What is register_globals and why is it a security risk?

register_globals is a setting (sometime known as a flag) in your PHP environment. It is typically set in the PHP configuration file known as php.ini file. This setting can have a value of “on” or “off”. An “on” value means that PHP will automatically create global variables for many server variables as well as query string parameters. This is not good and is a security risk.

For security reasons, it is recommended to disable register_globals PHP flag on your PHP environment. Many PHP applications such as Joomla, Drupal, and phpBB perform a check for this during its installation and makes the same recommendation.

However, due to the variety of PHP setups and webhost server settings, as well as the multiple ways of disabling this flag, trying to disable this flag can require a bit of trial and error and patience. But the effort is worth it and hopefully this article can provide some resources that will show you the various ways that you can try to disable this flag.

It is better this setting   to be set “off”, register_globals = off , so that if PHP code requires specific server variables or query string, the developer needs to explicitly write lines of code to get those information as oppose to it be automatically available as if it was set to “on” vs register_globals = on .

With it enabled, any query string at the end of the URL http://yourdomainsomething.php?valid=true will affect the value of a variable $valid (for example) in something.php, if it exists.

If you’re using publically available PHP code (a library for example) the names of variables are well known, and it would be possible for hackers to control their values by assigning values in the query string. They may be able to bypass authentication.

Even if you’re not using public code, it may be possible to guess the names of important variables, and control their values.

It used to be the default to have REGISTER_GLOBALS enabled in PHP.INI

Recent practice has been to disable it by default. Enable it at your own risk!

More information found on Wikibooks.org and PHP Manual.

How do I know my register_globals setting

You can put up a temporary PHP page with the phpinfo() function call to display your PHP settings. But make sure to immediately remove that page after viewing.

Setting register_globals in php.ini

Webserver running PHP will have a master php.ini file. Some webhost will not allow you to change this file. But you may be able to create a custom php.ini file that overrides the settings of the master php.ini.

You do this by creating a php.ini in your webroot directory or in your php application directory. Some webhost may require this custom php.ini file to be copied to all sub-directories [reference].

In this custom php.ini file, put in the one line of code …

register_globals = off

To learn more about php.ini, see …
Using a php.ini file
PHP Manual

Changing register_globals using .htaccess

If you do not want to or can not change your php.ini. You may sometimes be able to adjust the register_globals setting via the .htaccess file as described in the below:

This support thread shows the use of …

php_flag register_globals 0

Another thread shows the use of …

php_flag register_globals off

But this may or may not work and sometimes you get a 500 server error as explained in this thread.

Changing register_globals for certain webhosts

Different webhosts may have different method that works.

Changing register_globals for GoDaddy
Changing register_globals for Dreamhost
See item 7 of BlueHost support about tweaking php.ini

Changin register_globals for certain application

Here is some ways to try to adjust register_globals setting for phpBB, Joomla, and Drupal.