php ini register_globals

You may want to turn this off if you don't want to clutter your scripts' global scope with user data. This makes most sense when coupled with track_vars - in which case you can access all of the GPC variables through the $HTTP_*_VARS[], variables.

You should do your best to write your scripts so that they do not require register_globals to be on; Using form variables as globals can easily lead to possible security problems, if the code is not very well thought of.

register_globals = Off

All external variables were automatically registered in the global scope. That is, any incoming variable of the types COOKIE, ENVIRONMENT, GET, POST, and SERVER were made available globally. Because they were available globally, they were also globally modifiable. Although this might seem convenient to some people, it also introduced a security deficiency because variables intended to be managed solely by using a cookie could also potentially be modified via the URL.

For example, suppose that a session identifier uniquely identifying the user is communicated across pages via a cookie. Nobody but that user should see the data that is ultimately mapped to the user identified by that session identifier. A user could open the cookie, copy the session identifier, and paste it onto the end of the URL, like this:

The user could then e-mail this link to some other user. If there are no other security restrictions in place (e.g., IP identification), this second user will be able to see the otherwise confidential data.

Disabling the register_globals directive prevents such behavior from occurring. While these external variables remain in the global scope, each must be referred to in conjunction with its type. For example, the sessionid variable in the previous example would instead be referred to solely as the following:


Any attempt to modify this parameter using any other means (e.g., GET or POST) causes a new variable in the global scope of that means ($_GET['sessionid'] or $_POST['sessionid']).

Although disabling register_globals is unequivocally a good idea, it isn't the only factor you should keep in mind when you secure an application.