Intended Audience
Introduction
register_globals
How do the variables get to PHP?

From the URL

From a Form

From a Cookie

From the Environment or the Server
Use the superglobals!

Why are they called superglobals?
Other Coding Techniques

Ways to Hack
Summary
About The Author

Intended Audience
Prior to PHP 4.2.0, the default value for the PHP configuration parameter register_globals was On. Many PHP programmers took advantage of the ease of use this configuration provided.

This article is intended for PHP programmers who have, in the past, relied on the register_globals On, and now wish to change their coding style to reflect the new default for this parameter. It will also be of interest to programmers using an ISP hosted PHP environment where they do not control the values of the PHP configuration file.

Introduction
I consider one of the strengths of PHP the easy learning curve. PHP allows for embedding small portions of PHP into an HTML file, allowing HTML authors to ease into the language. PHP has a very C-like syntax, allowing for easy transition of programmers familiar with C. Weak variable typing, the flexibility and power of PHP many extensions, and abundant examples and articles on the Internet also contribute to the easy learning curve for PHP.

One recent change in PHP may increase the learning curve some. With the release of PHP 4.2.0, the default value for register_globals is now Off. This takes away one of the features that made PHP so easy to learn (a problem which it is the goal of this article to rectify).

Why was this done? In a word: security. You code is inherently more stable when you initialize and know where each variable in your source is coming from. Caution must always be taken when receiving input from a user, and allowing the user to arbitrarily make variables in your code is not good coding practice. This is perhaps better explained by the PHP developers themselves in http://www.php.net/release_4_1_0.php (see the section titled SECURITY: NEW INPUT MECHANISM) and http://www.php.net/manual/en/security.registerglobals.php.
register_globals
The register_globals configuration parameter is controlled in your php.ini file. See http://www.php.net/manual/en/configuration.php for more information on the configuration file. The register_globals parameter http://www.php.net/manual/en/configuration.php#ini.register-globals can take two values, On or Off. Prior to PHP version 4.2, On was the default, but this has now changed, and modifying your coding to accommodate this change is the subject of this article.

How do the variables get to PHP?
Experienced PHP programmers who have used URL query parameters, forms and cookies will find this section redundant, and may wish to go directly to the section on superglobals.

Variables come from many sources. Once source is initializing them yourself, $var = ’value’;. Described in the following sections are several other ways to get variables into your script, including as part of the URL, a form, a cookie, or part of the environment the server runs in. These examples are described from the perspective of a server using register_globals On, and you will learn later in the article how and where to get these values with register_globals Off.

From the URL
One of the most common ways to get information is by passing query parameters. The following is the anatomy of a URL (for more information on parsing a URL in PHP see http://www.php.net/manual/en/function.parse-url.php ):




Scheme controls the protocol used by the client and server for the request. Http and https are the most common protocols used, but you might specify another like ftp.
User and password information for basic HTTP authentication can be passed as part of the URL.
Host is the IP address or D