Register globals

From DreamHost


When enabled, register_globals automatically injects PHP scripts with various global variables, usually from HTML forms.

Important: Please note, this feature has been deprecated as of PHP 5.3 and removed as of PHP 5.4. View the link below for details:

Important: It's highly recommended that you upgrade to the latest version of PHP as DreamHost will officially EOL PHP versions 5.3 and 5.4 on all hosting plans on January 26, 2016. Please visit the following pages to view information on how to update to the latest PHP version:

A secure alternative to register_globals

In DreamHost's installation of PHP 5.3, the register_globals directive is disabled (which is actually the default condition); therefore, scripts relying on global variables that are automatically created during the submission of a form do not work as expected. Use the following superglobal array variables to access form (and other) data:

  • $_COOKIE
  • $_GET
  • $_FILES
  • $_POST
  • $_SERVER


Consider the following HTML form:

<form method="post" action="script.php">
  <input type="text" name="var">
  <input type="submit">
</form>

When register_globals is enabled, PHP can access the value of the "var" control like this:

echo "The value of the \"var\" control is $var";

With register_globals disabled, the $_POST superglobal array variable must be used instead:

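// Escape the submitted value before output so it cannot inject markup into the page.
echo "The value of the \"var\" control is ".htmlspecialchars($_POST['var'], ENT_QUOTES, 'UTF-8');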

A non-secure alternative to register_globals

In your PHP scripts you can use the import_request_variables() function to import POST/GET/Cookie variables into the global namespace. This is useful for getting a script to work immediately while register_globals is off and you work to re-code it.


In PHP 6, the register_globals directive will not exist at all. Global variables will not be automatically registered.

Reasons for disabling

When enabled, register_globals makes it easy to inject all sorts of variables into a script, such as variables coming from GET or POST requests, and from sessions and cookies. For example, it is possible to exploit the fact that PHP doesn't require variables to be initialized.

Exploit example

Consider what would happen if you had a script that looked like this:

$admin['user'] = 'foo';
$admin['pass'] = 'bar';
if($admin['user'] == $_GET['username'] AND $admin['pass'] == $_GET['password']) {
  /* Give administrator access */
}

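On first inspection, the script appears fairly secure; however, $admin is never initialized as an array before its elements are assigned, and that becomes exploitable when register_globals is enabled. Suppose you requested the page with page.php?admin=asdf. $admin then starts out as a string, so ['user'] and ['pass'] are treated as string offsets, and both non-numeric keys evaluate to offset 0. The following sequence would occur: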

  • $admin is set to 'asdf'
  • $admin['user'] = 'foo'; sets the first char of 'asdf' to 'f'
  • $admin['pass'] = 'bar'; sets the first char of 'fsdf' to 'b'
  • $admin['user'] == $_GET['username'] tests if 'b' == $_GET['username']
  • $admin['pass'] == $_GET['password'] tests if 'b' == $_GET['password']

To get administrator access, you request page.php?admin=asdf&username=b&password=b - you only need to know the first character of the password. Even if you don't know it, there are relatively few possibilities.
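
A hardened form of the check above, as an added example that is not part of the original page. The function name is_admin_login(), the pass_hash key and the sample requests are assumptions made for illustration, and hash_equals() requires PHP 5.6 or later:

```php
<?php
/**
 * Returns true only when $input carries the expected credentials.
 * $input is passed in explicitly (normally $_POST), so no request
 * parameter can become a variable in this scope.
 */
function is_admin_login(array $input, array $admin)
{
    // Require both fields to be present and to be plain strings;
    // parameters sent as username[]=x arrive as arrays and are rejected.
    foreach (array('username', 'password') as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            return false;
        }
    }
    // hash_equals() compares whole strings in constant time, with no type juggling.
    $userOk = hash_equals($admin['user'], $input['username']);
    // password_verify() checks the submitted password against a stored hash.
    $passOk = password_verify($input['password'], $admin['pass_hash']);
    return $userOk && $passOk;
}

// Constructed: the value register_globals would create for ?admin=asdf.
$admin = 'asdf';

// Whole-array assignment replaces whatever $admin held before, so the
// injected string is discarded instead of being indexed into.
$admin = array(
    'user'      => 'foo',
    // Constructed for this demo; a real script loads a stored hash.
    'pass_hash' => password_hash('bar', PASSWORD_DEFAULT),
);

// Constructed sample requests, standing in for $_POST.
$samples = array(
    'request from the page' => array('admin' => 'asdf', 'username' => 'b', 'password' => 'b'),
    'array-typed fields'    => array('username' => array('foo'), 'password' => array('bar')),
    'correct credentials'   => array('username' => 'foo', 'password' => 'bar'),
);

foreach ($samples as $label => $request) {
    $result = is_admin_login($request, $admin) ? 'granted' : 'denied';
    printf("%-22s => %s\n", $label, $result);
}
```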
