PHP REGISTER_GLOBALS turned off? Hack It Back

Last Updated on: September 15, 2022

REGISTER_GLOBALS is a PHP directive that, when enabled, automatically initialises variables with the values from forms, sessions, GET etc.

For example, the data in a login form with the input fields named “username” and “password” will automatically be available as $username and $password.

REGISTER_GLOBALS is, in my opinion, very bad practice and should be avoided – but that is a separate debate.

If you are moving a web application or PHP is upgraded/changed, and you have no control over the configuration of REGISTER_GLOBALS, the following hack will help:

foreach ($_GET as $key => $item) {
$$key = $item;
}

This will loop through each GET value and assign it to a local variable. You can use this same logic for $_POST, $_SESSION etc., by replacing $_GET in the foreach loop.

This code is intended for applications that need a temporary solution, are in a closed environment or are in testing.

I do not recommend using REGISTER_GLOBALS or this hack in a public application.

NOTE: Before PHP 4.2.0, REGISTER_GLOBALS was set to ON by default. Most hosts will now have REGISTER_GLOBALS disabled.


Get notified of new posts:


Similar Posts

2 Comments

  1. Hi,

    naming vars like this is a great and easy way to bypass the directive.

    But these kind of fixes have the result that people doesn’t program for modern web server (PHP5).

Leave a Reply

Your email address will not be published. Required fields are marked *