
What's wrong with globals on?

Posted: Tue May 13, 2003 1:23 pm
by Dark_Raider
I've read that it's a big security issue to have register_globals on. I've also read that it doesn't matter. Does anybody really know why it should or should not be on?

Posted: Tue May 13, 2003 1:58 pm
by twigletmac
The major problem with having register_globals on is that it's deprecated - i.e. it will not be available as an option in all future releases of PHP. Coding with register_globals off does not make a script inherently secure, neither does coding with it on make all scripts insecure.

Learning how to work with $_POST, $_GET, $_COOKIE et al. will mean that your scripts will be future-proof for some time and it will be obvious to you (and others) where variables are coming from. $id means nothing, $_POST['id'] means a variable coming from an HTTP POST action. You can also make it difficult for people to pass variables through the query string in the URL in order to overwrite other global variables by specifically indicating where the information should come from. However, there are still ways in which you can mimic the effect of register_globals (even with it off) and negate all the benefits of it being off. If you haven't already, you should take a look at:
viewtopic.php?t=511

For the official story:
http://www.php.net/manual/en/tutorial.oldcode.php
http://www.php.net/manual/en/configurat ... er-globals
http://www.php.net/manual/en/security.r ... lobals.php

Mac
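
The overwrite problem described in the reply above, as an added example that is not part of the original thread: an uninitialised flag that a request variable can pre-set, beside the same page reading from an explicit source. It assumes extract() as the stand-in that mimics register_globals (the setting itself was removed in PHP 5.4); check_login(), page_with_globals(), page_explicit() and the sample request are hypothetical.

```php
<?php
// Constructed sample request: what PHP would parse from "?id=7&authorized=1".
$request = ['id' => '7', 'authorized' => '1'];

// Hypothetical credential check; stands in for a real session lookup.
function check_login(array $session): bool
{
    return ($session['user'] ?? '') === 'admin';
}

// Pattern 1: register_globals behaviour, mimicked here with extract().
// Every request key becomes a local variable, including $authorized.
function page_with_globals(array $request, array $session): string
{
    extract($request);              // same effect as register_globals = On
    if (check_login($session)) {
        $authorized = true;         // set only on success, never initialised
    }
    // $authorized may already hold the caller-supplied value at this point.
    return !empty($authorized) ? "secret for id $id" : 'denied';
}

// Pattern 2: take each value from the source it must come from and
// initialise the flag, so nothing in the request can pre-set it.
function page_explicit(array $get, array $session): string
{
    $authorized = check_login($session);   // always assigned, true or false
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'bad id';
    }
    return $authorized ? "secret for id $id" : 'denied';
}

$anonymous = [];                    // constructed: nobody is logged in
echo page_with_globals($request, $anonymous), "\n";
echo page_explicit($request, $anonymous), "\n";
```

With nobody logged in, the first function returns the protected content because the request supplied `authorized`, while the second returns `denied` for the same input.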