
register_globals Era & Why It Was Dangerous

Language: PHP · Applies to: PHP 3.0+ · Level: Intermediate

TL;DR

PHP 4 shipped with register_globals=On by default, so every GET/POST/COOKIE value was injected into the script as a global variable. That made PHP synonymous with insecurity until the setting became off-by-default in PHP 4.2.

Explanation

register_globals was on by default in PHP 3 and in PHP 4.0 through 4.1. PHP 4.2 (2002) turned it off by default, a turning point for PHP security. Before that, every GET/POST/COOKIE parameter became a global variable in the script, and millions of PHP applications carried authentication-bypass vulnerabilities as a result. The classic bug was a script that set a flag such as $authorized only after a successful login and then tested it: with register_globals on, a request parameter of the same name set the flag before the check ever ran.

The history behind it: PHP was designed for small scripts, and security was an afterthought. The shift to off-by-default caused an enormous backlash, because many applications broke, but it was essential. register_globals was deprecated in PHP 5.3 and removed in PHP 5.4. It is the single biggest security mistake in PHP's history.

Common Misconception

"register_globals was a minor issue." It was not: it made every PHP app before 2002 trivially vulnerable to authentication bypass and was responsible for thousands of exploits.

Why It Matters

Understanding the register_globals era explains why PHP has a reputation for insecurity and why modern PHP security practices (explicit input validation) are so emphasised.

Common Mistakes

  • Not auditing inherited legacy code for register_globals assumptions.
  • Assuming all PHP before 5.4 is safe if register_globals was off — other security issues remained.

Code Examples

✗ Vulnerable
<?php
// PHP with register_globals=On: request parameters become globals before the
// script runs, so a request for ?admin=1 sets $admin = '1' and the check passes.
if ($admin) {
    echo 'Welcome, administrator'; // Auth bypass!
}
✓ Fixed
<?php
// Modern: always explicit. Read the flag from the server-side session, never from
// a variable the script did not assign itself.
session_start();
$isAdmin = (bool)($_SESSION['is_admin'] ?? false);
if ($isAdmin) {
    echo 'Welcome, administrator';
}
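The audit that the Common Mistakes list and the Quick Fix call for (check every variable for an explicit assignment instead of relying on implicit creation) can be mechanised with PHP's own tokenizer. The following is an added example written for this entry, not code from the CodeClarityLab page or from phpcs; the function names and the sample legacy file are constructed for the demonstration, and the heuristics are deliberately conservative.

```php
<?php
// Added example, not code from the CodeClarityLab entry: a token-level audit for legacy PHP
// files that still assume register_globals. It reports (1) variables that are read but never
// assigned anywhere in the file, which only "worked" because register_globals filled them from
// the request, and (2) calls that recreate that behaviour even with register_globals=Off:
// extract() on a request superglobal and import_request_variables(). All names here are this
// example's own. Requires PHP 7.4 or later (arrow functions, T_COALESCE_EQUAL).

const SUPERGLOBALS = ['$GLOBALS', '$_GET', '$_POST', '$_COOKIE', '$_REQUEST',
                      '$_SERVER', '$_ENV', '$_FILES', '$_SESSION', '$this'];
const REQUEST_SUPERGLOBALS = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST'];
const COMPOUND_ASSIGN = [T_PLUS_EQUAL, T_MINUS_EQUAL, T_CONCAT_EQUAL, T_COALESCE_EQUAL];

// True when the T_VARIABLE at $i is the target of "$v = ..", "$v .= .." or "$v[..] = ..".
function isAssignmentTarget(array $tokens, int $i): bool
{
    $j = $i + 1;
    // Step over index expressions ($v['key'], $v[]) so "$v[] = x" still counts as an assignment.
    while (($tokens[$j] ?? null) === '[') {
        for ($depth = 0; isset($tokens[$j]); $j++) {
            if ($tokens[$j] === '[') { $depth++; }
            elseif ($tokens[$j] === ']' && --$depth === 0) { $j++; break; }
        }
    }
    $next = $tokens[$j] ?? null;
    // '==' tokenizes as T_IS_EQUAL (an array), so a bare '=' string is a real assignment.
    return $next === '=' || (is_array($next) && in_array($next[0], COMPOUND_ASSIGN, true));
}

// Returns findings as [['line' => int, 'msg' => string], ...] for one PHP source string.
function auditRegisterGlobals(string $code): array
{
    // Drop whitespace and comments so previous/next-token checks are straightforward.
    $tokens = array_values(array_filter(token_get_all($code), static fn($t) =>
        !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)));
    $declared = $firstSeen = $findings = [];    // declared: name => true; firstSeen: name => line
    $depth = 0;                                 // current parenthesis depth
    $pendingDecl = $pendingForeach = $inGlobalStmt = false;
    $declDepth = $foreachDepth = null;          // depth of an open parameter list / foreach header

    foreach ($tokens as $i => $t) {
        if ($t === '(') {
            $depth++;
            if ($pendingDecl)    { $declDepth = $depth;    $pendingDecl = false; }
            if ($pendingForeach) { $foreachDepth = $depth; $pendingForeach = false; }
        } elseif ($t === ')') {
            if ($declDepth === $depth)    { $declDepth = null; }
            if ($foreachDepth === $depth) { $foreachDepth = null; }
            $depth--;
        } elseif ($t === ';') {
            $inGlobalStmt = false;
        }
        if (!is_array($t)) { continue; }
        [$id, $text, $line] = $t;
        $prev = $tokens[$i - 1] ?? null; $next = $tokens[$i + 1] ?? null;

        if ($id === T_FUNCTION || $id === T_FN || $id === T_CATCH) { $pendingDecl = true; continue; }
        if ($id === T_FOREACH) { $pendingForeach = true; continue; }
        if ($id === T_GLOBAL)  { $inGlobalStmt = true; continue; }
        if ($id === T_STRING) {                 // unqualified function-call names
            $fn = strtolower($text);
            $arg = $tokens[$i + 2] ?? null;     // first argument token, if any
            if ($fn === 'import_request_variables' && $next === '(') {
                $findings[] = ['line' => $line, 'msg' => 'import_request_variables() re-creates register_globals'];
            } elseif ($fn === 'extract' && $next === '(' && is_array($arg) && $arg[0] === T_VARIABLE
                      && in_array($arg[1], REQUEST_SUPERGLOBALS, true)) {
                $findings[] = ['line' => $line, 'msg' => "extract({$arg[1]}) injects request data into the local scope"];
            }
            continue;
        }
        if ($id !== T_VARIABLE || in_array($text, SUPERGLOBALS, true)) { continue; }
        $firstSeen[$text] = $firstSeen[$text] ?? $line;
        $isDecl = $declDepth !== null                                  // function/catch parameter
            || $inGlobalStmt                                           // global $a, $b;
            || ($foreachDepth !== null && is_array($prev)
                && in_array($prev[0], [T_AS, T_DOUBLE_ARROW], true))   // foreach (.. as $k => $v)
            || isAssignmentTarget($tokens, $i);
        if ($isDecl) { $declared[$text] = true; }
    }
    foreach ($firstSeen as $name => $line) {
        if (!isset($declared[$name])) {
            $findings[] = ['line' => $line, 'msg' => "$name is read but never assigned in this file (register_globals assumption?)"];
        }
    }
    usort($findings, static fn($a, $b) => $a['line'] <=> $b['line']);
    return $findings;
}

// Constructed legacy snippet for the demo: $admin and $items are never assigned anywhere, and
// extract($_REQUEST) reintroduces the problem even with register_globals=Off.
$legacySource = <<<'PHP'
<?php
if ($admin) { echo 'Welcome, administrator'; }
$page = isset($page) ? $page : 'home';
extract($_REQUEST);
function render($title) { global $theme; $out = '<h1>' . $title . '</h1>'; $errors[] = $out; return $out; }
foreach ($items as $item) { echo $item; }
PHP;
foreach (auditRegisterGlobals($legacySource) as $finding) {
    printf("line %d: %s\n", $finding['line'], $finding['msg']);
}
```

Run it over each file of an inherited tree (feed `file_get_contents()` of every `.php` file to `auditRegisterGlobals()`) and triage the output. It recognises plain and compound assignments, array-element assignments, function and catch parameters, foreach targets and `global` declarations as "assigned"; `list()`/`[$a, $b] = ...` destructuring and variable-variables are treated as reads, so a few false positives are expected. A counter such as `$count++` on a never-assigned variable is flagged on purpose: under register_globals its starting value came from the request.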

Added 23 Mar 2026
Tools & Severity

Severity: Critical. Fix effort: High.

Quick Fix: Historical context. For legacy code: audit all variables for explicit superglobal assignment. Never rely on implicit variable creation.

Applies To: PHP 3.0+ (web).

Detection Hints: register_globals. Auto-detectable: yes (phpcs).

AI Agent assessment: Confidence High; False positives Low; Manual fix; Fix effort High; Context: File; Tests: Update.

CWE: CWE-473, CWE-284.
