Home/ Questions/Q 9068287
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T17:09:21+00:00

I know register globals should not be used but cannot quite understand why? For

  • 0

I know register globals should not be used but cannot quite understand why?

For example: this is the code that I find so often to demonstrate the security risk of using register globals while passing something like example.com?authorized=1 to the script:

if (authenticated_user()) 
{ 
$authorized = true; 
} 

if ($authorized) 
{ 
include '/highly/sensitive/data.php'; 
}

My question is if the user has to pass authorized=1 in the url he should be aware of the variable names that i use in my script, right? How is that possible?

Also isn’t a function like parse_str() which behaves somewhat similar to register globals a security risk too?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    1. The attacker may have access to your source code via another security hole or privacy breach.
    2. The attacker can guess. It’s pretty trivial to build a bot to enumerate all the plausible variables names and try them against thousands of php sites. (?authorized=1, ?login=1, ?access=1, etc.)

    EDIT

    In response to parse_str, it depends what exactly the use case is, but in general probably.
    If parse_str is passed any user provided content, then yes, absolutely it’s unsafe.

    There may be some legitimate use cases for it where the input provided is not user-provided, but in general I’d stay away from it.

    I would also say the same about extract: https://www.php.net/manual/en/function.extract.php

    • 0