I'm not a PHP developer but I've seen in a couple of places that people seem to treat it like the plague or something. Why?
register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. If you submit a value in a form, via POST or GET, the value of that input will automatically be accessible via a variable in the PHP script, named after the name of the input field.
REGISTER_GLOBALS means that all variables passed through GET or POST are available as global variables in your script. Since accessing undeclared variables is not an error in PHP (it's a warning), it can lead to very nasty situations. Consider this, for example:
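<?php
// $debug = true;
// $debug is never assigned here, so with register_globals on
// its value comes straight from the request.
if ($debug) {
    echo "query: $query\n";
}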
It is not a bad thing per se (well engineered code should not generate warnings, therefore should not access any variables that might be undeclared (and should not need REGISTER_GLOBALS for the same reason)), but PHP code is usually [very] low quality, leading to this kind of security hole.
Enabling REGISTER_GLOBALS exposes webpages served by PHP to vulnerabilities which some bad guys will be keen to exploit.
With it enabled, any query string at the end of the URL:
http://yourdomain/something.php?valid=true
will affect the value of a variable $valid (for example) in something.php, if it exists.
If you're using publicly available PHP code (a library, for example) the names of variables are well known, and it would be possible for hackers to control their values by assigning values in the query string. They may be able to bypass authentication.
Even if you're not using public code, it may be possible to guess the names of important variables, and control their values.
It used to be the default to have REGISTER_GLOBALS enabled in PHP.INI.
Recent practice has been to disable it by default. Enable it at your own risk!
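The uninitialised-variable problem the answers above describe, next to the hardened form, as an added example that is not code from any of the answers. It assumes PHP 7 or later, emulates the register_globals import with extract() because the setting was removed in PHP 5.4, and uses hypothetical function names and a constructed secret.

```php
<?php
// Added example. extract() emulates the import register_globals performed;
// the setting itself was removed in PHP 5.4. All names are hypothetical.

const SECRET = 'constructed-secret';   // constructed value for the demo

// Vulnerable pattern: $valid is assigned only on success, so a value
// imported from the request survives a failed password check.
function check_login_vulnerable(array $request, string $password): bool
{
    extract($request, EXTR_SKIP);      // request keys become local variables
    if ($password === SECRET) {
        $valid = true;
    }
    return !empty($valid);
}

// Hardened pattern: nothing is imported, and $valid is initialised first.
function check_login_hardened(array $request, string $password): bool
{
    $valid = false;
    if (hash_equals(SECRET, $password)) {
        $valid = true;
    }
    return $valid;
}

// Deployment check: ini_get() returns false when the directive is unknown.
function register_globals_enabled(): bool
{
    $v = ini_get('register_globals');
    return $v !== false
        && in_array(strtolower((string) $v), ['1', 'on', 'true', 'yes'], true);
}

// Constructed request, equivalent to something.php?valid=true
$request = ['valid' => 'true'];

printf("vulnerable, wrong password: %s\n", var_export(check_login_vulnerable($request, 'wrong'), true));
printf("hardened, wrong password:   %s\n", var_export(check_login_hardened($request, 'wrong'), true));
printf("register_globals enabled:   %s\n", var_export(register_globals_enabled(), true));
```

The same extract() call on request data reintroduces the problem on current PHP versions, so it is worth searching a code base for it even where register_globals no longer exists.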