register_globals


unidox

Register_globals is completely gone in PHP6, by the way.

It's probably one of the worst things ever designed for PHP.  Not gonna lie.

 

Here's what it does:

Let's say you had a form field called "name", and you sent it through POST.  Now, you know that it would be in $_POST['name'].

With register_globals, $name is INSTANTLY equal to that when you start the script.  I guess they thought it would make life easier.  Here's the issue:  GET has a higher priority over POST when it comes to register_globals (at least, I think. I think it's GPC, like magicquotes).  So, they could send in your form, but they could also change the action URL and add, let's say, $password to the GET string, i.e.:

yourdomain.com/process.php?password=A_PASSWORD

 

Now, $password has that value set in the script by default.  It basically made your script insanely insecure.

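The behaviour described in the post above, shown next to the explicit-superglobal style that replaces it. This is an added example, not part of the original thread: register_globals is emulated with extract() because the directive is absent from current PHP, and the function names, request arrays and import order are assumptions made for illustration.

```php
<?php
// Added example. register_globals is emulated with extract(); the request
// arrays below are constructed sample input, not captured traffic.

$get  = ['password' => 'A_PASSWORD'];   // parameter appended to the action URL
$post = ['name' => 'alice'];            // the only field the form sends

// "Before": request keys become local variables before the script body runs.
function legacy_process(array $get, array $post): array
{
    extract($get);    // emulation; the import order here is an assumption
    extract($post);

    // The body never assigns $password, yet it is already populated.
    return [
        'name'     => $name ?? null,
        'password' => $password ?? null,
    ];
}

// "After": read only the expected field from the expected source and
// initialise every other variable explicitly.
function explicit_process(array $get, array $post): array
{
    $name = isset($post['name']) && is_string($post['name']) ? $post['name'] : '';
    $password = null;   // not a form field, so never taken from the request

    return ['name' => $name, 'password' => $password];
}

// Detection aid: request keys the form never defined are worth logging.
function unexpected_keys(array $get, array $post, array $allowed): array
{
    $seen = array_merge(array_keys($get), array_keys($post));
    return array_values(array_diff($seen, $allowed));
}

var_dump(legacy_process($get, $post));
var_dump(explicit_process($get, $post));
var_dump(unexpected_keys($get, $post, ['name']));
```

Run it with the PHP CLI: the first dump shows the request-supplied value sitting in a variable the script never set, the second shows it ignored, and the third lists the stray key.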
