Why Was register_globals Disabled in PHP?

Linda Hamilton
2024-11-15 10:33:02

Registering Globals in PHP

Introduction

In PHP, register_globals was a configuration setting that automatically registered the entries of the $_REQUEST superglobal array as global variables. It was disabled by default due to security concerns.

Examples of Register Globals

When register_globals was enabled, input field values from POST or GET requests could be directly accessed as variables with the same name as the input field. For example:

<form method="post">
  <input type="text" name="username">
  <input type="submit">
</form>

With register_globals enabled, the following PHP code would evaluate to true at the beginning of the script:

$username === $_POST['username'];

Security Vulnerabilities

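register_globals introduced serious security vulnerabilities. Because any request parameter became a variable, a script that tested a variable it had never initialized could be controlled from outside. For instance, an attacker could append a query string parameter to a URL, such as "?authorized=1", to bypass authorization checks.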
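
The bypass described above, shown beside its fix, as an added example that is not part of the original article. Because register_globals has been removed from PHP, extract() on a constructed request array stands in for it here; checkPassword(), vulnerablePage() and hardenedPage() are hypothetical names.

```php
<?php
// Added example. extract() on a constructed request array emulates what
// register_globals did: every request parameter becomes a variable.

// Constructed sample request: the query string "?authorized=1" from the text.
$request = ['authorized' => '1'];

// Hypothetical credential check; the expected password is a constructed value.
function checkPassword(array $request): bool
{
    $pw = $request['password'] ?? '';
    return is_string($pw) && hash_equals('constructed-secret', $pw);
}

// Before: $authorized is assigned only on success and never initialized,
// so the value injected from the request survives the failed check.
function vulnerablePage(array $request): string
{
    extract($request); // emulates register_globals
    if (checkPassword($request)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'secret page' : 'access denied';
}

// After: the script initializes the flag itself and reads input only from
// the explicit request array, so a stray parameter cannot set it.
function hardenedPage(array $request): string
{
    $authorized = false;
    if (checkPassword($request)) {
        $authorized = true;
    }
    return $authorized ? 'secret page' : 'access denied';
}

echo vulnerablePage($request), PHP_EOL;
echo hardenedPage($request), PHP_EOL;
```

The same request is granted access by the first function and denied by the second; the only differences are the explicit initialization and the absence of automatic variable import.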

Global Keyword

The global keyword is unrelated to register_globals and serves a different purpose. Inside a function, it gives access to a variable defined in the global scope. For example:

$foo = 'bar';

function baz() {
  // Attempting to use $foo here will trigger a warning
  echo $foo;
}

function buzz() {
  global $foo;  // Declares that $foo is a global variable
  echo $foo;    // Prints 'bar'
}

Conclusion

While register_globals is no longer used due to its security risks, the global keyword remains a useful tool for accessing variables in different scopes.
