PHP: register_globals, demystified completely

register_globals is a configuration setting in the php.ini file. Before going into the details of register_globals, it is worth introducing the php.ini file to newcomers, who may be amused or confused by the format of the name and especially by the extension, 'ini'. The php.ini file is read when PHP starts; the extension 'ini' stands for initialization. A web server defines some configuration settings for PHP by default, but in an actual production environment many of these predefined settings may not suit the requirements of a PHP application. By using the php.ini file you can define your own configuration settings and so provide a custom environment for your PHP applications to run in. One example of such a setting is register_globals, which has two values, 'on' and 'off'.

Whether register_globals is set to 'off' or 'on' makes a great deal of difference to how a PHP file receives values from other files and how secure that data transfer is. When register_globals is set to 'on', your application becomes susceptible to receiving any kind of value from outside.
For example, look at this example url,, when register_globals is set to 'on', the value of the parameter id can be accessed in the test.php script directly through the variable $id, and an output corresponding to this $id value will be displayed. In this case, it is very easy for any user to set any value for the id parameter in the url; test.php will simply take that parameter value, process it and display a result. This result or output could be sensitive information not meant for every user.

To protect your PHP script from malicious users who can exploit this loophole in the url, it is always wise to turn register_globals 'off' if it was 'on'. The good news is that since version 4.2 of PHP, register_globals has been set to 'off' by default. With the setting off, the value of the parameter supplied through the above-mentioned url cannot be obtained by simply printing the corresponding variable, say $id, in the test.php script. If you try to access the value of the supplied parameter id through the variable $id, you will get an empty value.

If you want to access the value of the supplied parameter when register_globals is 'off', PHP server variables (the superglobal arrays) are used. The syntax of these variables is as follows:

$_GET['variable_name']: This variable is used to access the value of the supplied parameter when the GET method is used.

$_POST['variable_name']: This variable is used to access the value of the supplied parameter when the POST method is used.

Example: in the case of this example url ,, the value of id in the test.php script can be accessed through the $_GET['id'] server variable:

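  // Read id from the query string; use an empty string if it was not supplied
  $id_value = isset($_GET['id']) ? $_GET['id'] : '';
  // Escape the value before printing so it cannot inject markup into the page
  echo "value of the supplied variable id is " . htmlspecialchars($id_value, ENT_QUOTES, 'UTF-8');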
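
The difference between the two settings, as an added example that is not part of the original article. It assumes extract() as a stand-in for register_globals = on (the setting was removed in PHP 5.4); the rule that only record 7 is public, the $allowed flag, the function names and the sample requests are constructed for illustration.

```php
<?php
// Added example, not code from the article. register_globals was removed in
// PHP 5.4, so extract() stands in for what the setting did automatically.

// test.php as it behaves with register_globals = on.
function test_php_globals_on(array $request)
{
    extract($request);                  // every request parameter becomes a variable
    if (isset($id) && $id === '7') {    // assumption: record 7 is the only public one
        $allowed = true;
    }
    // $allowed was never initialised, so the request itself can supply it.
    return !empty($allowed) ? 'record ' . $id : 'denied';
}

// test.php written for register_globals = off.
function test_php_globals_off(array $get)
{
    $allowed = false;                   // set by the script, never by the request
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        return 'invalid id';            // a missing or non-numeric id is rejected
    }
    if ($id === 7) {
        $allowed = true;
    }
    return $allowed ? 'record ' . $id : 'denied';
}

// Constructed sample query strings, parsed the way PHP fills $_GET.
$samples = array('id=7', 'id=8', 'id=8&allowed=1', 'id=abc');
foreach ($samples as $query) {
    parse_str($query, $params);
    // Escape the first result because it can carry the raw request value.
    printf("%-16s on: %-10s off: %s\n", $query,
           htmlspecialchars(test_php_globals_on($params), ENT_QUOTES, 'UTF-8'),
           test_php_globals_off($params));
}
```

Of the four requests, only `id=8&allowed=1` is answered differently by the two versions, because the second one initialises `$allowed` itself and reads nothing but `id` from the request.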

Author: ucavik