Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I have register globals on, but I'm worried about security. I have to keep it on for other reasons so I can't just turn it off. If you go to a URL like this: test.php?results[]=1&results[]=2&results[]=3&results[]=4 normally it would override the $results variable when I echo it. But if I assign it a second time, it seems to override the one provided by the URL. Is there any way that the variable from the URL can be passed so that it would still be used after the second assign? I know there are other ways to do this, but I'm interested in the way that this works.
It sounds to me like you don't understand what is dangerous about register_globals. It is because you allow a user to define the value of an uninitialized variable.
Your question seems to indicate that you want to use the same variable name for several things but not have the values overwritten. This isn't possible.
The other issue stems from your apparent understanding of the security hole that register_globals makes, but you want to have your cake and eat it too. Whether or not there is a perceived security risk doesn't mean someone can't find one.
Then it doesn't affect it, there is no APPARENT security problem. I was asking if that works or is there some way around what I've come up with.
If you do that you are right. But people forget. One of the principles of security is called "defence in depth": this is where you take multiple measures to ensure something is secure in case one of them fails.
If possible, turn register_globals off. You can do it a few ways including .htaccess (with mod_php but NOT if PHP is running in CGI mode). There's also ini_set(). The last is more portable.
If the application requires register_globals to be enabled then check for an updated version, or maybe see if there's an alternative application for what you want, or just patch the application (if you wrote it) so register_globals is not required.
At the end of the day, it's a security risk. Applications which require register_globals to operate carry an inherently higher security risk than those which manually disable register_globals despite the local settings in php.ini.
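The behaviour discussed in this thread, as an added example that is not part of any post: an unconditional assignment replaces the URL-supplied value, while an assignment that only happens on some code paths lets it through. It assumes extract() as a stand-in for register_globals (which was removed in PHP 5.4); the function names and the `search` parameter are hypothetical.

```php
<?php
// Added example, not code from the thread. extract() copies request
// parameters into local variables before the page logic runs, which is
// what register_globals did for the global scope.

// Hypothetical page that only assigns $results on one code path.
function page_uninitialized(array $query): array
{
    extract($query);                  // stand-in for register_globals
    if (!empty($query['search'])) {   // assignment is skipped without ?search=
        $results = ['from-database'];
    }
    // If no search ran, $results is whatever the request injected.
    return isset($results) ? (array) $results : [];
}

// Same page, but $results is assigned unconditionally before first use.
function page_initialized(array $query): array
{
    extract($query);                  // stand-in for register_globals
    $results = [];                    // replaces anything the request injected
    if (!empty($query['search'])) {
        $results = ['from-database'];
    }
    return $results;
}

// Constructed input mirroring the URL in the question:
// test.php?results[]=1&results[]=2&results[]=3&results[]=4
parse_str('results[]=1&results[]=2&results[]=3&results[]=4', $query);

// The request-supplied values survive because nothing assigned $results.
var_dump(page_uninitialized($query));

// The unconditional assignment wins, so the injected values are gone.
var_dump(page_initialized($query));
```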