Making 1and1 More Secure

I run a couple of Drupal sites on 1and1 for historical reasons (3 years free). A while ago, I dutifully upgraded them to Drupal 5.7. And was surprised to find that PHP's register_globals was enabled.

All this time, I've been running with a .htaccess file which explicitly disabled that setting -- if 1and1's Apache was running mod_php only, it turns out. Apparently, such PHP settings in .htaccess files don't do anything if running PHP in CGI mode.

Since Drupal 5.7 warns you if register_globals is enabled, it became glaringly obvious that they were. Not a happy situation at all. Drupal is coded intelligently and securely in general, but register_globals is inherently a security risk. It should never be enabled. But worse, in many versions of PHP, there is a bug which allows even more exploits to be used when register_globals is enabled. This bug has been fixed in recent versions of PHP, but hosting companies like 1and1 are notorious for not upgrading their PHP, MySQL, etc. versions.

Fortunately, 1and1 does have a PHP 5 version available. And it's much more secure and defaults to having register_globals disabled:

By default all .php scripts on a 1and1 server use PHP 4 and you have to rename scripts to .php5 for the Apache server to use PHP 5. However, you can easily tell the Apache server to use PHP 5 for all scripts, and this is done by placing a .htaccess file at the root of your web site with the following line in it:

AddType x-mapp-php5 .php

This will tell Apache to use PHP 5 instead of PHP 4 for the extension .php in the directory the .htaccess is placed and all sub-directories under it.


THANK YOU!! You fixed the 1&1 / Drupal register_globals prob

1&1 / Drupal register_globals problem with installation.
I tried all of the other suggestions that I could find, and this was the one that helped for Installing Drupal on 1&1.
to help others experiencing this problem with Drupal/ 1&1, I tried to placing the php.ini file in the root folder with each suggestion that I could find such as:
php_flag register_globals off
etc, etc
It did not work.

For 1&1, the help in this article is the ONLY one that worked.
I wasted almost a whole day trying to figure it out.

This was the initial error message:
register_globals is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when register_globals is enabled. The PHP manual has instructions for how to change configuration settings. (Currently using PHP register globals Enabled ('1'))


Nice to find a work around!

Thank you, it worked like a charm!

Thanks for your post. I got the same error message trying to install drupal on my 1and1 server but your solution made it really easy to fix. Thanks again!

Thank you!

This worked for my Drupal installation under 1&1 as well.