PhpSecInfo Test Information

register_globals

Test Description

This test determines if the register_globals setting is enabled.

Security Implications

When register_globals is enabled, PHP will automatically create variables in the global scope for any value passed in GET, POST or COOKIE. This, combined with the use of variables without initialization, has led to numerous security vulnerabilities. Since application developers should be aware when they are accessing tainted user input, it is better practice to access these values through their respective superglobals.
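
The uninitialized-variable problem described above, next to the initialized form, as an added example (not PhpSecInfo's own code). Because current PHP releases no longer have the directive, extract() stands in for what register_globals did; is_authenticated(), the two page functions and the request data are hypothetical and constructed for illustration.

```php
<?php
// Added example. extract() simulates register_globals; all names are hypothetical.

// Constructed request data: an unauthenticated client sends ?authorized=1
$request = ['authorized' => '1'];

function is_authenticated(): bool
{
    return false; // stand-in for a real session check; this client is not logged in
}

// Vulnerable pattern: $authorized is assigned only on the success path.
function vulnerable_page(array $request, bool $registerGlobals): bool
{
    if ($registerGlobals) {
        extract($request); // every request key becomes a variable in scope
    }
    if (is_authenticated()) {
        $authorized = true;
    }
    // With the setting on, $authorized can already hold the client's value.
    return !empty($authorized);
}

// Hardened pattern: initialise before use, so any injected value is overwritten.
function hardened_page(array $request, bool $registerGlobals): bool
{
    if ($registerGlobals) {
        extract($request);
    }
    $authorized = false;
    if (is_authenticated()) {
        $authorized = true;
    }
    return $authorized;
}

// ini_get() returns false when the directive does not exist in this runtime.
$enabled = filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
printf("register_globals in this runtime: %s\n", $enabled ? 'on' : 'off or absent');

printf("vulnerable page, setting on:  %s\n", var_export(vulnerable_page($request, true), true));
printf("vulnerable page, setting off: %s\n", var_export(vulnerable_page($request, false), true));
printf("hardened page, setting on:    %s\n", var_export(hardened_page($request, true), true));
```

Only the vulnerable page with the setting on grants access to the unauthenticated request; disabling the setting or initialising the variable each closes the gap on its own.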

register_globals will not be available in PHP 6.

Recommendations

register_globals should always be disabled.

You can disable it in the php.ini file:

; Disable register_globals for security reasons
register_globals = Off

The setting can also be disabled in Apache's httpd.conf file, or in an .htaccess file:

# Disable register_globals for security reasons
php_flag  register_globals  off
