When register_globals is on, session variables overwrite global variables

First published on July 10, 2007

It is argued that there are many reasons why register_globals should be set to off on your PHP installation. It’s a bit of a security risk and allows you to code sloppily (although this is kind of nice for amateur coders like me).

However, another reason to avoid having register_globals set to on is a rather weird variable overwrite feature. If you use a session variable in a script with the same name as one of your global variables, the session variable will overwrite the global variable! Oddly, neither the GET nor POST variables affect the global variable in the same way…

$canadaday = 'July 1st';
$_SESSION['canadaday'] = 'July 2nd';

print '<p>When is Canada Day?</p>';
print '<p><strong>' . $canadaday . '</strong></p>';


(In this case, you should probably be using different variable names too.)

With register_globals set to on, Canada Day is erroneously on July 2nd…


One Response to “When register_globals is on, session variables overwrite global variables”

  1. Ken says:

    Thank you for this article! I have been wracking my brain over this one for a while!
    I’d have something similar to your canadaday or more commonly, I’d set some configuration variables using $GLOBALS['package']['subpackage'][… and use the same tree in $_SESSION for session dependent variables.

    Now I know I’m not going insane.

    Guess I’ll just have to code it the proper way with constants. Or use dots instead of sub-arrays.

Speak your mind

To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Click to hear an audio file of the anti-spam word