#14: Turning Off Registered Global Variables
PHP has a legacy misfeature that makes it slightly easier to access request parameters: with register_globals enabled, every GET, POST and cookie parameter (along with server and environment variables) is imported into the global scope as a variable of the same name. For example, if there is a POST parameter named myparm, PHP automatically creates a variable named $myparm holding its value. Unfortunately, this is a tremendous security risk, because a client can set any global variable this way. If you forget to initialize a variable before using it, say an $authorized flag that is assigned only on the login-success path, a request such as ?authorized=1 supplies the value for you, and the user now controls the vulnerable part of your script.
You can disable this feature by setting the register_globals directive to Off in your server's php.ini file:
register_globals = Off
Because register_globals is a PHP_INI_PERDIR directive, it cannot be switched off from inside a script with ini_set(); it has to be set in php.ini, in the web server configuration (php_flag register_globals off for Apache), or in an .htaccess file, and the change takes effect only after PHP or the web server is restarted. Fortunately, the default has been Off since PHP 4.2, and the directive was deprecated in PHP 5.3 and removed entirely in PHP 5.4. However, it's such a problem that on any older installation you should always double-check, with phpinfo(), with php -i | grep register_globals on the command line, or with ini_get('register_globals') from within a script.
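The following script is an added example, not code from Wicked Cool PHP. It shows three things the text describes: a startup check that refuses to run while register_globals is still On, the uninitialized-variable bug that the directive turns into an authorization bypass, and the hardened form of the same code. The names $authorized, myparm, user_id and authenticated_user() are hypothetical, chosen for illustration; no scalar type declarations are used so the script runs on the PHP 5.x releases where register_globals still exists.

```php
<?php
// Added example (not from the book). Hypothetical names: $authorized, myparm,
// $_SESSION['user_id'], authenticated_user().

// (1) Fail closed if the directive is still enabled. ini_get() returns the raw
//     php.ini string ("1", "On", "Off", "" ...), or false when the directive
//     does not exist at all, which is the case on PHP 5.4+ where it was removed.
function register_globals_enabled()
{
    $raw = ini_get('register_globals');
    if ($raw === false) {
        return false;                       // directive gone: cannot be on
    }
    return (bool) filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

if (register_globals_enabled()) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals is On; set "register_globals = Off" in php.ini and restart PHP');
}

session_start();

// Genuine authentication check: the login handler (not shown) stores the
// user's id in the session after verifying credentials.
function authenticated_user()
{
    return isset($_SESSION['user_id']);
}

// (2) VULNERABLE pattern, kept here only to show the bug. $authorized is
//     assigned on the success path only. With register_globals = On, a request
//     for admin.php?authorized=1 pre-defines the global $authorized before this
//     line runs, so an unauthenticated visitor passes the check that follows.
if (authenticated_user()) {
    $authorized = true;
}
if (!empty($authorized)) {
    // include '/highly/sensitive/report.php';   // reachable by anyone when On
}

// (3) HARDENED pattern: initialise every variable before use, so nothing the
//     request injected survives, and read parameters only through the
//     superglobals instead of relying on a magically created $myparm.
$authorized = false;
if (authenticated_user()) {
    $authorized = true;
}

$myparm = isset($_POST['myparm']) ? (string) $_POST['myparm'] : '';

if (!$authorized) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not authorized');
}

echo 'Welcome, user ' . (int) $_SESSION['user_id'] . "\n";
echo 'myparm = ' . htmlspecialchars($myparm, ENT_QUOTES, 'UTF-8') . "\n";
```

Note that the vulnerable section is written at file scope on purpose: register_globals injects into the global symbol table, so the bypass works against top-level code (or code that declares the variable with `global`), while a local variable inside a function is not affected. Initializing $authorized = false before the conditional closes the hole even on a server where the directive is still On; the startup check is there so the script never silently runs in that state.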