Why Register Globals are disabled

When on, register_globals injects (poisons) your scripts with all sorts of variables, such as request variables from HTML forms. Coupled with the fact that PHP doesn't require variable initialization, this makes writing insecure code that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When it is on, people use variables without knowing for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users; disabling register_globals changes this.
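
The mix-up described above, shown as an added example that is not part of the original page. register_globals was removed in PHP 5.4, so its injection is emulated here with extract(); the function names and the sample request are hypothetical.

```php
<?php
// Constructed sample request: the client sends an extra "authorized" field
// that the script never expected to receive.
$request = ['Name' => 'Alice', 'authorized' => '1'];

// Hypothetical stand-in for a real credential check; this visitor is not logged in.
function is_logged_in(): bool
{
    return false;
}

// Behaviour with register_globals on: every request key becomes a variable.
function legacy_check(array $request): bool
{
    extract($request);        // emulates register_globals injection
    if (is_logged_in()) {
        $authorized = true;
    }
    // $authorized is never initialized by the script, so the value
    // supplied in the request is what gets tested here.
    return !empty($authorized);
}

// Behaviour with register_globals off and explicit initialization.
function hardened_check(array $request): bool
{
    $authorized = false;      // internal state starts from a known value
    if (is_logged_in()) {
        $authorized = true;
    }
    // Request data stays inside $request and cannot overwrite $authorized.
    return $authorized;
}

printf("legacy:   %s\n", legacy_check($request) ? 'authorized' : 'denied');
printf("hardened: %s\n", hardened_check($request) ? 'authorized' : 'denied');
```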

Traditionally, with register_globals enabled, one would simply refer to any variable directly, as $VariableName. To collect your variable information, PHP has SuperGlobals or SuperGlobal Arrays such as $_POST, $_GET, $_SESSION, and $_COOKIE. Using these, you can collect the same information by referring to it through its SuperGlobal name.

If you have a form with two fields, Name and Email, and your form method is POST, you would now refer to your fields like this:


Example Echo:
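// Request data is user-controlled: HTML-escape it before output.
echo "Thank you " . htmlspecialchars($_POST['Name'], ENT_QUOTES, 'UTF-8') . ", your email is: " . htmlspecialchars($_POST['Email'], ENT_QUOTES, 'UTF-8') . ".";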

If your form were posting using the GET method, you would refer to your variables like this:


Example Echo:
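// Request data is user-controlled: HTML-escape it before output.
echo "Thank you " . htmlspecialchars($_GET['Name'], ENT_QUOTES, 'UTF-8') . ", your email is: " . htmlspecialchars($_GET['Email'], ENT_QUOTES, 'UTF-8') . ".";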
