Home/ Questions/Q 533255
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T09:29:25+00:00

I am not sure whether this would be good to be marked as community

  • 0

I am not sure whether this would be good to be marked as community wiki, but anyway:

Is there an easy way to kill the register_globals? I’m working on a PHP Framework and right now, I just set the script to terminate if register_globals is On. Although I prefer to force people to disable it, there are servers that still have that on.

I know that in PHP 5.3.0 register_globals is deprecated and in PHP 6 it will be completely removed, but it is always a good thing to deal with it while it is still here.

I saw some ways, and I’m currently thinking on using this:

$temp = array_merge($_GET, $_POST, $_COOKIE);
foreach($temp as $k => $v) {
    if(isset($$k)) unset($$k);
}

There are some problems over here, though. It is resource incentive, specially when there’s a lot of input data. I am not sure whether disabling it on runtime would work, for example:

ini_set('register_globals', 'Off')

Is there a better way that I haven’t heard of to get rid of register_globals? Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are methods of dealing with register_globals described in the PHP manual. The register_globals ini setting can’t be set at runtime by ini_set(), so if you can’t do it with an .htaccess or web server configuration file, the method provided there would be the official workaround.

    It basically provides this snippet of code to emulate compatibility:

    <?php
// Emulate register_globals off
function unregister_GLOBALS()
{
    if (!ini_get('register_globals')) {
        return;
    }

    // Might want to change this perhaps to a nicer error
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        die('GLOBALS overwrite attempt detected');
    }

    // Variables that shouldn't be unset
    $noUnset = array('GLOBALS',  '_GET',
                     '_POST',    '_COOKIE',
                     '_REQUEST', '_SERVER',
                     '_ENV',     '_FILES');

    $input = array_merge($_GET,    $_POST,
                         $_COOKIE, $_SERVER,
                         $_ENV,    $_FILES,
                         isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
    
    foreach ($input as $k => $v) {
        if (!in_array($k, $noUnset) && isset($GLOBALS[$k])) {
            unset($GLOBALS[$k]);
        }
    }
}

unregister_GLOBALS();

?>
    • 0