Register Globals ( register_globals ) “on” security problem in PHP

Do you know what happens when register_globals is set to On in php.ini? When it is On, PHP registers the Environment, GET, POST, Cookie, Server and Session variables as ordinary global variables, i.e. you don't need to write $_POST['username'] to access the posted 'username' value; you can simply use $username, and PHP fills it in for you.

So you might think that turning register_globals on makes things easier, so why not use it? It does save some typing, but the same variable name can now be filled from several places: $username might be $_POST['username'], $_GET['username'], $_SESSION['username'] or $_COOKIE['username'], and your code cannot tell which one it got. That creates conflicts between variables, and it means any variable your script forgets to initialise can be set by whoever sends the request, which is where the security problem comes from.

Let's look at a simple example. Suppose there is a page1.php which, after a successful login, stores the user's name in a session variable,

 <?php session_start();
 $_SESSION['user'] = 'roshan';

and page2.php relies on register_globals to hand it that value, so somebody writes the check like this,

<?php session_start();
// $user is whatever register_globals imported: the session value,
// or a GET/POST parameter or cookie of the same name
if (!empty($user))
{
   //user authenticated process
}

A malicious user can get into the authenticated part of the script, without ever logging in, by adding a user parameter to the query string of page2.php:

     page2.php?user=roshan

That request takes you straight into the user-authenticated block. $user was never set from the session, so with register_globals on PHP fills it from the GET parameter instead, and !empty($user) is true. This is just a simple example; the same pattern (an uninitialised variable the script assumes only it will ever set) shows up in many other places and can be exploited the same way.
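Below is an added example, not code from the original post, of how page2.php should be written so that it behaves the same whether register_globals is On or Off. Every input is read from the specific superglobal it is expected in, and a variable is never trusted just because something with the right name happens to be set. It assumes (unlike the original page1.php, which stores only the name) that the login page also sets an explicit $_SESSION['authenticated'] flag after it has verified the password; that flag name is an assumption for the example.

```php
<?php
// Added example, not part of the original post.
// page2.php written so that register_globals makes no difference.
session_start();

// The flawed check from the post, kept only for comparison:
//     if (!empty($user)) { ... }
// With register_globals On, $user is also filled from ?user=..., from a
// POST field or from a cookie named "user", so the test passes for anyone.

function current_user()
{
    // The session is the only source we accept for the identity.
    // Assumption: page1.php stores $_SESSION['authenticated'] = true together
    // with $_SESSION['user'] once the password has been checked.
    if (empty($_SESSION['authenticated']) || !isset($_SESSION['user'])) {
        return null;
    }
    return $_SESSION['user'];
}

$user = current_user();
if ($user === null) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not logged in');
}

// From here on $user is trusted because it was set server-side by page1.php.
// page2.php?user=roshan has no effect, with or without register_globals,
// because $_SESSION is never populated from the request.
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The important change is not the extra flag but the source of the data: the script asks for $_SESSION['user'] by name, so a GET parameter, POST field or cookie called user can never be mistaken for it.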

As the register_globals issue was quite controversial, the PHP community decided to remove the feature: it was deprecated in PHP 5.3.0 and removed in PHP 5.4.0 (at the time of writing the removal was planned for PHP 6.0.0). So if you're relying on register_globals in your project, it's time to update your code.

I always recommend running PHP with register_globals off in php.ini and in your server configuration (it has defaulted to Off since PHP 4.2.0). You can check whether it is on or off with the phpinfo() function, or from a script with ini_get('register_globals').

Note one thing: you can't use ini_set() to alter the value of register_globals at runtime, because it is a PHP_INI_PERDIR directive and must be set before your script starts. You have to set it in php.ini, in the server configuration, or in an .htaccess file (which works only under mod_php with AllowOverride Options enabled). You can write the following line in your .htaccess file to turn register_globals off; use php_flag rather than php_value, since php_value is not meant for boolean directives:

php_flag register_globals off
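If you are on a shared host where neither php.ini nor .htaccess is under your control, ini_set() cannot save you, but a script can still detect the setting and undo its effect. The following is an added example, not code from the original post: a guard included at the top of every script that reports register_globals and then unsets every global variable that was auto-registered from request, environment or session data, so the rest of the script behaves as if the directive were Off. It is the same approach several PHP applications of that era shipped; the function names are this example's own.

```php
<?php
// Added example, not part of the original post: neutralise register_globals
// at runtime. Include before any other code in the request.

function register_globals_is_on()
{
    // ini_get() returns "1", "0", "On", "Off" or "" depending on how php.ini
    // spelled it (and false on PHP >= 5.4, where the directive no longer
    // exists); filter_var() normalises all of those to a boolean.
    return (bool) filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

function unregister_globals()
{
    if (!register_globals_is_on()) {
        return 0; // nothing was auto-registered, nothing to remove
    }

    // Superglobals and the globals PHP itself relies on must survive, even if
    // an attacker sends a parameter with one of these names.
    $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER',
                  '_ENV', '_FILES', '_SESSION', 'argv', 'argc');

    // Every array whose keys register_globals turns into global variables.
    $sources = array($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES);
    if (isset($_SESSION) && is_array($_SESSION)) {
        $sources[] = $_SESSION;
    }

    $removed = 0;
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (in_array($name, $keep, true)) {
                continue;
            }
            // Drop the auto-registered copy; the value stays available in
            // its superglobal, which is where code should read it from.
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed++;
            }
        }
    }
    return $removed;
}

// Usage: call this first, then read input only from the superglobals
// ($_SESSION['user'], $_GET['user'], ...). After this runs, the
// if (!empty($user)) check from the post sees no $user unless the
// script itself assigned one.
if (register_globals_is_on()) {
    $n = unregister_globals();
    error_log("register_globals is On; removed $n auto-registered globals");
}
```

This is a stop-gap, not a fix: it only protects scripts that include it, and any file that runs before it (an auto_prepend_file, for instance) still sees the registered globals. The real fix remains turning the directive off and reading every input from its superglobal.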

4 thoughts on “Register Globals ( register_globals ) “on” security problem in PHP”

  1. Mohamed Moupasher

    Thank you Roshan :)

  2. Great information, thanks for sharing 😉

  3. tania

    it cleared my doubt in register_globals…..simple….good one
