A brief unofficial history about register_globals in PHP

It’s been a long road and exactly five years (35 releases) since the much discussed and highly controversial PHP directive register_globals has been disabled by default in PHP. After sifting through the mailing list archives, the following set of information has been compiled. Feel free to make additions, corrections, and report register_globals memories!

First, a few tidbits

  • As of today, April 22, 2007, register_globals has been disabled (by default) for five years. That’s when PHP 4.2.0 was released.
  • PHP 3 did not have register_globals because it was simply how PHP behaved. However, some people used $HTTP_*_VARS if track_vars was on (it was on by default, and always on since PHP 4.0.3).
  • You cannot set register_globals at runtime, and there have been at least 100 [deleted] user comments within the manual showing hacks how. This FAQ shows how. Don’t do it though.
  • The order variables are registered via register_globals is determined by variables_order, a directive that also affects which variables (including superglobals) will exist in PHP. Don’t let the name fool you, this is one powerful PHP directive! In PHP 3, gpc_order was used instead.
  • Most “Why PHP is insecure” articles show how to write insecure code with register_globals = on, and eventually register_globals (not poor programming) is blamed as the culprit. It rarely is.
  • Strangely the 4.2.0 release announcement does not contain the string “register_globals” but of course it refers to it, and is highlighted in the ChangeLog.
  • There’s plenty of code within cvsold.php.net that requires register_globals = on but that’s okay because it’s not a big concern. It however is slowly being updated.

A somewhat brief timeline

  • Jan 01, 2000: It was briefly named gpc_globals, but renamed in PHP 4 Beta 4
  • Apr 07, 2000: Zeev creates php.ini-recommended, it contains “register_globals = off” (Originally named php.ini-optimized)
  • May 22, 2000: PHP 4.0.0 is released, and register_globals is born.
  • Aug 23, 2000: It was first documented by James Moore.
  • Sep 05, 2000: Rememberable quote: “… he who doesn’t do anything, doesn’t go wrong.~~ Zeev Suraski
  • Sep 10, 2000: Zeev asked for register_globals and $HTTP_*_VARS to be well documented (Lars Torben Wilson does so immediately).
  • Oct 11, 2000: PHP 4.0.3 is released, and the track_vars directive is removed so the $HTTP_*_VARS variables are now always defined. Also, the old school magical use of <? php_track_vars ?> is removed.
  • Oct 20, 2000: The last version of PHP 3 is released (3.0.18).
  • Jul 03, 2001: The paper “A Study In Scarlet” is written and passed around. This rapidly fueled anti-register_globals sentiment.
  • Jul 07, 2001: After some discussion, Rasmus debunked it and explained why register_globals is not insecure. Thoughts of a filter mechanism start brewing.
  • Jul 29, 2001: Rasmus submits a proposal for adding the super globals, and for a function that eventually becomes import_request_variables(). Also, this records the first use of the string “super-globals”
  • Aug 03, 2001: A bug report asks about setting register_globals via ini_set() and the topic is documented a day later. You can’t, but people keep trying. Well you can, but it won’t be very useful.
  • Aug 08, 2001: The register_globals = off change almost happened in PHP (4.0.7|4.1.0) but additional time was allowed to pass.
  • Aug 11, 2001: A note is added to php.ini-dist referring to the security section in the manual, a section that advises register_globals = off
  • Dec 05, 2001: Derick records the first use of the string “superglobals”
  • Dec 10, 2001: PHP 4.1.0 is released thus giving birth to our superglobals. A warning about register_globals = on is provided, and register_globals is officially deprecated. The name autoglobals was also used for a while.
  • Mar 06, 2002: Carl is born, and it’s generally hoped that he’ll live in a world free from register_globals and magical quotes.
  • Apr 22, 2002: PHP 4.2.0 is released, PHP now defaults to register_globals = off!
  • Apr 22, 2002: From this date forward, questions about why is $PHP_SELF empty, where is $foo, and the like are asked around the world. Many types of answers result but eventually users start understanding what happened and stop reading old outdated tutorials and books. Painful but in the end worth it. For it has been written, without pain there can be no gain.
  • Jul 13, 2004: PHP 5.0.0 is released. From Beta 1 (Jun-29-2003) 2-3-4, RC 1 (Mar-18-2004) 2-3, to an eventual release. Also, the register_long_arrays directive is created which deprecates the $HTTP_*_VARS.
  • Aug 12, 2005: A post titled PHP 6.0 Wishlist is submitted, and Rasmus wished for the removal of register_globals. As it turned out, everyone was hoping and thinking about the same wish. The thread is long.
  • Mar 07, 2006: Pierre removes register_globals from CVS HEAD (PHP 6).
  • Apr 22, 2007: The fifth year anniversary of register_globals being off by default, where has all the time gone?!
  • Apr 22, 2007: SE results for register_globals (G! 2,830,000, Y! 1,740,000), and for superglobals (G! 75,400, Y! 71,600).
  • Unknown 2008: PHP 6 is released, and register_globals no longer exists. RIP!

