
Question: Isn't it a security risk to have register_globals=on?

Answer: Having register_globals=on is not a security problem per se, but it requires more care when writing code.

With register_globals=on, anyone requesting a page can set variables in a PHP script by appending them to the URL: somescript.php?myvar=42 defines a variable myvar with the value 42 before the script starts running. Depending on how your script works, this could be used to do bad things. An example can be found in the PHP 4.1.0 release notes.

However, that example is also an example of bad code. A simple cure for the problem of overwriting variables is to set them to a default value at the beginning of the script, which in turn overwrites any value injected via the URL.
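The difference between the careless and the careful script, as an added example that is not part of the original FAQ or of Geeklog's code. register_globals was removed in PHP 5.4, so extract() on a constructed query array stands in for it here; check_login(), the page functions, the variable name authorized and the password value are all hypothetical.

```php
<?php
// Constructed demo: extract() simulates what register_globals=on used to do,
// i.e. turn every request parameter into a variable of the same name.

// Hypothetical credential check (assumption for this example).
function check_login(array $query): bool
{
    return ($query['password'] ?? '') === 'correct-horse';
}

// Careless script: $authorized is assigned only when the login succeeds,
// so a value that arrived via the URL survives untouched.
function careless_page(array $query): string
{
    extract($query);                  // stand-in for register_globals=on
    if (check_login($query)) {
        $authorized = true;
    }
    // !empty() avoids the undefined-variable warning on modern PHP.
    return !empty($authorized) ? 'secret page' : 'access denied';
}

// Careful script: the default is assigned first and overwrites whatever
// the request injected, exactly the cure described above.
function careful_page(array $query): string
{
    extract($query);                  // same simulated setting
    $authorized = false;              // default value at the top of the script
    if (check_login($query)) {
        $authorized = true;
    }
    return $authorized ? 'secret page' : 'access denied';
}

// Constructed request: somescript.php?authorized=1 (no valid password).
parse_str('authorized=1', $query);

echo 'careless: ', careless_page($query), PHP_EOL;
echo 'careful:  ', careful_page($query), PHP_EOL;
```

Both functions run under the same simulated setting; only the initialization line changes the outcome, which is the point of the answer above.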

Generally speaking, you can write secure scripts with register_globals=on and you can write insecure scripts with it being off. That setting on its own does not make a script secure or insecure.
