From a security point of view, it’s not worth discussing the benefits and risks of using register_globals in PHP. It was just a matter of time the PHP team would completely remove this controversial feature. And so they did, register_globals had been deprecated as of PHP 5.3 and removed as of PHP 5.4.
Anyway, there are a few situations in which you would like to update to the latest PHP version (> 5.4) but not get lost of the register_globals feature – e.g. when you are not allowed to change the code of a script that requires register_globals = on or if it’s just too much (unpaid) work to find and edit all related code parts.
Assuming that you follow common security principles, this workaround will bring back register_globals functionality to PHP 5.4+:
- Create an empty file register_globals.php in your PHP include directory (e.g. /usr/share/php).
- Put this code into register_globals.php:
<?php extract($_REQUEST); ?>
- If you want to make more variables become global then simply add other global arrays, e.g.:
<?php
extract($_REQUEST);
extract($_SERVER);
extract($_SESSION);
?>
- Add this directive to the end of your php.ini:
auto_prepend_file = 'register_globals.php'
- Restart Apache:
sudo /etc/init.d/apache2 restart
- or
sudo apachectl restart