Is Using $_POST And $_GET The End Of My Register Globals Woes?

On my travels I come across many people who are blissfully unaware of register globals and if they are aware of it, they misunderstand what it does.

Some people seem to believe that by using the $_POST, $_GET… superglobal arrays they have protected themselves from the effects of register globals.

They couldn’t be further from the truth.

What Is Register Globals?

Register globals is a directive (or a group of directives to be more precise) which determines how information passed to a script can be accessed. If register globals is enabled, for example, and you pass a form field called ‘name’ to a script using the POST method, then the data is not only available in $_POST['name'] but also in $name.

Why Is This Bad?

This is bad for a number of reasons. Firstly, you should always be aware of where the data is coming from. Register globals stops this from happening. In my instance $name could quite easily have come from a cookie or from a form submitted with the GET method.

The second reason is the cause for this article.

Consider the following piece of code:

<?php
// Deliberately vulnerable: $is_admin is never initialised before it is tested.
if ($is_admin == true)
{
    echo 'I am an admin';
}
else
{
    echo 'I am not an admin';
}
?>

This is nothing out of the ordinary. I am simply checking whether $is_admin is true. I would expect some previous routine to set this if I am an admin. With register globals disabled this would work as expected with no quarrels. But what if I now call this script like the following:

http://www.domain.com/script_name.php?is_admin=1

If register globals is enabled we have a problem. The $is_admin variable now contains 1 (which, if you know PHP, you will realise evaluates to true, as PHP is a loosely typed language).

So What Can Be Done About This?

This is quite simple: if there is any possibility that the server running the script has register globals enabled (or you do not have control over the configuration) then you should guard against this.

The easiest way to guard against this is to ensure that you always initialise important variables before you use them. So in my previous example you could do:

<?php
// Initialise the variable ourselves so a user-supplied $is_admin is overwritten.
$is_admin = false;
// Now check if I am an admin.
if ($is_admin == true)
{
    echo 'I am an admin';
}
else
{
    echo 'I am not an admin';
}
?>

As register globals carries out its work before our script starts running, our assignment will overwrite the variable the user tried to set.

But Isn’t Register Globals Disabled In PHP 5?

The default installation of PHP 5 does indeed have register globals disabled. Unfortunately, however, many hosts feel the need to enable it because too many scripts wrongly rely on it. PHP 6 goes one step further than having register globals disabled in a default installation: in PHP 6 the directive is removed completely.

A Word Of Caution

One word of caution. The PHP manual states that register globals can be set (and I quote) PHP_INI_ALL. This indicates that you can set the directive anywhere, including within a script using the ini_set() function. Although it is technically correct that you can set the directive in a script, doing so will not have any effect whatsoever. The work register globals carries out has already been done before the directive would have been changed.

If you are going to change the directive do so in a .htaccess file (if you can) or in the php.ini file (the same goes for magic quotes).
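Because the directive cannot be switched off from inside a script, the only thing code can do at runtime is undo its effect: remove from the global scope every variable whose name matches a key in one of the request superglobals, before any other code runs. The following is an added example written for this post, not the author's code; it assumes a PHP 5.x interpreter where the directive still exists, and the function name unregister_globals() is my own.

```php
<?php
// Added example, not part of the original post. Include this before any other
// code so injected globals are removed before anything can rely on them.
function unregister_globals()
{
    // ini_set() cannot turn the directive off, but ini_get() can tell us
    // whether the globals have already been registered.
    if (!ini_get('register_globals')) {
        return false; // directive is off: nothing was registered
    }
    // Every key that arrived via one of these arrays may also exist as a
    // plain global variable. $_REQUEST is a merge of the others, so it is
    // covered by checking the individual sources.
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV);
    // Names that must survive: the superglobals themselves.
    $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                  '_SERVER', '_ENV', '_REQUEST', '_SESSION');
    $removed = 0;
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            if (!in_array($key, $keep, true) && array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]); // e.g. drop $is_admin set via ?is_admin=1
                $removed++;
            }
        }
    }
    return $removed;
}

unregister_globals();

// With the injected globals gone, the check behaves as if register globals
// were disabled: $is_admin only holds what this script assigns to it.
$is_admin = false;
if ($is_admin == true) {
    echo 'I am an admin';
} else {
    echo 'I am not an admin';
}
?>
```

This is a safety net for code you cannot fully audit; initialising variables before use, as shown earlier, remains the primary defence.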

Hopefully this has been helpful to you. I am hoping that it will have cleared up any misunderstanding on what register globals is and what it does.

If you have any questions please feel free to ask and I will do my best to answer them.


4 Responses to “Is Using $_POST And $_GET The End Of My Register Globals Woes?”

  1. Soulgirl Says:

    Sorry to contact you this way, I couldn’t see another. I’ve installed your who’s online plugin, it’s great. However, when I click the link in the admin panel it just goes to the front page of my blog.

    Have I done something wrong?

  2. admin Says:

    Sorry, I have been offline for 2 weeks so have not been able to see your comment. I will get myself sorted and contact you A.S.A.P.

  3. Adam Says:

    Amusing. I’ll recommend my friends to visit you. Will it be continued?

  4. Peter Says:

    I will be writing more articles on similar subjects. Just need to find the time.
