
I told you earlier about the PHP5 upgrade. Here I will go deeper into the register_globals feature and some of the issues with it.

The register_globals feature is off by default in PHP5 and deprecated and removed in PHP6. Relying on this feature is highly discouraged.

The most controversial change in PHP was when the default value for the PHP feature register_globals went from ON to OFF in PHP 4.2.0. Reliance on this directive was quite common, and many people didn’t even know it existed and assumed it was just how PHP works. This feature caused me a lot of trouble when migrating to PHP5, as I had to discover why my variables didn’t pass from one page to another anymore. When on, register_globals injects all sorts of variables into your scripts, such as request variables from HTML forms. This, coupled with the fact that PHP doesn’t require variable initialization, means writing insecure code is that much easier.

Of course, simply turning off register_globals does not mean your code is secure. Every piece of submitted data should also be checked in other ways. Always validate your user data and initialize your variables! To check for uninitialized variables, you may turn up error_reporting() to show E_NOTICE level errors. I really have to do this with my scripts.

Consider the following HTML form:

<form method="post" action="action.php">
<input type="text" name="user">
<input type="submit">
</form>

When register_globals is enabled, PHP can access the value of the “user” control like this:

echo "The value of the \"user\" field is $user";

With register_globals disabled, the $_POST superglobal array variable must be used instead:

echo "The value of the \"user\" field is " . $_POST['user'];

Quick Tip: Use $_POST['user'] instead of $_POST["user"]

Use the following sequence to capture variables from a previously posted form:

$variable1 = $_POST['variable1'];
$variable2 = $_POST['variable2'];
$variable3 = $_POST['variable3'];

Replace $_POST with $_GET depending on the form action.
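
An added example, not code from the original post: it shows why an uninitialized variable is dangerous once request fields become variables, next to the explicit $_POST style recommended above. register_globals is gone from current PHP, so extract() emulates it here; the function names, the authorized flag and the sample requests are assumptions made for illustration, and the ?? operator needs PHP 7 or later.

```php
<?php
// Added example. register_globals no longer exists in current PHP, so
// extract() stands in for it: both turn request keys into variables.
error_reporting(E_ALL); // also reports uninitialized variables

// Legacy-style check (hypothetical) that never initializes $authorized.
function legacy_is_authorized(array $request, string $expectedUser): bool
{
    extract($request); // emulates register_globals = On
    if (isset($user) && $user === $expectedUser) {
        $authorized = true;
    }
    // When the check above fails, $authorized holds whatever a request
    // field named "authorized" put there.
    return !empty($authorized);
}

// Hardened check (hypothetical): initialize, read one named field, validate.
function strict_is_authorized(array $post, string $expectedUser): bool
{
    $authorized = false;           // explicit initialization
    $user = $post['user'] ?? null; // explicit source, no notice if absent
    if (is_string($user)
        && preg_match('/^[A-Za-z0-9_]{1,32}$/', $user) === 1
        && $user === $expectedUser) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample requests; in a real script this would be $_POST.
$requests = [
    'expected form fields' => ['user' => 'alice'],
    'extra field added'    => ['user' => 'mallory', 'authorized' => '1'],
];

foreach ($requests as $label => $request) {
    printf(
        "%-22s legacy=%s strict=%s\n",
        $label,
        var_export(legacy_is_authorized($request, 'alice'), true),
        var_export(strict_is_authorized($request, 'alice'), true)
    );
}
```

Run it with the PHP command-line interpreter. The second request passes the legacy check only because of its extra field and is rejected by the strict one.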


One thought on “PHP register_globals”

  1. Setting the default for register_globals to off was such a wonderful change for PHP5. It’s very easy for your code to get confused or for people to inject bad variables into your page with register_globals on. I don’t miss it.