Happy 5th Anniversary “register_globals = off” … thank you for all the lengthy discussions and strong memories. It’s been a long and eventful ride!

148 Comments to “A brief unofficial history about register_globals in PHP”

  1. Hilton 4 July 2014 at 05:17 #

    I knew at this stage that I should eat, shower, dress and be prepared for an emergency trip on the Vet if her condition failed to improve, or heaven forbid, become worse. Business meeting space: Conference rooms and offices can be rented at short notice on hourly, daily or weekly basis for meetings. However, the depression also became have a very beneficial affect on the company Mrs.

  2. Augusta 5 July 2014 at 03:21 #

    Remarkable things here. I am very happy to see your post. Thank you a lot and I’m having a look forward to touch you. Will you please drop me a e-mail?

  3. buy instagram followers 6 July 2014 at 02:19 #

    Hurrah, that’s what I was searching for, what a information! existing here at this weblog, thanks admin of
    this website.

  4. Connor 6 July 2014 at 10:18 #

    Wonderful article! That is the type of info that are meant to be shared around the internet. Disgrace on Google for not positioning this post upper! Come on over and discuss with my web site . Thanks =)

  5. Imogene 7 July 2014 at 16:06 #

    Hi, I do believe your website could possibly be having web browser compatibility problems. Whenever I take a look at your site in Safari, it looks fine but when opening in Internet Explorer, it’s got some overlapping issues. I just wanted to give you a quick heads up! Besides that, fantastic site!
    gbxrV customized writing companies sNrRS

  6. Everett 7 July 2014 at 16:14 #

    If some one wishes to be updated with most recent technologies afterward he must be visit this website and be up to date everyday.
    QuvIN services getting flustered tVSZI

  7. Refugio 7 July 2014 at 19:02 #

    I enjoy what you guys tend to be up too. This type of clever work and coverage! Keep up the terrific works guys I’ve you guys to my own blogroll.
    Zqtlw write document MyMae

  8. John 7 July 2014 at 21:50 #

    This site was… how do you say it? Relevant!! Finally I’ve found something that helped me. Kudos!
    nwDZA essay writing consultancy UvbZx

  9. Wally 7 July 2014 at 23:56 #

    My brother recommended I may like this blog. He was entirely right. This submit actually made my day. You can not imagine just how so much time I had spent for this information! Thank you!
    drewa attractive essay ZsyLH

  10. Daniella 8 July 2014 at 19:30 #

    Everything is very open with a really clear description of the challenges. It was definitely informative. Your site is useful. Thank you for sharing!

  11. 2013.07.16 9 July 2014 at 07:44 #

    My coder is trying to convince me to move to .net from PHP. I have always disliked the idea because of the expenses. But he’s tryiong none the less. I’ve been using Movable-type on various websites for about a year and am anxious about switching to another platform. I have heard excellent things about blogengine.net. Is there a way I can transfer all my wordpress content into it? Any kind of help would be really appreciated!
    no fax fast cash pay day loan paperless payday loans

  12. Katherine 9 July 2014 at 21:58 #

    Right away I am ready to do my breakfast, afterward having my breakfast coming again to read more news.
    online cash advance cash loan door to door loans

  13. Emilia 10 July 2014 at 00:10 #

    Good day I am so grateful I found your webpage, I really found you by error, while I was searching on Digg for something else, Regardless I am here now and would just like to say thank you for a remarkable post and a all round entertaining blog (I also love the theme/design), I don’t have time to read it all at the minute but I have book-marked it and also included your RSS feeds, so when I have time I will be back to read a lot more, Please do keep up the superb work.

  14. best digital camera 2014 10 July 2014 at 00:20 #

    Its like you read my mind! You appear to know a lot about this, like you wrote the book in it
    or something. I think that you can do with some pics to drive
    the message home a bit, but other than that, this is
    wonderful blog. An excellent read. I’ll definitely be back.

