Using a text editor create a file called php.ini. This will be our first step.

Next, we need to add the following line of code in php.ini
register_globals = off

Upload php.ini file to the root folder where your application resides.

Considerations:

Slight hit to performance takes place when .htaccess directive is set as Apache checks each directory for its existence before any file access in that directory

Next consideration will be with regards how the site owners manage the setting changes and its security which can be misused.

Some of the uses of .htaccess:

i) Applications require .htaccess for it to beautify the URL
ii) Folder or file permission settings can be set using .htaccess
iii) Error documents can be handled through .htaccess
iv) Can be used to allow/disallow bots

Apache advise the usage of httpd.conf file in Apache Server to set the necessary server directive settings and to avoid using .htaccess if it is not necessary.

PHP Global Variables
Environment variables, GET, POST, Server, Cookie variables are knows as Global Variables.

When register_globals directive is turned ON (like what most ISP’s did), you can access/set the global variables like $username, $password instead of $_POST["username"], $_POST["password"].

To turn OFF register global variables, you can add a setting to .htaccess like …
php_flag register_globals off

What is the harm when register_globals is turned ON?

Take the below code for example.

Program: displayuser.php

If register_global is turned ON, you can display the confidential data from the above program by accessing http://www.yoursite.com/displayuser.php?isValidUser=1

So is the case with the other global variables. This is because in PHP we needn’t have to initialize variables in our program before its access.

How to find if register_globals is turned ON/OFF?

Two easy methods …

i) from phpinfo() function which will display a whole load of data on your environment

ii) by declaring a having a form data or session data declared in one page and trying to set the variable ON/OFF in the second page via querystring

REMEMBER: From PHP 6 register global directive will be REMOVED. So do not depend on it in your programs.

Two things to remember for beginners!
i) initialize variables
ii) validate EVERY user input

When we create a domain and would like to have custom error messages for the sites that we build .htaccess file comes in handy.

There may be errors related to site access sucha as 401 – Unauthorized access, 404 – Document Not Found, 500 – Internal Server Error. To handle such error you can create a separate folder called “errors” for the site which will have the files error401.html, error404.html, error500.html each bearing the custom messages that you would like to have it published via the web.

Then, add the following lines of code to .htaccess

ErrorDocument 401 /error401.html
ErrorDocument 404 /error404.html
ErrorDocument 500 /error500.html

Restart the server and we are good to go

user@myhost:~# sudo /etc/init.d/apache2 restart

User authentication in *nix based system involves creating username and password for users to provide them access to directories or files. There are two steps involved in providing user authentication.
1) Creating user name and password file
2) Password protecting directories or files

As the first step, we will create a file called “.mypass” for storing user names and passwords by using the *nix

htpasswd command. Store this file in server root (for e.g. /usrl/local/) and not in web based access folders where public access is given.

We will create a directory called “secured” under /usr/local.

user@myhost:~# cd /usr/local
user@myhost:~# mkdir secured
user@myhost:~# htpasswd -c /usr/local/secured/.mypass username

On running the last command, the user will be prompted to type password for the user “username”. The -c argument is used to create the file “.mypass”. To append to the user list you can type the same command above without -c option. In .mypass file, you will have a combination of user names and encrypted password delimited by “:”.

Ensure that you give read, execute permission settings for the folder “secured” and the file “.mypass”

user@myhost:~# chmod 755 secured
user@myhost:~# chmod 755 secured/.mypass

In order to make .htaccess files work, we need to edit the file /etc/apache2/sites-available/default and go to the line which states “AllowOverride None”. This needs to get changed to “AllowOverride All” to facilitate .htaccess in each folder to override settings given by other directives.

<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# Uncomment this directive is you want to see apache2′s
# default start page (in /apache2-default) when you go to /
#RedirectMatch ^/$ /apache2-default/
</Directory>

Once the above changes are done, we need to reload the Apache configuring setting files by issing the following command

user@myhost:~# sudo /etc/init.d/apache2 reload

Next section will cover the .htaccess setting for password protecting files or directories

If you are hosting your application in your local host or on a dedicated server, then it is a matter of editing httpd.conf file within Apache server folder. Ensure that

LoadModule rewrite_module modules/mod_rewrite.so

is NOT commented inside httpd.conf file. In apache, # (pound sign) is used to comment text. So you need to remove the # sign if it appears before the above statement. Then again check if the following line is also not commented.

AddModule mod_rewrite.c

Once that is done, save the file and restart apache server for the changes to take place.

If you were hosting your applications in a web server where you don’t have access to its internal settings, you can test if mod_rewrite is turned on/off by the following ways:

Test 1:
Easiest way to test if mod_rewrite is ON/OFF is to create a php info file

phpinfo();

?>

Under “apache2handler” check for “Loaded Modules” section. There will be a list of loaded modules. Check if mod_rewrite is present in the list.

Test 2:
By creating a file called .htaccess and then by typing the following lines in it

Options +FollowSymLinks
RewriteEngine On

Save the file. If you had created a virtual site “abc”, you need to save .htaccess file inside /abc folder. Then access the site by entering http://domain.com/abc. If mod_rewrite is ON, then you will not get any error in the display else, you will be getting “Server Error – 500″

XAMPP by ApacheFriends or MAMP has a complete installation of the above products which is an ultimate time saver. But, you should prefer installing each software individually in order to get a grip on the subject.

You can download the latest release from http://cakeforge.org/frs/download.php/695/1.2.0.7962.tar.gz

Common things to do to setup cakePHP on localhost:
1) Give appropriate permission settings for ‘tmp’ folder
2) Open /app/config/core.php and go to the line where configuration setting for Security.salt is defined and change it to another 40 character alphanumeric combination.
3) Rename database.php.default file to database.php and define the respective database settings in it.

Now go to http://localhost/cake-installation-directory. This should list down a colored window indicating that the installation was successful. If a forbidden message appears then check if the any port numbers need to be appended to the URL like http://localhost:8085/cake-installation-directory/.

Edit /etc/httpd/conf/httpd.conf by typing in the following content towards the end of file where similar ‘Directory’ related entries exist.

<Directory />
Options Indexes FollowSymLinks
AllowOverride All
</Directory>

You need to restart the apache server after making the above entries by typing from the terminal window /sbin/service httpd restart.

The above entries when added does the following things:
Options Indexes FollowSymLinks
FollowSymLinks – Enables the server to follow symbolic links in this directory.
Indexes – This option shows a formatted directory listing inside the directory if ‘index’ named file is not found

AllowOverride All

The above setting is valid only inside ‘Directory’ attribute. When this is set to All and if there is a .htaccess file in the directive then it will be allowed access. If it is set to ‘None’ then .htaccess settings will be overridden.

Compressing the content of the pages makes the page size small which in turn will have a positive & significant impact on the page loading. There is a misconception that the larger bandwidth availability or lesser file size is what is needed for faster page loading, which is not.

In .htaccess: to gzip output before delivering the content

<ifmodule mod_headers.c>
<ifmodule mod_deflate.c>

# Compress some text file types
AddOutputFilterByType DEFLATE text/html text/css text/xml application/x-javascript

# Deactivate compression for buggy browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

</ifmodule>
</ifmodule>