Last updated January 13, 2010. Created on February 15, 2008.
Edited by gpk, Wolfflow, Aren Cambre, keith.smith.


N.B.: need to check whether it is possible to upgrade existing sites to 6.x/7.x when register_globals is enabled.

PHP's deprecated Register Globals feature is a general security risk, as discussed on that page. Under certain server configurations it can give rise to a specific cross-site scripting vulnerability with Drupal core. The vulnerability is described in security announcement SA-2008-007.

Therefore, since versions 5.6 and 6.x, Drupal won't install on a server which has register_globals enabled; nor will you be able to upgrade an existing site to 6.x (need to check this). Instead, you will be presented with a message such as:

Incompatible environment
The following error must be resolved before you can continue the installation process:
register_globals is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when register_globals is enabled. The PHP manual has instructions for how to change configuration settings. (Currently using PHP register globals Enabled ('1'))

Note that the actual value of the register_globals setting under which Drupal is running is reported at the end of the message: 1 in this example.

Existing 5.x and 4.7.x sites will continue to run but will display a warning message in the admin area when upgraded to 5.6 and higher or 4.7.11 and higher.

How to disable register_globals

If you use shared hosting it may be best to try persuading your host to turn this feature off. Failing that, or if using your own server or VPS or localhost installation, you can try these approaches. Note that the configuration of the server may prevent them from having the desired effect, in which case you will need to speak to your host.

If PHP is running as CGI (how can I tell?)

You can try using a custom php.ini file located in Drupal's root folder (i.e. the folder containing Drupal's index.php). This will only work if your host has enabled the use of custom php.ini files.

So, create a file named php.ini in Drupal's root folder with the following line:
register_globals = off

If php.ini already exists then add the above line to it.

If this works, and if you created a new php.ini file, you may want to follow the instructions on the page Creating a custom php.ini using the server default php.ini and configuration settings in order to avoid inadvertently changing some of the server's PHP configuration options.

If PHP is running as an Apache module (how can I tell?)

Make sure that Drupal's main .htaccess file (the one in Drupal's root folder) includes the line:
php_value register_globals 0

This directive has been there since Drupal 4.2 (June 2003). You may want to add it again at the top of the file in case any customizations made to .htaccess are preventing the existing directive from working properly.

In 7.x you should find the following line in .htaccess:
php_flag register_globals 0

This second form is preferred, but in practical terms it shouldn't behave any differently from the first form.

Note that the configuration of some servers restricts what you can do in .htaccess; however, while this directive may not work on the cheapest hosting packages it should work fine on all reasonable quality packages, provided that PHP is running as an Apache module.

If you are using your own server or localhost installation

The best approach would be to change the configuration of register_globals in the main php.ini configuration file. You can find out the location of this file by running phpinfo() (see below).

If the above don't help

If your server is running PHP 4 by default then another option is to try to force Drupal to use PHP 5. This sometimes fixes the problem because register_globals is disabled by default in PHP 5, whereas it was enabled by default in PHP 4.

In Drupal's main .htaccess file, try adding the following line:
AddType x-mapp-php5 .php

If that doesn't help, speak to your host: if they have PHP 5 available as well as PHP 4, there will be some way of enabling it, but the details will vary from one host to another.

Finally, note that you can't use ini_set() (e.g. in settings.php) to change the register_globals setting, since it can't be modified at runtime.
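To confirm what the php.ini and .htaccess files discussed above actually configure, the following added example (not part of the Drupal handbook or Drupal core) scans file contents for register_globals directives in the forms shown on this page. The function names and the sample file contents are constructed for illustration; the script reports only what the files say, while the value PHP is really running with is the one shown by phpinfo() or the installer message.

```python
import re

# Words PHP treats as "on" for a boolean directive; other non-numeric words count as off.
TRUE_WORDS = {"on", "yes", "true"}
# php.ini form:   register_globals = off
INI_RE = re.compile(r"^\s*register_globals\s*=\s*([^;\s]*)", re.I)
# .htaccess form: php_value register_globals 0   or   php_flag register_globals 0
HTACCESS_RE = re.compile(r"^\s*php_(?:value|flag)\s+register_globals\s+(\S+)", re.I)

def find_settings(text, kind):
    """Return [(line_no, enabled)] for each active register_globals directive.

    kind is "ini" (php.ini) or "htaccess". Commented-out lines (';' in php.ini,
    '#' in .htaccess) set nothing, so they are skipped rather than read as "off".
    """
    pattern, comment = (INI_RE, ";") if kind == "ini" else (HTACCESS_RE, "#")
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(comment):
            continue
        m = pattern.match(line)
        if m:
            value = m.group(1).strip("\"'").lower()
            enabled = value in TRUE_WORDS or (value.isdigit() and int(value) != 0)
            found.append((no, enabled))
    return found

def verdict(settings):
    """Summarise one file: unset, disabled, enabled, or conflicting directives."""
    states = {on for _, on in settings}
    if not states:
        return "unset"
    if len(states) == 2:
        return "conflicting"
    return "enabled" if True in states else "disabled"

# Constructed sample file contents, for illustration only.
SAMPLE_INI = "; sample php.ini\n;register_globals = On\nregister_globals = off\n"
SAMPLE_HTACCESS = "# sample .htaccess\nphp_value register_globals 0\nphp_flag register_globals on\n"
COMMENTED_ONLY = ";register_globals = On\n"

if __name__ == "__main__":
    for name, text, kind in [("php.ini", SAMPLE_INI, "ini"),
                             (".htaccess", SAMPLE_HTACCESS, "htaccess"),
                             ("commented-only php.ini", COMMENTED_ONLY, "ini")]:
        hits = find_settings(text, kind)
        print(name, verdict(hits), hits)
```

A result of "unset" means the file leaves the value to be inherited from another configuration level or the PHP default, and "conflicting" points at a customization that re-enables the directive alongside the line that disables it.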

How can I tell if PHP is running as CGI or as an Apache module?

Create a file named phpinfo.php in Drupal's root folder (the file must be located here to guarantee accurate results), containing a PHP script that calls phpinfo().

Then visit phpinfo.php under the full URL of your Drupal installation. Near the top, look for Server API. If PHP is running as CGI then this should report something like "CGI" or "CGI/FastCGI"; if running as an Apache module it should report something like "Apache", "Apache handler" or "Apache 2.0 handler".

When finished you may want to remove the phpinfo.php file to prevent the possibility of revealing information about your server configuration.

More information

For more information about how to change PHP configuration settings, see "How to change configuration settings" in the PHP Manual.



qt-dsa’s picture

to fix this, in ubuntu, you need to find php.ini

this worked for me, if you don't have nano, just install it like this in terminal sudo apt-get install nano

#in terminal
nano /etc/php5/apache2/php.ini

#in terminal search --- > ctrl + w and type this register_globals , when you find it just add ; to turn it off

;register_globals , it should look like this. this means it's off

# to exit nano or to save ctrl + o = save file, to save file while exiting ctrl + x

#now restart webserver like this

sudo /etc/init.d/apache2 restart

that's it.

that's how it should be not that stupid trash posted above

BrianLewisDesign’s picture

Network Solutions... not awesome for Drupal 7. All files uploaded with FTP get wrong permissions by default. You need a bunch of custom server settings to get Drupal 7 working without 404, 403, forbidden, admin access denied, and clean URLs, memory limit, or session errors. They have wasted a couple days of my time this week. I read that they are slow and oversell shared hosting, but I am still under development, can't confirm that yet.

Drupal 7 settings for network solutions:
php.ini (in the cgi-bin directory above the htdocs web root folder)
Lots of fun server settings here.

register_globals = off;
upload_max_filesize = 20M;
post_max_size = 96M;
memory_limit = 128M;
output_buffering = 2048;
magic_quotes_gpc = 0;
session.auto_start = 0;
mbstring.http_input = pass;
mbstring.http_output = pass;
mbstring.encoding_translation = 0;

.htaccess (in drupal install directory)
Use drupal default .htaccess, and uncomment the RewriteBase including your folder name if it's a subfolder of htdocs.

RewriteBase /myfolder

settings.php (755 the permissions temporarily so FTP works)
Comment out the $cookie_domain, and uncomment the $base_url and put your URL.

$base_url = '';  // NO trailing slash!

Hope this saves some time.