What is register_globals in PHP and how does it affect website security?

PHP is a loosely typed language, i.e. you have to write less and can code whatever you want (structured programming) 🙂
PHP is used for quick web development, and its library is very rich.


We can’t say whether it is a good point or a poor one that PHP doesn’t require initialization of variables, but leaving them uninitialized is a bad habit. Let me explain what problems arise if the user does not initialize variables.


In your php.ini file you can see the PHP settings, the installed libraries and the default values set for the flags.
You can view all of these with a built-in PHP function.

[php]<?php phpinfo(); ?>[/php]


Now find register_globals and check whether its value is set to off or on.
By default in PHP >= 4.2 it is set to off; after a great deal of discussion, the community decided to turn it off by default.
Let me explain the reason behind that decision.


If register_globals is on and a value named var has been set elsewhere (for example a variable $var initialized on another page and kept in $_SESSION['var'], or a value sent as $_GET['var'] or $_POST['var']), then a script that uses $var without initializing it implicitly receives that value.


PHP provides the following predefined variables: $GLOBALS, $_SESSION, $_GET, $_POST, $_COOKIE, $_REQUEST, $_SERVER, $_FILES and $_ENV.


If register_globals is on, it injects all sorts of variables into your scripts, such as request/post variables from HTML forms. Because PHP doesn’t require variable initialization, this makes writing insecure code much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When it is on, people use variables without really knowing where they come from and can only assume. Internal variables defined in the script itself get mixed up with request data sent by users; disabling register_globals changes this.


Setting register_globals = off reduces the chance of malicious users “leaking in” variables with horrible content. You now have to import these variables explicitly with $_GET, $_POST, or $_REQUEST, which cuts the chance that you have forgotten to assign a valid default value before importing the actual value (if any) from $_REQUEST etc. Of course, you should still validate a variable’s data before making use of it, to prevent injection attacks. If a variable contains bad content, it doesn’t matter how it arrived in your code (explicitly via $_REQUEST, or implicitly via register_globals).
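The effect described above, as an added example that is not part of the original article. Since register_globals was removed in PHP 5.4, the directive is emulated here with extract(); the function names, the is_known_admin() check and the request array are constructed for illustration.

```php
<?php
// Added example, not from the original article. All names are hypothetical.
// register_globals no longer exists in current PHP, so its effect is emulated
// with extract(): every request parameter becomes a variable in scope, the
// way the directive turned request parameters into global variables.

// Constructed request: it carries an extra parameter, authorized=1.
$request = ['user' => 'guest', 'authorized' => '1'];

// Stand-in for a real credential check (assumption for this example).
function is_known_admin(string $user): bool
{
    return $user === 'admin';
}

// "Before": code written for register_globals = on.
function legacy_page(array $request): string
{
    extract($request);              // emulates register_globals = on
    if (is_known_admin($user)) {
        $authorized = true;         // only ever assigned on success
    }
    // $authorized was never initialized, so for any other user it holds
    // whatever value the request supplied under that name.
    return !empty($authorized) ? 'admin panel' : 'access denied';
}

// "After": behaves the same whether register_globals is on or off.
function hardened_page(array $request): string
{
    $authorized = false;            // explicit default, never taken from input
    $user = isset($request['user']) && is_string($request['user'])
        ? $request['user'] : '';    // explicit import plus a type check
    if (is_known_admin($user)) {
        $authorized = true;
    }
    return $authorized ? 'admin panel' : 'access denied';
}

echo legacy_page($request), "\n";
echo hardened_page($request), "\n";
```

The two functions differ only in the explicit default for $authorized and the explicit, checked import of user, which is exactly the habit that register_globals = off forces.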


How can you set register_globals = off in your PHP?

1) Edit the php.ini file, find register_globals and update it to:

    register_globals = off

2) Or you can do this in the .htaccess file as well, using the line below:

    php_flag register_globals off


2 thoughts on “What is register_globals in PHP and how does it affect website security?”

  1. That .htaccess.txt code

    php_flag register_globals off

    helps me a lot... thanks scriptarticle.

  2. The above will work only if your Apache configuration allows overriding .htaccess settings.
