register_globals is evil

  2005-08-11


Disclaimer: I am not a PHP security expert. The open source PHP web application I develop, OpenIT isn’t exactly a poster child for best security practices.

I enjoyed reading Stefan Esser’s blog: register_globals is not evil, and I agree with many of the things he wrote. In fact the main problem I have with his article is the title. A more accurate (but less fun) title would be “register_globals is evil, but plan for it.”

In my humble opinion register_globals is one of the worst language “features” PHP has. Under no circumstances should it be used, and every night when I say my prayers I ask God to deprecate it in future versions of PHP. The ability for users to override/create arbitrary variables in a PHP application is frightening, and “C does it too!” is never appropriate to say in a discussion about security.

Stefan has some excellent points about how assuming register_globals is off in your web apps is the real security threat. As long as the evil that is register_globals exists in this world, PHP applications will have to contiue wasting their time protecting against it.

Unfortunately, OpenIT is one of these offending applications… I just committed a new .htaccess file to turn register_globals off, but this probably isn’t enough.