What is register_globals and why is it a security risk?
November 9, 2010. Posted by Tournas Dimitrios in PHP.
register_globals is a setting (sometimes known as a flag) in your PHP environment. It is typically set in the PHP configuration file known as php.ini. This setting can have a value of "on" or "off". An "on" value means that PHP will automatically create global variables for many server variables as well as for every query string parameter. This is not good and is a security risk.
For security reasons, it is recommended to disable the register_globals PHP flag in your PHP environment. Many PHP applications such as Joomla, Drupal, and phpBB check for this during installation and make the same recommendation.
However, due to the variety of PHP setups and webhost server settings, as well as the multiple ways of disabling this flag, disabling it can require a bit of trial and error and some patience. The effort is worth it, and this article collects the various ways you can try to disable the flag.
It is better for this setting to be "off" (register_globals = off). Then, if PHP code needs specific server variables or query string parameters, the developer has to write explicit code to fetch that information, instead of it being automatically available as it is with register_globals = on.
With it enabled, any query string at the end of the URL, for example http://yourdomain/something.php?valid=true, will affect the value of a variable $valid in something.php, if such a variable exists.
If you're using publicly available PHP code (a library, for example), the names of its variables are well known, and it would be possible for hackers to control their values by assigning values in the query string. They may be able to bypass authentication.
Even if you're not using public code, it may be possible to guess the names of important variables and control their values.
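The following is an added example, not code from the original post, showing the authentication-bypass pattern described above next to its hardened form. The file name, function names and credential values are constructed for the demonstration; the vulnerable path only actually fires on PHP versions that still have register_globals (it was removed in PHP 5.4), but the two habits in the hardened version are worth keeping on any version.

```php
<?php
// something.php (hypothetical) -- added example, not from the original post.
// Shows why an uninitialised control variable is exploitable under
// register_globals = on, and the two habits that close the hole either way.

// Constructed stand-in for a real credential check (demo values only).
function credentials_are_valid($user, $pass)
{
    return $user === 'demo' && $pass === 'demo-password';
}

// VULNERABLE: relies on $authorized being unset unless the check succeeds.
// register_globals injects request parameters into the *global* scope, which is
// exactly the scope this function reads through `global`. With the flag on, a
// request for something.php?authorized=1 pre-sets $authorized = "1" before this
// code runs, so the credential check is no longer what decides the outcome.
function page_vulnerable()
{
    global $authorized;
    $user = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    if (credentials_are_valid($user, $pass)) {
        $authorized = true;
    }
    if (!empty($authorized)) {      // the injected "1" passes this test
        return 'secret content';
    }
    return 'access denied';
}

// HARDENED: (1) initialise every control variable before use, so anything PHP
// injected earlier is overwritten; (2) read input explicitly from $_POST/$_GET
// instead of relying on variables that "just exist". This is safe whether
// register_globals is on or off.
function page_hardened()
{
    $authorized = false;                                   // explicit default
    $user = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    if (credentials_are_valid($user, $pass)) {
        $authorized = true;
    }
    if ($authorized === true) {
        return 'secret content';
    }
    return 'access denied';
}

echo page_hardened(), PHP_EOL;
```

The difference is not the flag but the code: page_hardened() never lets a variable it did not assign itself influence the decision, so the register_globals setting stops mattering for this page.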
It used to be the default to have register_globals enabled in php.ini.
Recent practice has been to disable it by default. Enable it at your own risk!
How do I know my register_globals setting?
You can put up a temporary PHP page with the phpinfo() function call to display your PHP settings. But make sure to immediately remove that page after viewing.
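As an added example (not from the original post), the script below does the same check from inside PHP with ini_get() and, going one step further than the check itself, removes the variables register_globals injected so the rest of the application behaves as if the flag were off. This is the approach several PHP applications used at startup before the flag was removed in PHP 5.4. Function names are hypothetical.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.
// Reports the effective register_globals setting and, where php.ini cannot be
// changed, neutralises the flag before any application code runs.

// True when register_globals is effectively on. ini_get() returns the raw ini
// string, so "0", "" and "off" must all count as disabled; on PHP >= 5.4 the
// directive no longer exists and ini_get() returns false, which also reads as off.
function register_globals_enabled()
{
    $raw = strtolower(trim((string) ini_get('register_globals')));
    return !in_array($raw, array('', '0', 'off', 'false', 'no'), true);
}

// Unset every global that register_globals created from request data.
// Call this as the first thing in the front controller (index.php).
// Returns the number of variables removed.
function unregister_globals()
{
    if (!register_globals_enabled()) {
        return 0;
    }
    // A request that tries to overwrite the superglobals table itself is hostile;
    // stop rather than guess what else it may have poisoned.
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        exit('GLOBALS overwrite attempt detected');
    }
    // Never unset the superglobals themselves.
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                       '_SERVER', '_ENV', '_FILES', '_SESSION');
    $sources = array($_GET, $_POST, $_COOKIE, $_REQUEST, $_SERVER, $_ENV, $_FILES);
    $removed = 0;
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (!in_array($name, $protected, true) && array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed++;
            }
        }
    }
    return $removed;
}

// Usage as a temporary diagnostics page (remove it afterwards, just like a phpinfo() page).
header('Content-Type: text/plain');
echo 'register_globals: ', register_globals_enabled() ? 'ON (risk)' : 'off', PHP_EOL;
echo 'injected globals removed: ', unregister_globals(), PHP_EOL;
```

The unsetting loop is a safety net, not a substitute for fixing the setting: it only helps code that runs after it, and it cannot protect variables the application legitimately expects to receive from the request.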
Setting register_globals in php.ini
A webserver running PHP will have a master php.ini file. Some webhosts will not allow you to change this file, but you may be able to create a custom php.ini file that overrides the settings of the master php.ini.
You do this by creating a php.ini in your webroot directory or in your PHP application directory. Some webhosts may require this custom php.ini file to be copied to every sub-directory.
In this custom php.ini file, put this one line …
register_globals = off
Changing register_globals using .htaccess
If you do not want to, or cannot, change your php.ini, you may sometimes be able to adjust the register_globals setting via the .htaccess file, as described below:
This support thread shows the use of …
php_flag register_globals 0
Another thread shows the use of …
php_flag register_globals off
But this may or may not work, and sometimes you get a 500 server error instead, as explained in this thread.
Changing register_globals for certain webhosts
Different webhosts may require different methods.