It’s been a long road and exactly five years (35 releases) since the much discussed and highly controversial PHP directive register_globals was disabled by default in PHP. After sifting through the mailing list archives, the following set of information has been compiled. Feel free to make additions, corrections, and report register_globals memories!
First, a few tidbits
- As of today, April 22, 2007, register_globals has been disabled (by default) for five years. That’s when PHP 4.2.0 was released.
- PHP 3 did not have register_globals because it was simply how PHP behaved. However, some people used $HTTP_*_VARS if track_vars was on (it was on by default, and always on since PHP 4.0.3).
- You cannot set register_globals at runtime, and there have been at least 100 [deleted] user comments within the manual showing hacks for doing so. This FAQ shows how. Don’t do it though.
- The order variables are registered via register_globals is determined by variables_order, a directive that also affects which variables (including superglobals) will exist in PHP. Don’t let the name fool you, this is one powerful PHP directive! In PHP 3, gpc_order was used instead.
- Most “Why PHP is insecure” articles show how to write insecure code with register_globals = on, and eventually register_globals (not poor programming) is blamed as the culprit. It rarely is.
- Strangely, the 4.2.0 release announcement does not contain the string “register_globals”, but of course it refers to it, and the change is highlighted in the ChangeLog.
- There’s plenty of code within cvsold.php.net that requires register_globals = on, but that’s okay because it’s not a big concern. It is, however, slowly being updated.
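The tidbits above describe what register_globals does (copying request variables into the global scope in variables_order sequence) and the kind of code that gets blamed on it. The following PHP script is an added example, not code from the original post: it emulates the directive on a constructed request, shows the classic uninitialised gate variable that register_globals exposes, and the hardened form beside it. The credential value and the emulation helper are hypothetical.

```php
<?php
// Added example. Emulates register_globals = on for a constructed request
// and contrasts the classic uninitialised-variable bug with the fix.

// Constructed request: the client sent only ?authorized=1, no credentials.
$_GET    = ['authorized' => '1'];
$_POST   = [];
$_COOKIE = [];

// Hypothetical helper emulating register_globals: walk variables_order
// (default "EGPCS"); a source later in the string overwrites earlier ones,
// which is why that directive decides who wins on a name clash.
function emulate_register_globals(string $variables_order): array
{
    $sources = ['E' => $_ENV, 'G' => $_GET, 'P' => $_POST,
                'C' => $_COOKIE, 'S' => $_SERVER];
    $globals = [];
    foreach (str_split($variables_order) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $globals[$name] = $value;   // last source wins
        }
    }
    return $globals;
}

// Pull the registered names into the global scope, as the directive would.
extract(emulate_register_globals('GPC'));   // $authorized is now '1'

// Vulnerable pattern: the gate variable is only ever set, never initialised,
// so the request has already decided its value before this code runs.
if (isset($_POST['user'], $_POST['pass']) && $_POST['user'] === 'admin') {
    $authorized = true;
}
if (!empty($authorized)) {
    echo "vulnerable check: access granted without any credentials\n";
}

// Hardened form: initialise every decision variable and read input only
// through the superglobals, so request data cannot pre-seed the result.
$authorized_safe = false;
$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';
if ($user === 'admin' && hash_equals('hypothetical-secret', $pass)) {
    $authorized_safe = true;
}
echo 'hardened check: ', $authorized_safe ? 'granted' : 'denied', "\n";
```

The hardened branch is safe regardless of the register_globals setting, which is the point the “Why PHP is insecure” articles tend to miss.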
A somewhat brief timeline
- Jan 01, 2000: It was briefly named gpc_globals, but renamed in PHP 4 Beta 4.
- Apr 07, 2000: Zeev creates php.ini-recommended, which contains “register_globals = off” (originally named php.ini-optimized).
- May 22, 2000: PHP 4.0.0 is released, and register_globals is born.
- Aug 23, 2000: It was first documented by James Moore.
- Sep 05, 2000: Memorable quote: “… he who doesn’t do anything, doesn’t go wrong.” ~~ Zeev Suraski
- Sep 10, 2000: Zeev asked for register_globals and $HTTP_*_VARS to be well documented (Lars Torben Wilson does so immediately).
- Oct 11, 2000: PHP 4.0.3 is released, and the track_vars directive is removed so the $HTTP_*_VARS variables are now always defined. Also, the old school magical use of <? php_track_vars ?> is removed.
- Oct 20, 2000: The last version of PHP 3 is released (3.0.18).
- Jul 03, 2001: The paper “A Study In Scarlet” is written and passed around. This rapidly fueled anti-register_globals sentiment.
- Jul 07, 2001: After some discussion, Rasmus debunked it and explained why register_globals is not insecure. Thoughts of a filter mechanism start brewing.
- Jul 29, 2001: Rasmus submits a proposal for adding the superglobals, and for a function that eventually becomes import_request_variables(). This also records the first use of the string “super-globals”.
- Aug 03, 2001: A bug report asks about setting register_globals via ini_set() and the topic is documented a day later. You can’t, but people keep trying. Well you can, but it won’t be very useful.
- Aug 08, 2001: The register_globals = off change almost happened in PHP (4.0.7|4.1.0) but additional time was allowed to pass.
- Aug 11, 2001: A note is added to php.ini-dist referring to the security section in the manual, a section that advises register_globals = off.
- Dec 05, 2001: Derick records the first use of the string “superglobals”
- Dec 10, 2001: PHP 4.1.0 is released thus giving birth to our superglobals. A warning about register_globals = on is provided, and register_globals is officially deprecated. The name autoglobals was also used for a while.
- Mar 06, 2002: Carl is born, and it’s generally hoped that he’ll live in a world free from register_globals and magical quotes.
- Apr 22, 2002: PHP 4.2.0 is released, PHP now defaults to register_globals = off!
- Apr 22, 2002: From this date forward, questions such as why $PHP_SELF is empty, where $foo went, and the like are asked around the world. Many kinds of answers result, but eventually users start understanding what happened and stop reading old, outdated tutorials and books. Painful, but in the end worth it. For it has been written, without pain there can be no gain.
- Jul 13, 2004: PHP 5.0.0 is released, after Beta 1 (Jun-29-2003), Betas 2, 3 and 4, RC 1 (Mar-18-2004), RC 2 and RC 3. Also, the register_long_arrays directive is created, which deprecates the $HTTP_*_VARS.
- Aug 12, 2005: A post titled PHP 6.0 Wishlist is submitted, and Rasmus wished for the removal of register_globals. As it turned out, everyone was hoping and thinking about the same wish. The thread is long.
- Mar 07, 2006: Pierre removes register_globals from CVS HEAD (PHP 6).
- Apr 22, 2007: The fifth year anniversary of register_globals being off by default, where has all the time gone?!
- Apr 22, 2007: Search engine results for register_globals (G! 2,830,000, Y! 1,740,000), and for superglobals (G! 75,400, Y! 71,600).
- Unknown 2008: PHP 6 is released, and register_globals no longer exists. RIP!
Happy 5th Anniversary “register_globals = off” … thank you for all the lengthy discussions and strong memories. It’s been a long and eventful ride!