register globals

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
Jump to navigation Jump to search


register globals is an option in PHP. When turned on, it is also a security hole.


When PHP was first written, its method of passing environment data (such as data from forms, cookies, etc.) was to create a global variable corresponding to every environment variable.

It was later realized that this was a potential security risk, as it allowed URL queries to be constructed to overwrite pre-existing variables in the PHP code; PHP programs had to be written carefully in order to prevent any possibility of this happening.

Later versions of PHP introduced the use of several arrays where the various environment variables were stored – $_GET for URL query variables, $_POST for form-posted variables, $_SERVER for server information, etc. The old method was still enabled by default, but could be deactivated via the register_globals option (settable in php.ini or via .htaccess files).

In PHP 4.2.0, register_globals was turned off by default, but could still be turned back on.