PhpSecInfo Test Information
register_globals
Test Description
This test determines if the register_globals setting is enabled.
Security Implications
When register_globals is enabled, PHP automatically creates a variable in the global scope for every value passed in GET, POST or COOKIE. Combined with the use of variables that are never initialized, this has led to numerous security vulnerabilities. Since application developers should be aware when they are accessing tainted user input, it is better practice to access these values through their respective superglobals ($_GET, $_POST, $_COOKIE).
register_globals will not be available in PHP 6.
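The uninitialized-variable problem described above, shown next to its fix. This is an added example, not PhpSecInfo code: the function names, the sample request and the session layout are hypothetical, and extract() is used only to reproduce inside one function what register_globals does to the global scope.

```php
<?php
// Added example. All names here are hypothetical; sample data is constructed.

// Constructed request: the client sends a parameter named like an internal variable.
$sampleGet = ['authorized' => '1'];
// Constructed session of a visitor who has NOT logged in.
$sampleSession = [];

function is_valid_user(array $session): bool
{
    // Placeholder for the application's real login check.
    return isset($session['user_id']);
}

// Unsafe pattern: $authorized is only ever assigned on success, never initialized.
function check_uninitialized(array $get, array $session): bool
{
    extract($get); // stands in for register_globals = on
    if (is_valid_user($session)) {
        $authorized = true;
    }
    return !empty($authorized); // request input decides the result
}

// Fixed pattern: the variable is initialized before use, so a request value
// of the same name is overwritten even if register_globals is still enabled.
function check_initialized(array $get, array $session): bool
{
    extract($get); // same simulated setting as above
    $authorized = false;
    if (is_valid_user($session)) {
        $authorized = true;
    }
    return $authorized;
}

// Runtime check of the setting itself. ini_get() returns false when the
// directive does not exist in the running PHP version.
function register_globals_enabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

var_dump(check_uninitialized($sampleGet, $sampleSession)); // unsafe pattern
var_dump(check_initialized($sampleGet, $sampleSession));   // fixed pattern
var_dump(register_globals_enabled());
```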
Recommendations
register_globals should always be disabled.
You can disable it in the php.ini file:
; Disable register_globals for security reasons
register_globals = 'off'
The setting can also be disabled in Apache's httpd.conf file, or in an .htaccess file:
# Disable register_globals for security reasons
php_flag register_globals off


