PHP $_GET['X'] as $X by default

Question

I have been learning PHP on my own and I've used a web host account to test my scripts, where they have register_globals on by default. I know that this is not secure but I haven't bothered when just testing sample code.

Now I'm working on a small live site for a non-profit organization I'm a member of and the host they are using have register_globals off by default, as it should be.

So, now my question. I have been used to this working (with register_globals on):

Presume we are loading index.php?pID=1. The code of index.php will contain this row:

if($pID==1) include('content1.php');

Note that I've used $pID and not $_GET['pID'] and that I haven't assigned $_GET['pID'] to $pID anywhere in my code. This has worked fine anyway. So (of course) I'm wondering if it's because of register_globals being off that this is suddenly not working when I'm using the same code on my orgs host?

If so, is there a work-around to make superglobals magic again or do I have to live with manually assigning all $_GET variables to my own globals?

Answer 1

DO NOT attempt to implement register_globals, it is a massive security hole and never should have been implemented in the first place. Hence why it was deprecated in PHP 5.3 and removed in PHP 5.4.

You don't need to re-assign your variables, just replace them with the $_GET equivalents. I.E.

if($pID==1) include('content1.php');

should become

if($_GET['pID']==1) include('content1.php');

---

To demonstrate why register_globals was bad, take a look at this simplified example:

if(login_success('admin')) {
  $admin = 1;
}

if($admin == 1) {
  require('super-secret-admin-file.php');
}

Because $admin is never initialized anywhere, if register_globals was on and you opened file.php?admin=1 you would gain access to the admin section of the site regardless of if you are an admin or not.