The register_globals directive is turned OFF by default from PHP version 4.2.
PHP Global Variables
Environment variables, GET, POST, Server, Cookie variables are known as Global Variables.
When the register_globals directive is turned ON (as most ISPs did), you can access/set the global variables like $username, $password instead of $_POST["username"], $_POST["password"].
To turn OFF register global variables, you can add a setting to .htaccess like …
php_flag register_globals off
What is the harm when register_globals is turned ON?
Take the below code for example.
Program: displayuser.php
If register_globals is turned ON, you can display the confidential data from the above program by accessing http://www.yoursite.com/displayuser.php?isValidUser=1
The same applies to the other global variables. This is because in PHP we don't have to initialize variables in our program before using them.
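An added example of the pattern this section describes (not the original displayuser.php listing): an uninitialized $isValidUser flag beside its initialized form. The function names, the sample account and the use of extract() to simulate register_globals on current PHP versions, which no longer have the directive, are assumptions.

```php
<?php
// Added example; names and sample values are hypothetical.
// extract() on the query-string array simulates register_globals=On.

// Hypothetical credential check against one constructed sample account.
function check_login(array $post): bool
{
    return ($post['username'] ?? null) === 'alice'
        && ($post['password'] ?? null) === 'constructed-sample-password';
}

// Vulnerable: $isValidUser is assigned only on success and never initialized,
// so a request parameter of the same name supplies its value.
function display_user_vulnerable(array $get, array $post): string
{
    extract($get, EXTR_SKIP);      // simulated register_globals=On
    if (check_login($post)) {
        $isValidUser = true;
    }
    return !empty($isValidUser) ? 'confidential data' : 'access denied';
}

// Hardened: the flag is initialized before use, which overwrites anything
// the request injected, and input is read only from the explicit array.
function display_user_hardened(array $get, array $post): string
{
    extract($get, EXTR_SKIP);      // same simulated register_globals=On
    $isValidUser = false;          // initialize before any use
    if (check_login($post)) {
        $isValidUser = true;
    }
    return $isValidUser ? 'confidential data' : 'access denied';
}

// Constructed request: displayuser.php?isValidUser=1 with no credentials posted.
$get  = ['isValidUser' => '1'];
$post = [];

echo 'vulnerable: ', display_user_vulnerable($get, $post), PHP_EOL;
echo 'hardened:   ', display_user_hardened($get, $post), PHP_EOL;
```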
How to find if register_globals is turned ON/OFF?
Two easy methods …
i) from phpinfo() function which will display a whole load of data on your environment
ii) by declaring form data or session data in one page and trying to set that variable in the second page via the query string
REMEMBER: From PHP 6 the register_globals directive will be REMOVED. So do not depend on it in your programs.
Two things to remember for beginners!
i) initialize variables
ii) validate EVERY user input