register_globals (enable/disable)

I know this borders on the line of Apache/PHP install/config options but I hope you guys can help me. I have posted this on Drupal and a few other sites with no resolve. I am trying to install Drupal (a simple CMS) on a webserver that has register_globals enabled. I need to disable them for Drupal to work and have scoured the web for 2 days looking for a solution but nothing works. The host is willing to help with any type of workaround that would affect just me but can’t disable the globals affecting all. This is what I have tried so far:

I created a custom php.ini file to use in my directory but it’s not using it. I used an ini file with just the setting I wanted changed: register_globals = Off then I tried a copy of hosts default ini with that one thing changed. Still nothing. To test I put in a file to show the phpinfo and it states that it is NOT using my custom ini.

So my next option was an .htaccess file to override that setting;
I created one with the following info only (php_flag register_globals off) but I get an Internal Server Error 500.
Then I created another with the following but it gave the same error.

PHP 5, Apache 1 and 2.

php_value register_globals 0

The host assured me AllowOverride All is on.

The log from host shows:
[Sat Feb 02 17:47:25 2008] [alert] [client ************] /home//public_html/.htaccess: Options not allowed here
[Sat Feb 02 17:49:56 2008] [alert] [client ************] /home//public_html/.htaccess: php_flag not allowed here

Does anyone know what we need to enable or change to allow custom ini/htaccess files?

What you need to do first is convince your host of the serious security issues of enabling register_globals. The host machine could be compromised by flawed code depending on register_globals.

What you can try to bypass is use the ini_set() function to override the register_globals value. The con of this function is that you’ll need to set it on a per-file basis (so every file that checks the value of register_globals will need to have the ini_set() function).

That’s excellent Zyppora, I will get to work researching that function. The CMS I’m using (Drupal) will (I believe) run with registers enabled, it’s just the initial check on install I need to bypass. Unfortunately I wasn’t sure how to remove that check and getting very little help on Drupal forums. If anyone has links to reports or news topics about compromised systems running with register_globals enabled I would greatly appreciate it. I plan to push to have them disabled. I will be searching for the info on my own as soon as I get to test out Zyppora’s suggestion.

Thank You

EDIT

Unfortunately it did not work. I added the following to the index.php & install.php then I checked the requires and includes on both of those files and added it to all that I found, still getting the error that register_globals is enabled.

ini_set('register_globals','0');

I guess your last option is to trace down and comment out the check for register_globals in the Drupal code. Please realize that this check is a safety check though, and could imply that Drupal’s code is not safe in a register_globals-enabled environment.

On the security issue, I can’t give you any examples of spectacular website hackings off the top of my head, but doing some googling or searching for references from the tutorial sites discussing this issue should get you some hits.
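To make the risk discussed in this thread concrete, here is an added example (not from any poster and not Drupal's code) of the kind of flawed code that depends on register_globals, next to a hardened version. The request array, the `check_login()` helper and its credentials are constructed for illustration, and `extract()` stands in for what the engine does when the directive is on, so the script runs on any PHP version.

```php
<?php
// Added example: models register_globals=On with a constructed request
// array. All names and values here are hypothetical.

// Constructed sample request: ?authorized=1 sent without a valid login.
$request = array('authorized' => '1', 'user' => 'guest', 'pass' => 'wrong');

// Hypothetical credential check shared by both variants.
function check_login($user, $pass) {
    return $user === 'admin' && $pass === 'correct-horse';
}

// Flawed pattern: $authorized is never initialised, so a request
// parameter with the same name decides the outcome.
function flawed_is_authorized(array $request, $register_globals) {
    if ($register_globals) {
        // Stand-in for the engine importing request parameters as
        // variables before the first line of the script runs.
        extract($request);
    }
    if (check_login($request['user'], $request['pass'])) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened pattern: initialise the variable before use and read request
// data only from the explicit array, so imported values are overwritten.
function hardened_is_authorized(array $request, $register_globals) {
    if ($register_globals) {
        extract($request);
    }
    $authorized = false;
    if (check_login($request['user'], $request['pass'])) {
        $authorized = true;
    }
    return $authorized;
}

// Same request, three outcomes: directive off, directive on with the
// flawed code, directive on with the hardened code.
var_dump(flawed_is_authorized($request, false));
var_dump(flawed_is_authorized($request, true));
var_dump(hardened_is_authorized($request, true));
```

Only the flawed variant with the directive modelled as on reports the unauthenticated request as authorized; initialising the variable removes the dependency on the server setting.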
