
register_globals (Legacy Audit)

PHP CWE-473 OWASP A3:2021 CVSS 9.8 PHP 5.0+ Beginner
debt(d5/e7/b7/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5), since semgrep/rector can flag uninitialized variable usage and extract($_REQUEST) patterns, but the symptom is silent in legacy code — variables just appear to work.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7), because every variable usage that implicitly depended on globals must be rewritten to explicit $_GET/$_POST/$_COOKIE access throughout the legacy codebase.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7), since register_globals reliance shapes how every script reads input; it applies to the web context broadly, and removing it touches the entire request-handling surface.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7), per the misconception: developers mistake it for a minor convenience when it's actually a system-wide injection vector; the 'compatibility shim' extract($_REQUEST) recreates the exact vulnerability.


Also Known As

register_globals PHP legacy PHP globals removed PHP setting

TL;DR

A removed PHP setting that automatically created global variables from GET/POST/COOKIE input, enabling trivial variable injection attacks.

Explanation

register_globals, deprecated in PHP 5.3 and removed in PHP 5.4, caused all GET, POST, and COOKIE parameters to be injected as global variables. This meant a URL like ?isAdmin=1 would define $isAdmin as the truthy string '1' in any script that did not initialise it first, trivially bypassing authentication. The setting is long removed, but legacy codebases running on outdated PHP versions, or code migrated from such codebases, may still contain logic that assumed register_globals behaviour. When auditing legacy PHP, check for uninitialised variable usage and assume any global variable may be attacker-controlled.

Common Misconception

That register_globals was a minor convenience feature. In reality it was one of the most dangerous PHP defaults ever: it automatically injected all GET/POST/COOKIE values as global variables, making it trivial to inject malicious values into any uninitialized variable in the script.

Why It Matters

register_globals automatically created PHP variables from GET/POST/cookie data — removed in PHP 5.4 because it allowed attackers to inject arbitrary variables into scripts by crafting request parameters.

Common Mistakes

  • Legacy code that relied on register_globals and was 'fixed' by adding extract($_REQUEST) — same vulnerability.
  • Not auditing old codebases for implicit reliance on register_globals before upgrading PHP.
  • Using extract() on user input as a compatibility shim — replicates the vulnerability exactly.
  • Not understanding that modern code using proper $_GET/$_POST access is the secure replacement.
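The extract($_REQUEST) shim from the list above, beside an allowlist import that only pulls keys the script declares, as an added example that is not part of the original entry. The $request array is constructed here to stand in for $_REQUEST, and legacyCheck(), importRequest() and hardenedCheck() are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed request standing in for $_REQUEST, as sent by ?name=alice&admin=1
$request = ['name' => 'alice', 'admin' => '1'];

// Legacy "compatibility shim": extract() recreates register_globals.
// The script never initialises $admin, so the request gets to define it.
function legacyCheck(array $request): string
{
    extract($request);                 // creates $name and $admin from request keys
    return !empty($admin) ? 'granted' : 'denied';
}

// Replacement: import only the keys this script declares, each with an
// explicit default whose type decides the validation. Undeclared keys
// such as 'admin' are ignored, so the request cannot define new variables.
function importRequest(array $request, array $schema): array
{
    $clean = [];
    foreach ($schema as $key => $default) {
        $value = $request[$key] ?? $default;
        if (is_int($default)) {
            $int = filter_var($value, FILTER_VALIDATE_INT);
            $clean[$key] = ($int === false) ? $default : $int;
        } else {
            // Reject arrays (?name[]=x) and other non-scalars outright.
            $clean[$key] = is_scalar($value) ? trim((string) $value) : $default;
        }
    }
    return $clean;
}

// Hardened check: the authorisation decision comes from server-side state
// (a session flag), and the request contributes only the declared fields.
function hardenedCheck(array $request, bool $sessionIsAdmin): string
{
    $in = importRequest($request, ['name' => '', 'page' => 1]);
    return $sessionIsAdmin ? "granted to {$in['name']}" : 'denied';
}

echo legacyCheck($request), PHP_EOL;          // decided by the URL parameter
echo hardenedCheck($request, false), PHP_EOL; // decided by the session flag
```

Running both checks against the same request shows why the shim and the setting it imitates are equivalent: whatever the request names becomes a variable the script will trust.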

Code Examples

✗ Vulnerable
// register_globals equivalent — extract() on user input:
extract($_REQUEST); // ?admin=1 creates $admin = '1'
if ($admin) grantAccess(); // Bypassed via URL parameter

// Safe equivalent:
$admin = $_SESSION['is_admin'] ?? false; // Server-controlled, not user-supplied
✓ Fixed
<?php
// register_globals was removed in PHP 5.4, but know what it did:
// GET ?admin=1 would automatically create $admin = '1'
// This was a catastrophic security hole

// Modern PHP: always read from superglobals explicitly:
$admin = (int)    ($_GET['admin']  ?? 0);  // explicit source; the authorisation decision itself still belongs in $_SESSION
$name  = trim(    $_POST['name']   ?? '');
$token = (string) ($_COOKIE['tok'] ?? '');

// Validate every superglobal value; never trust raw input:
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT); // null if missing, false if not an integer
if (!$id) {
    http_response_code(400);
    exit;
}

Added 15 Mar 2026
Edited 13 Jun 2026
DEV INTEL Tools & Severity
Severity: Critical. Fix effort: High.
Quick Fix: register_globals was removed in PHP 5.4 — if you're still supporting code that relied on it, migrate to explicit $_GET/$_POST/$_COOKIE access; any code using this is dangerously outdated.
Applies To: PHP 5.0+ web
Detection Hints: Code using variables like $username without a $_GET/$_POST prefix; legacy code written assuming request variables are available as globals.
Auto-detectable: Yes (semgrep, rector)
AI Agent: Confidence: High; False Positives: Low; Manual fix; Fix: High; Context: File; Tests: Update
CWE-473
