I am running an older version of PHP and have been told that the register_globals setting should always be disabled. The method has been deprecated for some time and as of PHP 5.4 it no longer even exists. What does register_globals do and why is it important to make sure that this setting has been disabled?
register_globals is a setting that should always be disabled. The directive has been deprecated for some time, and as of PHP 5.4 it no longer even exists. If you are running an older version of PHP, it should be disabled if you are not using it. The big question here is: how can you tell if you are using it? What does register_globals do?
register_globals is a directive that makes PHP turn all request input (the values found in superglobals such as $_POST and $_GET) into ordinary variables. For example, if you have an HTML form with a field called "firstname", submitting the form makes its value available in the $_POST superglobal, and you can access it using $_POST["firstname"]. If you have register_globals enabled, PHP will also automatically create a variable called $firstname and populate it with the value from the POST. This means you do not need to read the superglobal yourself, since the value has already been placed in a variable.
This is a pretty messy way to write code, so I don't really see any scenario where anyone will need to use this. It is very simple to work around, and it's good practice not to use it. On the security side of things, someone could inject their own input into your script through a form field or any other request parameter. PHP will then place that input in a variable, and if the script relies on that variable without setting it first, this could cause all sorts of chaos.
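The risk described above, as an added example that is not part of the original article: it emulates register_globals with a helper so it runs on current PHP, then compares a check that trusts an uninitialised flag with one that sets it first. The helper, the function names, the $authorized flag and the sample request are all assumptions made for illustration.

```php
<?php
// Added example. register_globals no longer exists in PHP 5.4+, so its effect
// is emulated here; the request data below is constructed sample input.

// Emulation (hypothetical helper): copy every request key into a variable
// scope, the way register_globals copied request input into global scope.
function emulate_register_globals(array $request, array &$scope)
{
    foreach ($request as $name => $value) {
        $scope[$name] = $value;
    }
}

// Weak: the flag is only ever set to true and never initialised, so a
// request parameter with the same name can supply its value.
function check_weak(array $scope, $loginOk)
{
    if ($loginOk) {
        $scope['authorized'] = true;
    }
    return !empty($scope['authorized']);
}

// Hardened: the flag is initialised locally, so nothing copied in from the
// request can influence it.
function check_hardened(array $scope, $loginOk)
{
    $authorized = false;
    if ($loginOk) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: the "firstname" field from the text plus one extra
// parameter that the form never defined.
$request = ['firstname' => 'Alice', 'authorized' => '1'];
$scope = [];
emulate_register_globals($request, $scope);

// The login fails ($loginOk = false) in both calls; only the weak check
// lets the request-supplied flag decide the result.
var_dump($scope['firstname']);
var_dump(check_weak($scope, false));
var_dump(check_hardened($scope, false));
```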
How To Disable Register Globals
The official documentation (http://php.net/manual/en/security.globals.php) states the following: "This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0."
If you are using PHP 5.4.0 or above, you can ignore this: your system does not even have the option to enable it, so you can be happy that you are safe.
If you are using an older version of PHP, you can disable the setting by adding or editing the following line in your php.ini file:
register_globals = Off