register_globals (Legacy Audit)
Also Known As
register_globals PHP
legacy PHP globals
removed PHP setting
TL;DR
A removed PHP setting that automatically created global variables from GET/POST/COOKIE input, enabling trivial variable injection attacks.
Explanation
register_globals, off by default since PHP 4.2.0, deprecated in PHP 5.3 and removed in PHP 5.4, caused every GET, POST and COOKIE parameter (and, depending on variables_order, ENV and SERVER entries) to be injected into the script's global scope as an ordinary variable. A request such as ?isAdmin=1 therefore set $isAdmin = '1' (a truthy string) in any script that read $isAdmin without assigning it first, trivially bypassing checks of the form if ($isAdmin). The setting is long gone, but legacy codebases still running on outdated PHP versions, or code migrated from that era, may still contain logic that assumed register_globals behaviour, or a shim that emulates it. When auditing legacy PHP, look for variables that are read before they are unconditionally initialised, for extract() or a bare parse_str() applied to request data, and treat any such variable as potentially attacker-controlled.
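The audit described above, as an added worked example that is not code from the original page: a token-level scan of one PHP file that flags shims re-creating register_globals (extract() on a request superglobal, parse_str(), import_request_variables()) and variables that are read before any assignment, or read at a shallower brace depth than every assignment seen so far (the "if (...) { $ok = true; } if ($ok)" shape that ?ok=1 exploited). The function names (auditSource, near), the constant names and the legacy sample source are this example's own constructions; it needs PHP 7.4 or later for T_COALESCE_EQUAL and is a heuristic with no scope, flow or include analysis.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original page (names such as auditSource and
// $legacySample are this example's own; needs PHP 7.4+). A per-file, token-level
// audit for register_globals hangovers: shims that re-create it (extract() on request
// data, parse_str(), import_request_variables()), variables read before any assignment,
// and variables read at a shallower brace depth than every assignment seen so far,
// e.g. "if (...) { $ok = true; } if ($ok)", the shape ?ok=1 exploited. Heuristic only:
// no scope, flow or include analysis, and by-reference out-params look like reads.

const REQUEST_GLOBALS = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST'];
const NOT_USER_VARS   = ['$this', '$GLOBALS', '$_GET', '$_POST', '$_COOKIE', '$_REQUEST',
                         '$_SERVER', '$_ENV', '$_FILES', '$_SESSION', '$argv', '$argc'];
const ASSIGN_OPS = [T_PLUS_EQUAL, T_MINUS_EQUAL, T_MUL_EQUAL, T_DIV_EQUAL, T_CONCAT_EQUAL,
                    T_MOD_EQUAL, T_AND_EQUAL, T_OR_EQUAL, T_XOR_EQUAL, T_COALESCE_EQUAL];

/** Nearest non-whitespace, non-comment token from $i stepping by $dir, as [index, id, text]. */
function near(array $tokens, int $i, int $dir): ?array
{
    for (; isset($tokens[$i]); $i += $dir) {
        $t = $tokens[$i];
        if (!is_array($t)) { return [$i, null, $t]; }   // one-character token: "(", "=", "{", ...
        if (!in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) { return [$i, $t[0], $t[1]]; }
    }
    return null;
}

/** Returns findings as "line: message" strings for one PHP source string. */
function auditSource(string $src): array
{
    $tokens = token_get_all($src);
    $findings = $minWrite = $reported = [];   // $minWrite: '$name' => shallowest depth written at
    $depth = 0;
    $inSignature = false;                     // between "function f(" and its "{": params are writes

    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            if ($t === '{') { $depth++; $inSignature = false; }
            elseif ($t === '}') { $depth--; }
            elseif ($t === ';') { $inSignature = false; }
            continue;
        }
        [$id, $text, $line] = $t;
        if ($id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            $depth++;                         // "{$x}" inside a string; its "}" is a plain token
        } elseif ($id === T_FUNCTION) {
            $inSignature = true;
        } elseif ($id === T_STRING) {         // bare name, possibly a function call
            $open = near($tokens, $i + 1, +1);
            if ($open === null || $open[2] !== '(') { continue; }
            $fn  = strtolower($text);
            $arg = near($tokens, $open[0] + 1, +1);
            if ($fn === 'extract' && $arg !== null && in_array($arg[2], REQUEST_GLOBALS, true)) {
                $findings[] = "$line: extract({$arg[2]}) turns request parameters into variables";
            } elseif ($fn === 'parse_str' || $fn === 'import_request_variables') {
                $findings[] = "$line: $fn() can populate local variables from the request";
            }
        } elseif ($id === T_VARIABLE && !in_array($text, NOT_USER_VARS, true)) {
            $prev = near($tokens, $i - 1, -1);
            $next = near($tokens, $i + 1, +1);
            $isWrite = $inSignature
                || ($next !== null && ($next[2] === '=' || in_array($next[1], ASSIGN_OPS, true)))
                || ($prev !== null && in_array($prev[1], [T_AS, T_DOUBLE_ARROW, T_GLOBAL, T_STATIC], true));
            if ($isWrite) {                   // "=>" also matches array literals; accepted as a heuristic
                $minWrite[$text] = min($minWrite[$text] ?? PHP_INT_MAX, $depth);
                continue;
            }
            $callee = ($prev !== null && $prev[2] === '(') ? near($tokens, $prev[0] - 1, -1) : null;
            if ($callee !== null && in_array($callee[1], [T_ISSET, T_EMPTY], true)) { continue; }  // guard, not a read
            $why = !isset($minWrite[$text]) ? 'before any assignment in this file'
                 : ($minWrite[$text] > $depth ? "at depth $depth but only assigned in nested blocks" : null);
            if ($why !== null && !isset($reported[$text])) {
                $findings[] = "$line: $text is read $why";
                $reported[$text] = true;
            }
        }
    }
    return $findings;
}

// Constructed sample of a legacy handler (not from any real code base).
$legacySample = <<<'SRC'
<?php
if (isset($_POST['pw']) && $_POST['pw'] === 'hunter2') {
    $authenticated = true;
}
if ($authenticated) {                   // ?authenticated=1 used to walk straight in
    echo "admin panel";
}
extract($_REQUEST);                     // "compatibility shim" added after the upgrade
parse_str($_SERVER['QUERY_STRING']);    // same effect by another route
foreach ($_POST['items'] as $item) {
    $cart[] = $item;                    // $cart could be pre-seeded via ?cart[]=...
}
echo count($cart);
SRC;

foreach (auditSource($legacySample) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the constructed sample it reports four findings: $authenticated on the line that tests it (its only assignment sits one block deeper), the extract($_REQUEST) call, the parse_str() call, and $cart at the $cart[] = $item line; $item is not reported because the foreach assigns it at the same depth before it is read. To audit a tree, pass each file's contents from file_get_contents() to auditSource() and review the findings by hand: a read with no assignment may legitimately come from an included file, which is exactly the case that needs a human to confirm.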
Common Misconception
✗ register_globals was a minor convenience feature. It was one of the most dangerous PHP defaults ever (it shipped enabled until PHP 4.2.0): it automatically injected all GET/POST/COOKIE values as global variables, making it trivial to plant a chosen value in any variable the script read before initialising it.
Why It Matters
register_globals automatically created PHP variables from GET/POST/cookie data — removed in PHP 5.4 because it allowed attackers to inject arbitrary variables into scripts by crafting request parameters.
Common Mistakes
- Legacy code that relied on register_globals and was 'fixed' by adding extract($_REQUEST), extract($_GET) or a bare parse_str() as a compatibility shim: this replicates the vulnerability exactly, now in user space.
- Not auditing old codebases for implicit reliance on register_globals (variables read before they are assigned) before upgrading PHP.
- Assuming that explicit $_GET/$_POST/$_COOKIE access is sufficient on its own: it removes the injection, but every value read from a superglobal still has to be validated, and authorisation state must come from the server side, not the request.
Code Examples
✗ Vulnerable
// register_globals emulated in user space: extract() on request data
session_start();
extract($_REQUEST);           // ?admin=1 creates $admin = '1' (a truthy string)
if ($admin) {                 // $admin is never initialised by the script itself
    grantAccess();            // hypothetical helper; bypassed via the URL parameter
}
// Safe equivalent: the flag must come from server-controlled state, not user input
$admin = $_SESSION['is_admin'] ?? false;
✓ Fixed
// register_globals was removed in PHP 5.4, but know what it did:
// a GET of ?admin=1 created $admin = '1' in every script, automatically.
// Modern PHP: read input only from superglobals, explicitly, with a default.
$name  = trim((string) ($_POST['name'] ?? ''));
$token = (string) ($_COOKIE['tok'] ?? '');
// Authorisation state comes from server-side session data, never from the request.
session_start();
$admin = (bool) ($_SESSION['is_admin'] ?? false);
// Validate every value read from a superglobal; never trust raw input.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {   // missing (null) or not an integer (false)
    http_response_code(400);
    exit;
}
Added
15 Mar 2026
Edited
22 Mar 2026
Related categories
⚡ DEV INTEL
Tools & Severity
🔴 Critical
⚙ Fix effort: High
⚡ Quick Fix
register_globals was removed in PHP 5.4. If you still maintain code that relied on it, migrate to explicit, validated $_GET/$_POST/$_COOKIE access and initialise every variable before it is read; any code that still depends on the setting, or on an extract() shim standing in for it, is dangerously outdated.
📦 Applies To
PHP 4.x and 5.0 to 5.3 (the ini setting); any PHP version where extract() or parse_str() shims emulate it
web
🔗 Prerequisites
🔍 Detection Hints
Code that reads variables such as $username or $loggedIn without ever assigning them (no $_GET/$_POST/$_COOKIE read, no initialisation); extract($_REQUEST), extract($_GET), bare parse_str() or import_request_variables() calls; php.ini or .htaccess still setting register_globals = On; legacy code written assuming request variables are available as globals
Auto-detectable:
✓ Yes
semgrep
rector
⚠ Related Problems
🤖 AI Agent
Confidence: High
False Positives: Low
✗ Manual fix
Fix: High
Context: File
Tests: Update
CWE-473