
What are register_globals in PHP?

Tags:

php

Can someone give some examples of what register_globals are?
And is global $user_id; considered a register global?

asked Aug 29 '10 01:08

sadder


3 Answers

The register_globals directive:

register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. If you submit a value in a form, via POST or GET, the value of that input will automatically be accessible via a variable in the PHP script, named after the name of the input field.

In other words, if you submitted a form containing a username text field, the expression ($username === $_POST['username']) at the very beginning of the script would return true.

Its notoriety is attributed to the fact that it opens lots of security holes, especially for people that follow anything less than a strict coding style from a security perspective.

Classic example:

if(user_is_admin($user))
{
    $authorized = true;
}

if($authorized)
{
    // let them do anything they want
}

Now, if you visited that script in a web browser and the server had register_globals on, you could simply append ?authorized=1 to the URL and god-mode would be enabled!

The global keyword:

global is a keyword that has little to do with register_globals.

Here is an example of its use:

$foo = 'bar';

baz();

function baz()
{
    echo $foo; // PHP warns you about trying to use an uninitialized variable
               // and nothing is output (because $foo doesn't exist here)
}

buzz();

function buzz()
{
    global $foo; // Enables the use of $foo in this scope

    echo $foo; // Prints 'bar' to screen
}
answered Nov 06 '22 20:11

Tim
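
The classic example from the answer above, as an added example that is not part of the original answer: register_globals was removed in PHP 5.4, so this sketch emulates it with extract() on a constructed request array and puts the uninitialised check beside a version that initialises $authorized. The function names, the user_is_admin() stand-in and the sample users are assumptions.

```php
<?php
// Hypothetical stand-in for the answer's user_is_admin(); constructed for this demo.
function user_is_admin(string $user): bool
{
    return $user === 'alice';
}

// Vulnerable pattern: request keys become variables before the script runs,
// and $authorized is only ever assigned on the admin branch.
function is_authorized_vulnerable(array $request, string $sessionUser): bool
{
    // Emulates register_globals=on. EXTR_SKIP leaves the two parameters
    // alone, the way script assignments would win over registered globals.
    extract($request, EXTR_SKIP);

    if (user_is_admin($sessionUser)) {
        $authorized = true;
    }

    // For a non-admin, $authorized holds whatever the request supplied.
    return !empty($authorized);
}

// Hardened pattern: the flag is initialised before any branch, so nothing
// registered from the request can survive into the check.
function is_authorized_hardened(array $request, string $sessionUser): bool
{
    $authorized = false;

    if (user_is_admin($sessionUser)) {
        $authorized = true;
    }

    return $authorized;
}

// Constructed input: the query string ?authorized=1 from the answer,
// sent by a user who is not an admin.
$request = ['authorized' => '1'];

foreach (['mallory', 'alice'] as $user) {
    printf(
        "%-8s vulnerable=%s hardened=%s\n",
        $user,
        var_export(is_authorized_vulnerable($request, $user), true),
        var_export(is_authorized_hardened($request, $user), true)
    );
}
```

Auditing older code for the same flaw means looking for extract() or import_request_variables() applied to request arrays, and for flags that are read without being assigned on every path.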


Everyone is mentioning that GET, POST, REQUEST and COOKIE are affected when register_globals=on.

I'm just writing this to let you know that -

$_SESSION will be affected as well because of register_globals=on. http://php.net/manual/en/security.globals.php

That means - if you do the following -

$_SESSION['x'] = 123;
$x = 'asd';
echo $_SESSION['x'];

The output will be asd.

And this will cause serious security issues and bugs. I experienced such a bad thing recently while using Hostgator shared hosting. By default they have register_globals=on.

answered Nov 06 '22 21:11

Aajahid


When you have register_globals=on, anything passed via GET or POST or COOKIE automatically appears as a global variable in code; this might have security consequences.

I.e. you click on the URL test.php?access_level=100 and you'll have $access_level = 100 in PHP.

When you do global $somevar - you are making your own global variable, which usually is not a big issue.

answered Nov 06 '22 20:11

BarsMonster