Quote:
|
Originally Posted by justsexxx
Just curious, what does this do?(or why you prefer off?)
|
Copying from php.net (
http://php.net/register_globals ):
Quote:
Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP 4.2.0. Reliance on this directive was quite common and many people didn't even know it existed and assumed it's just how PHP works. This page will explain how one can write insecure code with this directive but keep in mind that the directive itself isn't insecure but rather it's the misuse of it.
When on, register_globals will inject (poison) your scripts will all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this.
|
Basically, having it on increases the chance of badly written code creating security risks. Well-written code does not suffer from this, but turning it on increases chances of some random php script on your server becoming a security risk, possibly putting your entire server security at risk. The thing is, well-written code doesn't need register_globals on in the first place, so it isn't generally worth the trouble of turning it on.
That coupled with the fact that the default is now "off" (which means that on any recent php installation, you'll actually need to make changes that lower security for this) makes me doubt the competence of any programmer requiring it to be "on".