Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why is REGISTER_GLOBALS so bad?

Tags:

php

register-globals

I'm not a PHP developer but i've seen in a couple of places that people seem to treat it like the plague or something. Why?

like image 277
RCIX Avatar asked Sep 13 '09 10:09

RCIX

People also ask

What is Register_globals and why is it a bad idea?

Enabling REGISTER_GLOBALS exposes webpages served by PHP to vulnerabilities which some bad guys will be keen to exploit. will affect the value of a variable $valid (for example) in something. php, if it exists.

What is Register_globals?

register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. If you submit a value in a form, via POST or GET , the value of that input will automatically be accessible via variable in the PHP script, named after the name of the input field.

2 Answers

REGISTER_GLOBALS means that all variables passed through GET or POST are avilable as global variables in your script. Since accessing undeclared variables is not an error in PHP (it's a warning), it can lead to very nasty situations. Consider this, for example:

<?php
// $debug = true;
if ($debug) {
    echo "query: $query\n";
}

It is not a bad thing per se (well engineered code should not generate warnings, therefore should not access any variables that might be undeclared (and should not need REGISTER_GLOBALS for the same reason)), but PHP code is usually [very] low quality, leading to this kind of security holes.

like image 154
soulmerge Avatar answered Sep 19 '22 12:09

soulmerge

Enabling REGISTER_GLOBALS exposes webpages served by PHP to vulnerabilities which some bad guys will be keen to exploit.

With it enabled, any query string at the end of the URL:

http://yourdomain/something.php?valid=true

will affect the value of a variable $valid (for example) in something.php, if it exists.

If you're using publically available PHP code (a library for example) the names of variables are well known, and it would be possible for hackers to control their values by assigning values in the query string. They may be able to bypass authentication.

Even if you're not using public code, it may be possible to guess the names of important variables, and control their values.

It used to be the default to have REGISTER_GLOBALS enabled in PHP.INI

Recent practice has been to disable it by default. Enable it at your own risk!

like image 40
pavium Avatar answered Sep 23 '22 12:09

pavium
Sign in to Comment

Related questions

accessing static methods using a variable class name (PHP)
Eclipse syntax highlighting: trying to specify it for a new file extension, and it's not working
How to run the PHP code asynchronous
Which is better in PHP, Static Variable or Private Variable?
How to display php errors in a more readable format
How to subtract microtime and display date with milliseconds in php?
Is there a simple way to get the language code from a country code in PHP
Set urgent option in phpmailer
PHP: version_compare() returns -1 when comparing 5.2 and 5.2.0?
error WriteBlob Failed using ImageMagick 6.7.9
Importing JSON into Mysql
Routes not working without index.php
PHP - Best approach to detect CSV delimiter
How can I use my own external class in CakePHP 3.0?
PHP: How to prevent multiple execution of a code (if it is already in process)
Laravel Eloquent, select only rows where the relation exists
how to get full description of youtube video using youtube api v3
Change TimeZone dynamically in laravel
CakePHP View including other views
How to debug PHP with netbeans and Xdebug

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!