Register globals

When enabled,  automatically injects PHP scripts with various global variables, usually from HTML forms.

A secure alternative to
In DreamHost's installation of PHP 5, the  directive is disabled (which is actually the default condition); therefore, scripts relying on global variables that are automatically created during the submission of a form will not work as expected. Use the following superglobal array variables to access form (and other) data:



Example
Consider the following HTML form:   When  is enabled, PHP can access the value of the "var" control like this:  With  disabled, the   superglobal array variable must be used instead: 

A non-secure alternative to
In your php scripts you can use the import_request_variables function to import POST/GET/Cookie variables into the global namespace. Useful to get something to work immediately while  is off and you work to re-code it.

PHP6
In PHP 6, the  directive will not exist at all. Global variables will not be automatically registered.

Reasons for disabling
When enabled,  can make it easy to inject scripts with all sorts of variables, like variables coming from GET or POST methods, and from sessions and cookies. It is possible to exploit the fact that PHP doesn't require initialization of variables, for example.

Exploit example
Consider what would happen if you had a script that looked like this:  On first inspection, the script appears fairly secure; however, a bad array initialization occurs when  is enabled. Suppose you requested the page with. The following sequence would occur:


 * is set to
 * sets the first char of  to
 * sets the first char of  to
 * tests if
 * tests if

To get administrator access, you request  - you only need to know the first character of the password. Even if you don't know it, there are relatively few possibilities.