  15. Nicki 10 July 2014 at 21:56 #

    I think the admin of this web site is actually working hard in support of his web page, as here every information is quality based data.
    500 cash loans instant loans no credit check no fax fast cash

  16. Janette 11 July 2014 at 03:49 #

    It even provides you an ideal opportunity to enjoy all of your preferred channels like, ESPN, Discovery, CNN, Cartoon Network etc in high definition mode. Services include fully integrated systems solutions, closed circuit television, access control systems, intrusion alarm systems, fire detection systems and UL monitoring station. It all depends on the quality of the video footage you want and how smooth a motion you desire.

  17. Catherine 11 July 2014 at 16:12 #

    Hey there would you mind stating which blog platform you’re working with? I’m going to start my own blog in the near future but I’m having a difficult time selecting between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your design and style seems different then most blogs and I’m looking for something unique. P.S My apologies for getting off-topic but I had to ask!
    pay day one instant loans no credit check payday loans online without fax

  18. Marylin 11 July 2014 at 16:17 #

    Pretty great post. I just stumbled upon your weblog and wished to mention that I’ve truly enjoyed browsing your blog posts. After all I will be subscribing for your feed and I am hoping you write once more soon!
    paperless payday loans credit cards unsecured personal loans

  19. Enriqueta 12 July 2014 at 02:06 #

    I visited several web sites however the audio quality for audio songs current at this web site is really superb.
    pay day advance unsecured personal loans pounds till payday

  20. Rickey 12 July 2014 at 02:27 #

    Wow, wonderful blog layout! How long have you been blogging for? you made blogging look easy. The overall look of your web site is excellent, as well as the content!
    when to get payday loan cash advance companies loan sharks

  21. Jimmie 12 July 2014 at 19:04 #

    If you wish for to obtain much from this piece of writing then you have to apply such methods to your won weblog.

  22. Adrianne 13 July 2014 at 00:03 #

    The victims are contacted and told they must pay a ransom correctly to cease. maintains secure systems that drive back theft — internal or external. In pooled mining multiple clients contribute for the generation of an block, and after that split the block reward according towards the quantity of contributed processing power.

  23. Eleanor 13 July 2014 at 07:05 #

    The videos of the D3200 offers decent color reproduction, but the 1080p resolution and relatively large with particular frequency 25 Hz frame and rough. This package includes one Control unit that plugs into the wall and into the phone jack and one alarm that can be attached to a door or window as well as a motion detector that will sound loudly when an intruder crosses its path. At the same time, the security systems can also discover and monitor the internal theft, misbehavior and crime.

  24. Robert 13 July 2014 at 14:46 #

    With havin so much content and articles do you ever run into any problems of plagorism or copyright violation? My site has a lot of unique content I’ve either authored myself or outsourced but it appears a lot of it is popping it up all over the internet without my agreement. Do you know any ways to help prevent content from being stolen? I’d definitely appreciate it.

  25. spirulina tabletki 13 July 2014 at 16:45 #

    Advantages And Negatives Of Obtaining A Residence Swimming
    Pool and spirulina protein powder. Advantages And Negatives
    Of Obtaining A Residence Swimming Pool

  26. Peter 13 July 2014 at 20:03 #

    What’s up to every body, it’s my first visit of this webpage; this blog contains awesome and genuinely fine information in favor of readers.

  27. Everett 13 July 2014 at 22:57 #

    It is good to know that you can invest numerous retirement assets for your IRA account aside from the conventional assets. If it just won’t work in the new place, we are forced to sell it, trash it, or give it away. Armed with this information, my suggestion is to do what makes the most sense for you.

  28. Gayle 14 July 2014 at 05:47 #

    Have you ever considered about including a little bit more than just your articles? I mean, what you say is important and all. However think about if you added some great photos or video clips to give your posts more, “pop”! Your content is excellent but with images and clips, this website could undeniably be one of the best in its field. Awesome blog!

  29. Earle 14 July 2014 at 06:34 #

    If one seo company says that they can do it for a small monthly price, and another quotes you a very high price, you need to consider the track record of the seo company itself at providing good results (ask to see their client list and contact their clients) and you also need to consider the value of the keywords they are telling you they will try to get you rankings for. Even if your online business doesn’t rely on e – Commerce (an advertising based business, for example), security is still equally important. you’ll see several text-based web site templates on the online.

  30. maseczka ze spiruliny 14 July 2014 at 07:11 #

    3 Primary Factors You Should Find Strategies To Swim and spirulina books.
    3 Primary Factors You Should Find Strategies To Swim

  31. Abraham 14 July 2014 at 14:26 #

    There’s definately a lot to learn about this subject. I love all of the points you have made.

