewrite installed, you should remove these
  # directories from your webroot or otherwise protect them from being
  # downloaded.
  RewriteRule "(^|/)\." - [F]

  # If your site can be accessed both with and without the 'www.' prefix, you
  # can use one of the following settings to redirect users to your preferred
  # URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
  #
  # To redirect all users to access the site WITH the 'www.' prefix,
  # (http://example.com/... will be redirected to http://www.example.com/...)
  # uncomment the following:
  # RewriteCond %{HTTP_HOST} !^www\. [NC]
  # RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  #
  # To redirect all users to access the site WITHOUT the 'www.' prefix,
  # (http://www.example.com/... will be redirected to http://example.com/...)
  # uncomment the following:
  # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  # RewriteRule ^ http://%1%{REQUEST_URI} [L,R=301]

  # Modify the RewriteBase if you are using Drupal in a subdirectory or in a
  # VirtualDocumentRoot and the rewrite rules are not working properly.
  # For example if your site is at http://example.com/drupal uncomment and
  # modify the following line:
  # RewriteBase /drupal
  #
  # If your site is running in a VirtualDocumentRoot at http://example.com/,
  # uncomment the following line:
  # RewriteBase /

  # Pass all requests not referring directly to files in the filesystem to
  # index.php. Clean URLs are handled in drupal_environment_initialize().
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^ index.php [L]

  # Rules to correctly serve gzip compressed CSS and JS files.
  # Requires both mod_rewrite and mod_headers to be enabled.
  <IfModule mod_headers.c>
    # Serve gzip compressed CSS files if they exist and the client accepts gzip.
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.css $1\.css\.gz [QSA]

    # Serve gzip compressed JS files if they exist and the client accepts gzip.
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.js $1\.js\.gz [QSA]

    # Serve correct content types, and prevent mod_deflate double gzip.
    RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
    RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]

    <FilesMatch "(\.js\.gz|\.css\.gz)$">
      # Serve correct encoding type.
      Header append Content-Encoding gzip
      # Force proxies to cache gzipped & non-gzipped css/js files separately.
      Header append Vary Accept-Encoding
    </FilesMatch>
  </IfModule>
</IfModule>