Register Globals

For proper security of your PHP scripts you should always have register globals turned off on your web hosting. It is off by default in the latest versions of PHP (from about 4.3 onwards), so most people don't need to worry about it. Some people, however, are still running earlier versions of PHP and haven't turned register globals off, or are running a more recent version and have mistakenly turned register globals on because some badly written script they decided to use wasn't coded to handle having it turned off.

You should make sure that register globals is off on your hosting. If you are not sure how to check this for yourself, ask your web host.

The problem comes when you are creating PHP scripts for others to use on their sites, where you don't control whether they have register globals on or off. You should of course code your script so that it works with register globals off, but how do you protect your script so that, if someone uses it on a site with register globals on, it doesn't allow people to manipulate the script in destructive ways? After all, the site owner will blame your script for the problem rather than their own stupidity in not having register globals turned off.

Provided that the PHP version is 4.1 or later, it is possible to add some code to the front of your scripts so that any variables passed into the script that were not passed the correct way are automatically removed before the rest of your script runs. Your script then behaves at least as if register globals were off, even though other scripts on the site may still allow it. The code that you need to add to the start of all of your scripts is:

<?php
// Only needed when register_globals is actually on for this request.
if (@ini_get('register_globals')) {
    // Every key that arrived via GET, POST or COOKIE may have been registered
    // as a global variable of the same name; remove each such global.
    foreach ($_REQUEST as $var_name => $void) {
        unset($$var_name);
    }
}
?>

With this code in place the passed variables can only be referenced via the $_GET, $_POST, and $_COOKIE arrays. Two caveats: the code must sit at file scope (inside a function, unset() would only remove a local variable), and because it walks $_REQUEST it only covers the GET, POST and cookie keys, not globals that register globals may also have imported from $_SERVER, $_ENV or $_FILES.
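The following is an added example, not code from the original article, showing how the prelude above fits into a script that also reads its input explicitly through the superglobals and initialises every variable it branches on. The helper name request_param and the page names in $allowed_pages are assumptions made for the illustration.

```php
<?php
// Added example (not from the original article): a script prelude that
// (1) neutralises register_globals as the article describes, (2) reads input
// only through the superglobals, and (3) initialises every variable it
// branches on, so a stray global cannot influence the logic either way.

// --- 1. Undo register_globals for the request-supplied keys -----------------
// Must run at file scope: unset() inside a function would only remove a local.
// $_REQUEST covers GET, POST and COOKIE keys; entries register_globals may
// also have imported from $_SERVER, $_ENV or $_FILES are not touched here.
if (@ini_get('register_globals')) {
    foreach ($_REQUEST as $var_name => $void) {
        unset($$var_name);
    }
}

// --- 2. Fetch parameters explicitly ------------------------------------------
// Hypothetical helper: returns the POST or GET value for $name, or $default.
// Only scalar strings are accepted so that array-valued parameters
// (name[]=...) cannot reach code expecting a string.
function request_param($name, $default = null)
{
    if (isset($_POST[$name]) && is_string($_POST[$name])) {
        return $_POST[$name];
    }
    if (isset($_GET[$name]) && is_string($_GET[$name])) {
        return $_GET[$name];
    }
    return $default;
}

// --- 3. Always initialise control-flow variables -----------------------------
// A script that tested "if ($authorized) { ... }" without assigning
// $authorized first relied on the variable being unset. Initialising it makes
// the script correct whether or not register_globals is on.
$authorized = false;
$page       = request_param('page', 'home');

// Map the parameter through a whitelist rather than trusting it as a file name.
$allowed_pages = array('home' => 'home.inc', 'about' => 'about.inc');
if (!isset($allowed_pages[$page])) {
    $page = 'home';
}

// ... a real session check would set $authorized = true here ...

if ($authorized) {
    include $allowed_pages[$page];
} else {
    echo 'Please log in.';
}
?>
```

Placing the register_globals block first matters: everything after it sees the request only through $_GET, $_POST and $_COOKIE, and the explicit initialisation of $authorized means the script stays correct even on a host where the block is never needed.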


This article written by Stephen Chapman, Felgall Pty Ltd.
