Register Globals ( register_globals ) “on” security problem in PHP

Posted on February 7, 2008 
Filed Under coding technique, php, tips and technique

Do you know what happens when register_globals is set to ON in php.ini? When it is ON, PHP registers Environment, GET, POST, COOKIE and Server variables as global variables, i.e. you don’t need to write $_POST['username'] to access the posted ‘username’ variable; you can simply use $username instead.

So you might think that turning register_globals on makes things easier, so why not use it? You are right that it is convenient, but the variables can overlap: $username might be $_POST['username'] or $_GET['username'] or $_SESSION['username'] or $_COOKIE['username']. This creates conflicts between variables and can also create security problems.

Let’s look at a simple example. Suppose that “page1.php” assigns a value to a session variable,

 $_SESSION['user']='roshan';  

and page2.php contains the following code, written by somebody relying on register_globals:

if(!empty($user))
{
   //user authenticated process
}

A malicious user can get into the authenticated part of the script by adding the user parameter to the query string (GET method) of “page2.php”, as follows.

     page2.php?user=roshan

This takes you inside the user authenticated process. It’s just a simple example. The same behaviour can make code vulnerable in other cases too.
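The page1.php / page2.php scenario above as a runnable sketch, added here and not part of the original post. It uses a simplified emulation of register_globals built on extract(), since current PHP no longer has the setting; the function names and the sample requests are constructed for illustration.

```php
<?php
// Added example. register_globals is emulated in simplified form with
// extract(); all function names here are hypothetical.

// Emulates the import step: every request and session key becomes a plain
// variable name, with later sources overwriting earlier ones.
function emulate_register_globals(array $get, array $session): array
{
    $scope = [];
    foreach ([$get, $session] as $source) {
        $scope = array_merge($scope, $source);
    }
    return $scope;
}

// page2.php as written in the post: trusts the bare $user variable,
// whichever source it happened to come from.
function page2_vulnerable(array $get, array $session): bool
{
    extract(emulate_register_globals($get, $session));
    return !empty($user);
}

// Hardened page2.php: reads only the session data, so a request
// parameter with the same name is never consulted.
function page2_hardened(array $get, array $session): bool
{
    return isset($session['user'])
        && is_string($session['user'])
        && $session['user'] !== '';
}

// Constructed requests: [GET parameters, session contents].
$cases = [
    'anonymous, no parameter' => [[], []],
    'anonymous, ?user=roshan' => [['user' => 'roshan'], []],
    'logged in via page1.php' => [[], ['user' => 'roshan']],
];

foreach ($cases as $label => [$get, $session]) {
    printf(
        "%-26s vulnerable=%s hardened=%s\n",
        $label,
        var_export(page2_vulnerable($get, $session), true),
        var_export(page2_hardened($get, $session), true)
    );
}
```

Only the vulnerable variant treats the constructed `?user=roshan` request with an empty session as authenticated; the hardened check accepts nothing but a value that was stored in the session.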

As the register_globals issue is quite controversial, the PHP community has decided to remove this feature as part of PHP 6.0.0. So if you’re relying on register_globals in your project, it’s time to update your code.

I always recommend running PHP with register_globals off in php.ini on your server. You can check whether it is on or off by using the phpinfo() function available in PHP.

Note one thing: you can’t use the ini_set() function to alter the value of register_globals at runtime. You have to use a .htaccess file to alter its value. You can write the following line in your .htaccess file to turn register_globals off.

php_flag register_globals off


Comments

2 Responses to “Register Globals ( register_globals ) “on” security problem in PHP”

  2. Mohamed Moupasher on March 22nd, 2008 9:24 pm

    Thank you Roshan :)
