What is register_globals in PHP?

Register_globals directive:

register_globals is an internal PHP parameter that registers the elements of the $_REQUEST as variables. If you pass the value in the form via POST or GET , the value of this input will be automatically available through a variable in the PHP script named in the name of the input field.

In other words, if you submitted a form containing the username text field, the expression ($username === $_POST['username']) at the very beginning of the script will return true .

His fame is due to the fact that he opens up many security holes, especially for people who follow something less than a strict coding style from a security point of view.

Classic example:

 if(user_is_admin($user)) { $authorized = true; } if($authorized) { // let them do anything they want } 

Now, if you visited this script in a web browser, and there was register_globals on the server, you can simply add ?authorized=1 to the URL and divine mode will be turned on!

The global :

global - the keyword has little to do with register_globals.

Here is an example of its use:

 $foo = 'bar'; baz(); function baz() { echo $foo; // PHP warns you about trying to use an uninitialized variable // and nothing is output (because $foo doesn't exist here) } buzz(); function buzz() { global $foo; // Enables the use of $foo in this scope echo $foo; // Prints 'bar' to screen } 

The register_globals parameter controls access to the form, server, and environment. variables.

register_globals = On:

You can access the form attribute without global arrays (GET [], POST [] and REQUEST [])

example: http://www.example.com/one.php?myinput=abc

You can access directly in one.php

 echo $myinput; // abc 

register_globals = Off:

You need to access all attributes only to global arrays.

example: http://www.example.com/one.php?myinput=abc

You need to access one.php

 echo $_GET['myinput']; //abc 

As I understand it, if you enable global registers, everything that is passed to GET or POST is automatically converted to a variable in PHP.

eg:

 http://www.domain.com/vars.php?myvar=123 

without any further coding, this will automatically turn into a variable available for the rest of your php code.

 $myvar //with a value of 123 

With registered global values ​​OFF, data transmitted via GET or POST is NOT automatically converted to a variable, and you need to request it using Superglobals $ _GET, $ _POST and $ _REQUEST, etc.

http://php.net/manual/en/security.globals.php provides additional information on security implications.

Others may respond to me if I am wrong.

change

in relation to your question re global $user_id; , this does not create a "global" in the sense of "register_globals". It just changes the scope of the variable in the PHP code.

For information about the re-scope region, see http://php.net/manual/en/language.variables.scope.php

Global variables in php are variables that are always available. They are also known as superglobals. They are built into variables that are always available regardless of scope.

There are nine superglobal variables in PHP. Some of them are relevant to this discussion.

• $_REQUEST
• $_POST
• $_GET
• $_COOKIE

Now focus on the $_REQUEST . It is used to collect data after the user submits an HTML form using the POST method.

$_POST and $_REQUEST can be used interchangeably. But $_REQUEST also contains $_GET and $_COOKIE along with $_POST , so you are never sure that your data comes from a web form.

Now, as @Tim register_globals points out, this is an internal PHP parameter that registers the elements of the $_REQUEST array as variables. It is also known as flag in your php setup. It is usually specified in the PHP configuration file, which is known as php.ini . This parameter can have two values.

• "on"
• "turned off".

A value of "on" means that PHP will automatically create global variables for many server variables, as well as query string parameters. This is not good and poses a security risk.