Tag archives: security

Using register_globals in PHP 5.5

From a security point of view, it’s not worth discussing the benefits and risks of using register_globals in PHP. It was only a matter of time before the PHP team completely removed this controversial feature, and so they did: register_globals was deprecated as of PHP 5.3 and removed as of PHP 5.4.

Anyway, there are a few situations in which you would like to update to the latest PHP version (> 5.4) but not lose the register_globals feature, e.g. when you are not allowed to change the code of a script that requires register_globals = on, or when it’s just too much (unpaid) work to find and edit all related code parts.

Assuming that you follow common security principles, this workaround will bring back register_globals functionality to PHP 5.4+:

  • Create an empty file register_globals.php in your PHP include directory (e.g. /usr/share/php).
  • Put this code into register_globals.php:
<?php extract($_REQUEST); ?>
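  • To make more variables global, add further superglobal arrays, e.g.:
<?php
// Later calls overwrite earlier ones, so $_SERVER values win over request data.
extract($_REQUEST);
extract($_SERVER);
// $_SESSION only exists once a session has been started.
if (isset($_SESSION)) {
    extract($_SESSION);
}
?>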
  • Add this directive to the end of your php.ini:
auto_prepend_file = 'register_globals.php'
  • Restart Apache:
sudo /etc/init.d/apache2 restart
  • or
sudo apachectl restart
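
A more defensive variant of register_globals.php, as an added example that is not part of the original post: it imports the same arrays but never overwrites an existing global or a superglobal, and it imports request data last. The helper name rg_import is hypothetical.

```php
<?php
// register_globals.php (added example, not the original post's code).
// rg_import() is a hypothetical helper name.

/**
 * Copy entries of $source into the global scope without replacing anything
 * that already exists there. Returns the names that were actually created.
 */
function rg_import(array $source)
{
    // Superglobals and special names must never be created from input data.
    static $reserved = array(
        'GLOBALS', 'this', '_GET', '_POST', '_COOKIE', '_REQUEST',
        '_SERVER', '_ENV', '_FILES', '_SESSION',
    );
    $created = array();
    foreach ($source as $name => $value) {
        // Numeric keys and names that are not plain identifiers are skipped.
        if (!is_string($name) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            continue;
        }
        if (in_array($name, $reserved, true)) {
            continue;
        }
        // First writer wins: an existing global is never overwritten.
        if (array_key_exists($name, $GLOBALS)) {
            continue;
        }
        $GLOBALS[$name] = $value;
        $created[] = $name;
    }
    return $created;
}

// $_SERVER entries first, request parameters last, so a request parameter
// cannot take the place of a $_SERVER entry such as REMOTE_ADDR.
rg_import($_SERVER);
if (isset($_SESSION)) {          // only set once a session has been started
    rg_import($_SESSION);
}
rg_import($_REQUEST);
```

Variables the legacy script never initialises can still be set from the request, exactly as with the original register_globals; the shim only stops request data from replacing superglobals or values imported earlier.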