I run a couple of Drupal sites on 1and1 for historical reasons (3 years free). A while ago, I dutifully upgraded them to Drupal 5.7. And was surprised to find that PHP's register_globals was enabled.

All this time, I've been running with a .htaccess file which explicitly disabled that setting -- if 1and1's Apache was running mod_php only, it turns out. Apparently, such PHP settings in .htaccess files don't do anything if running PHP in CGI mode.

Since Drupal 5.7 warns you if register_globals is enabled, it became glaringly obvious that they were. Not a happy situation at all. Drupal is coded intelligently and securely in general, but register_globals is inherently a security risk. It should never be enabled. But worse, in many versions of PHP, there is a bug which allows even more exploits to be used when register_globals is enabled. This bug has been fixed in recent versions of PHP, but hosting companies like 1and1 are notorious for not upgrading their PHP, MySQL, etc. versions.

Fortunately, 1and1 does have a PHP 5 version available. And it's much more secure and defaults to having register_globals disabled:

By default all .php scripts on a 1and1 server use PHP 4 and you have to rename scripts to .php5 for the Apache server to use PHP 5. However, you can easily tell the Apache server to use PHP 5 for all scripts, and this is done by placing a .htaccess file at the root of your web site with the following line in it:


AddType x-mapp-php5 .php


This will tell Apache to use PHP 5 instead of PHP 4 for the extension .php in the directory the .htaccess is placed and all sub-directories under it.