  32. Kelsey 14 July 2014 at 19:10 #

    My programmer is trying to persuade me to move to .net from PHP. I have always disliked the idea because of the costs. But he’s tryiong none the less. I’ve been using Movable-type on a variety of websites for about a year and am anxious about switching to another platform. I have heard great things about blogengine.net. Is there a way I can import all my wordpress content into it? Any kind of help would be really appreciated!

  33. Bryce 15 July 2014 at 03:06 #

    This paragraph offers clear idea in support of the new users of blogging, that in fact how to do blogging.

  34. Bonnie 18 July 2014 at 23:42 #

    It’s enormous that you are getting ideas from this piece of writing as well as from our argument made at this place.

  35. Grover 18 July 2014 at 23:53 #

    Excellent website. Plenty of useful info here. I’m sending it to a few pals ans additionally sharing in delicious. And of course, thank you to your effort!

  36. Collette 19 July 2014 at 00:04 #

    What a stuff of un-ambiguity and preserveness of valuable experience about unexpected feelings.

  37. Caitlyn 20 July 2014 at 00:12 #

    Excellent pieces. Keep writing such kind of information on your page. Im really impressed by your site.
    Hey there, You’ve performed an incredible job. I will definitely digg it and in my view recommend to my friends. I am confident they will be benefited from this web site.

  38. Romaine 20 July 2014 at 22:09 #

    Terrific post but I was wondering if you could write a litte more on this subject? I’d be very thankful if you could elaborate a little bit more. Thank you!

  39. Leonie 20 July 2014 at 23:30 #

    I would like to thank you for the efforts you’ve put in penning this website. I really hope to check out the same high-grade content from you later on as well. In fact, your creative writing abilities has inspired me to get my own, personal website now ;)

  40. Misty 21 July 2014 at 00:21 #

    Hello very nice blog!! Man .. Excellent .. Wonderful .. I will bookmark your site and take the feeds also? I’m glad to seek out so many helpful information right here within the put up, we want work out more techniques on this regard, thank you for sharing. . . . . .

  41. the coolest dude in the world 21 July 2014 at 21:41 #

    Great post. I wwas checkinmg constantly this weblo and I
    am impressed! Very helpful information particularly the ultimate part :) I take care
    of suh information a lot. I was seeking this partficular information for
    a very long time. Thank you and good luck.

  42. Kris 21 July 2014 at 21:45 #

    The Bosch SHE47C05UC Stainless Steel Dishwasher is a fire starts from a different model that suits your requirements which will be done with ease miele washer repairs of use. You can attain various advantages from these products are available. Check the timer with wires.

  43. Melinda 21 July 2014 at 22:16 #

    Greetings I am so grateful I found your site, I really found you by mistake, while I was browsing on Aol for something else, Anyhow I am here now and would just like to say many thanks for a marvelous post and a all round thrilling blog (I also love the theme/design), I don’t have time to look over it all at the minute but I have book-marked it and also included your RSS feeds, so when I have time I will be back to read a lot more, Please do keep up the superb b.

  44. Rosaura 22 July 2014 at 00:58 #

    Hello there! I know this is kinda off topic nevertheless I’d figured I’d ask. Would you be interested in exchanging links or maybe guest authoring a blog post or vice-versa? My site goes over a lot of the same topics as yours and I believe we could greatly benefit from each other. If you might be interested feel free to send me an e-mail. I look forward to hearing from you! Terrific blog by the way!

  45. Blake 22 July 2014 at 02:40 #

    Hello I am so delighted I found your blog, I really found you by accident, while I was looking on Bing for something else, Nonetheless I am here now and would just like to say cheers for a tremendous post and a all round thrilling blog (I also love the theme/design), I don’t have time to browse it all at the moment but I have saved it and also added in your RSS feeds, so when I have time I will be back to read a lot more, Please do keep up the superb work.

  46. Marcelo 22 July 2014 at 02:56 #

    Thanks for the auspicious writeup. It in truth was a amusement account it. Look complicated to more delivered agreeable from you! By the way, how can we be in contact?

  47. Douglas 22 July 2014 at 03:06 #

    It’s difficult to find well-informed people about this topic, however, you seem like you know what you’re talking about! Thanks

  48. Sommer 22 July 2014 at 06:33 #

    Hello there, just became alert to your blog through Google, and found that it is truly informative. I’m going to watch out for brussels. I’ll be grateful if you continue this in future. Numerous people will be benefited from your writing. Cheers!
    pounds till payday loans no direct deposit business loan

Leave a Reply