Register Globals directive is turned OFF from PHP version 4.2.
PHP Global Variables
Environment variables, GET, POST, Server, Cookie variables are knows as Global Variables.
When register_globals directive is turned ON (like what most ISP’s did), you can access/set the global variables like $username, $password instead of $_POST["username"], $_POST["password"].
To turn OFF register global variables, you can add a setting to .htaccess like …
php_flag register_globals off
What is the harm when register_globals is turned ON?
Take the below code for example.
Program: displayuser.php
If register_global is turned ON, you can display the confidential data from the above program by accessing http://www.yoursite.com/displayuser.php?isValidUser=1
So is the case with the other global variables. This is because in PHP we needn’t have to initialize variables in our program before its access.
How to find if register_globals is turned ON/OFF?
Two easy methods …
i) from phpinfo() function which will display a whole load of data on your environment
ii) by declaring a having a form data or session data declared in one page and trying to set the variable ON/OFF in the second page via querystring
REMEMBER: From PHP 6 register global directive will be REMOVED. So do not depend on it in your programs.
Two things to remember for beginners!
i) initialize variables
ii) validate EVERY user input
Tags: .htaccess, global variables, regis, register globals, register_globals, security vulnerability
[...] Read more [...]