Home/Linux Howtos/How To enable register_globals for a single virtual host on apache

How To enable register_globals for a single virtual host on apache

How to enable register_globals for a virtual host on apache

The Problem

You just finished implementing your portal or ecommerce web application and are ready to deploy. Because it is based on legacy (old) code, it utilizes a php feature which used to be enabled by default. However because the feature was often used incorrectly by inexperienced web developers not familiar with clean and secure coding practices, it can lead to easy-to-exploit security holes.

In response to the potential security risk Zend (the group which developed php) elected to ship PHP with register_globals turned off by default in php.ini as of 4.2.0 and now consider it a deprecated feature (by deprecated what is meant is that the feature is going away at some point). The feature could not be pulled because the feature was relied upon heavily in many applications.

Furthermore, many web hosts will not enable this feature on the server for you. Since you have completed your application, and it's coded using sound programming techniques, you are confident that your application is not susceptible to the potential exploits, and you sure aren't going to rearchitect the application at this point. You're wondering what solution you can find? You really like the hosting service you are using, and there is not time to switch hosts and meet your deadline. What is the solution?

There's hope!

Don't worry, there's hope! When writing a quick script to determine which php features you do and don't have access to you notice something:

The php script to check php settings:

<?php phpinfo(); ?>

The php script output (well, an excerpt from it):

php core register globals off
 

What you notice is that each php core directive has a "Local Value" and a "Master Value" - and although you are not a sysadmin or network administrator you realize that this must be able to help you in some way.

The Solution: Enabling register_globals on a per-virtual-server basis

Providing your host has enabled AllowOverrides for your account, you can enable register_globals for your web application via your .htaccess file!

Here is how to enable register_globals via .htaccess:

1. Create an .htaccess in your virtual host's root directory
2. put the following code in it: # Override PHP settings. The first IfModule is # for Apache 1.3, the second for Apache 2. php_value register_globals 1 php_value register_globals 1
3. Save the settings
4. Run your previous phpinfo script and check the settings. register_globals will now be enabled for your virtual host!

register globals on for virtual host
 

As you can see, phpinfo now reports your local value for the register_global directive as on.

5. Test your application

If this does not solve the problem then your host needs to enable AllowOverrides. Also note: some hosts rename .htaccess to something else, so if no .htaccess directives work at all, contact your host to find out what the correct name for .htaccess is.

The best part of being able to drive php directives in .htaccess is that you don't even need to restart apache make the change; they take effect somewhere between immediate to a few seconds after saving the file.