Security, php.ini, register_globals and register_long_arrays
Any discussion on the subject of super globals would be utterly incomplete if no mention was made about older versions of PHP and the php.ini settings register_globals and register_long_arrays. Thus, I will write briefly on these two subjects.
register_globals
As of PHP 5 the php.ini setting "register_globals" has a default setting of "off."
It looks like this in the php.ini file:
register_globals = off
When this setting is "on," PHP registers every incoming request variable as an ordinary global variable, so the values can be read without the super global arrays. This basically means that it does not matter how you send your variables. If you send a variable named first_name to the script "b.php" using the POST method, you do not have to use the familiar $_POST['first_name'] to get at the value you assigned to it. All you have to do is type your variable, $first_name. At first this seems like the easier and more logical choice, since it obviously requires the coder to type less code, but the practice was abandoned due to serious security risks. Quoting from the php.ini file: "You should do your best to write your scripts so that they do not require register_globals to be on. Using form variables as globals can easily lead to possible security problems, if the code is not very well thought of." The full implications of that statement are beyond the scope of this web page. Suffice it to say, writing code with register_globals on is usually not a good idea.
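The risk the php.ini comment warns about, shown as an added example that is not code from the original page. register_globals no longer exists in current PHP, so extract() is used here as an assumed stand-in for the setting; the is_admin field and the functions check_admin_login(), handler_with_register_globals() and handler_with_superglobals() are hypothetical names.

```php
<?php
// Constructed sample request, standing in for: POST b.php  first_name=Ada&is_admin=1
$request = ['first_name' => 'Ada', 'is_admin' => '1'];

// Hypothetical stand-in for a real login check; this visitor is NOT an administrator.
function check_admin_login(): bool
{
    return false;
}

// Coding style that register_globals = on encouraged. extract() emulates the
// setting (an assumption for this demo): every request key becomes a variable.
function handler_with_register_globals(array $request): array
{
    extract($request);                 // $first_name and $is_admin now exist
    if (check_admin_login()) {
        $is_admin = true;
    }
    // The script never initialised $is_admin, so the value sent in the
    // request is the one that reaches this line.
    return ['name' => $first_name, 'admin' => !empty($is_admin)];
}

// Coding style used with register_globals = off: each value is read from a
// named source, and flags owned by the script are set only by the script.
function handler_with_superglobals(array $post): array
{
    $is_admin   = check_admin_login();
    $first_name = isset($post['first_name']) ? (string) $post['first_name'] : '';
    return ['name' => $first_name, 'admin' => $is_admin];
}

var_dump(handler_with_register_globals($request));
var_dump(handler_with_superglobals($request));
```

The first handler reports the visitor as an administrator because the request supplied the flag. The second ignores the extra field and reports the result of the script's own check.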
register_long_arrays
register_long_arrays is also turned off by default in PHP 5. The only reason to turn this setting "on" would be to run older code on newer versions of PHP. Older PHP versions used "$HTTP_GET_VARS" instead of code like "$_GET['']."