PHP REGISTER_GLOBALS turned off? Hack It Back
Last Updated on: September 15, 2022
REGISTER_GLOBALS is a PHP directive that, when enabled, automatically initialises variables with the values from forms, sessions, GET etc.
For example, the data in a login form with the input fields named “username” and “password” will automatically be available as $username and $password.
REGISTER_GLOBALS is, in my opinion, very bad practice and should be avoided – but that is a separate debate.
If you are moving a web application or PHP is upgraded/changed, and you have no control over the configuration of REGISTER_GLOBALS, the following hack will help:
foreach ($_GET as $key => $item) {
$$key = $item;
}
This will loop through each GET value and assign it to a local variable. You can use this same logic for $_POST, $_SESSION etc., by replacing $_GET in the foreach loop.
This code is intended for applications that need a temporary solution, are in a closed environment or are in testing.
I do not recommend using REGISTER_GLOBALS or this hack in a public application.
NOTE: Before PHP 4.2.0, REGISTER_GLOBALS was set to ON by default. Most hosts will now have REGISTER_GLOBALS disabled.
Get notified of new posts:
Hi,
naming vars like this is a great and easy way to bypass the directive.
But these kind of fixes have the result that people doesn’t program for modern web server (PHP5).
You are right that it is not good practice going forward – it should only be used as a temporary solution.