Please note that register_globals PHP 5.4 already doesn’t exist and it’s not possible to turn it on.
If register_globals are enabled, it means that the data in variables originating from URL address (GET), from submitted form (POST) or cookies (Cookie) appears automatically as global variables in your PHP script.
For example. When you call your script as follows: skript.php?name=John&number=12345 and register_globals are enabled, we have these two values accessible via global variables$name a $number.
echo "Your name: $name" echo "Your number: $number"
Similarly, it works when you sending data via POST method.
Here is a hidden danger – by addition of any parameter in the URL of your script the attacker can get any global variable with any value to your program, resulting in an application that does not count with it, it may cause security failure or malfunction, etc.
Therefore, the use of register_globals in PHP is not recommended and in new versions, this option does not exist at all.
The correct solution
Correctly with the data from POST, GET and COOKIE working by using superglobals $_POST, $_GET a $_COOKIE.
- $_POST is an associative array containing the data from the submitted form
- $_GET s an associative array containing the parameters from URL addresses
- $_COOKIE is an associative array containing the data stored in the browser cookies
The corrected example:
echo "Your name: ".$_GET["name"]."; echo "Your number: ".$_GET["number"];
However, if you absolutely need to use register_globals, ie. Visible input data from POST, GET and COOKIES as global variables in your application, you have 2 options:
- Use function import_request_variables(), which retrieves the data and creates a global variable.
- Turn on register_globals in the customer administration in configuration of PHP
We still do not recommend to enable register_globals! Ask the creator of your PHP application for not using register_globals because it is a dangerous and outdated solutions.