A brief unofficial history about register_globals in PHP

It’s been a long road and exactly five years (35 releases) since the much discussed and highly controversial PHP directive register_globals was disabled by default in PHP. After sifting through the mailing list archives, the following set of information has been compiled. Feel free to make additions, corrections, and report register_globals memories!

First, a few tidbits

  • As of today, April 22, 2007, register_globals has been disabled (by default) for five years. That’s when PHP 4.2.0 was released.
  • PHP 3 did not have register_globals because it was simply how PHP behaved. However, some people used $HTTP_*_VARS if track_vars was on (it was on by default, and always on since PHP 4.0.3).
  • You cannot set register_globals at runtime, and there have been at least 100 [deleted] user comments within the manual showing hacks for doing so. This FAQ shows how. Don’t do it though.
  • The order in which variables are registered via register_globals is determined by variables_order, a directive that also affects which variables (including superglobals) will exist in PHP. Don’t let the name fool you, this is one powerful PHP directive! In PHP 3, gpc_order was used instead.
  • Most “Why PHP is insecure” articles show how to write insecure code with register_globals = on, and eventually register_globals (not poor programming) is blamed as the culprit. It rarely is.
  • Strangely, the 4.2.0 release announcement does not contain the string “register_globals”, but of course it refers to it, and the change is highlighted in the ChangeLog.
  • There’s plenty of code within cvsold.php.net that requires register_globals = on, but that’s okay because it’s not a big concern. It is, however, slowly being updated.
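The variables_order precedence and the uninitialised-variable pattern those “insecure PHP” articles rely on, as an added example that is not part of the original post. It emulates the directive with extract() so it runs on a PHP build that no longer has register_globals; the function names and request data are assumptions made up for illustration.

```php
<?php
// Added example. The request data is constructed sample input and every
// function name here is hypothetical.

// Build the variable table register_globals would create: sources are
// imported in variables_order order, so a later letter overwrites an earlier one.
function emulate_register_globals(string $order, array $sources): array
{
    $vars = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $vars[$name] = $value;
        }
    }
    return $vars;
}

// The pattern the articles show: $authorized is only ever set on success.
function uninitialised_check(array $globals, bool $loginOk): bool
{
    extract($globals, EXTR_SKIP);   // stand-in for register_globals = on
    if ($loginOk) {
        $authorized = true;
    }
    return !empty($authorized);     // a request-supplied value is still here
}

// Same code with the variable initialised before use.
function initialised_check(array $globals, bool $loginOk): bool
{
    extract($globals, EXTR_SKIP);
    $authorized = false;            // request data can no longer decide this
    if ($loginOk) {
        $authorized = true;
    }
    return $authorized;
}

$sources = [
    'G' => ['authorized' => '1', 'page' => 'from_get'],
    'P' => ['page' => 'from_post'],
    'C' => ['page' => 'from_cookie'],
];
$globals = emulate_register_globals('GPC', $sources);

var_dump($globals['page']);                      // which source won under GPC
var_dump(uninitialised_check($globals, false));  // failed login, flag from the query string
var_dump(initialised_check($globals, false));    // failed login, flag initialised
```

With register_globals = off the same script reads $_GET['page'] or $_COOKIE['page'] explicitly, so the source of each value is never ambiguous.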

A somewhat brief timeline

  • Jan 01, 2000: It was briefly named gpc_globals, but renamed in PHP 4 Beta 4
  • Apr 07, 2000: Zeev creates php.ini-recommended, it contains “register_globals = off” (Originally named php.ini-optimized)
  • May 22, 2000: PHP 4.0.0 is released, and register_globals is born.
  • Aug 23, 2000: It was first documented by James Moore.
  • Sep 05, 2000: Memorable quote: “… he who doesn’t do anything, doesn’t go wrong.” ~ Zeev Suraski
  • Sep 10, 2000: Zeev asked for register_globals and $HTTP_*_VARS to be well documented (Lars Torben Wilson does so immediately).
  • Oct 11, 2000: PHP 4.0.3 is released, and the track_vars directive is removed so the $HTTP_*_VARS variables are now always defined. Also, the old school magical use of <? php_track_vars ?> is removed.
  • Oct 20, 2000: The last version of PHP 3 is released (3.0.18).
  • Jul 03, 2001: The paper “A Study In Scarlet” is written and passed around. This rapidly fueled anti-register_globals sentiment.
  • Jul 07, 2001: After some discussion, Rasmus debunked it and explained why register_globals is not insecure. Thoughts of a filter mechanism start brewing.
  • Jul 29, 2001: Rasmus submits a proposal for adding the super globals, and for a function that eventually becomes import_request_variables(). Also, this records the first use of the string “super-globals”
  • Aug 03, 2001: A bug report asks about setting register_globals via ini_set() and the topic is documented a day later. You can’t, but people keep trying. Well you can, but it won’t be very useful.
  • Aug 08, 2001: The register_globals = off change almost happened in PHP (4.0.7|4.1.0) but additional time was allowed to pass.
  • Aug 11, 2001: A note is added to php.ini-dist referring to the security section in the manual, a section that advises register_globals = off
  • Dec 05, 2001: Derick records the first use of the string “superglobals”
  • Dec 10, 2001: PHP 4.1.0 is released thus giving birth to our superglobals. A warning about register_globals = on is provided, and register_globals is officially deprecated. The name autoglobals was also used for a while.
  • Mar 06, 2002: Carl is born, and it’s generally hoped that he’ll live in a world free from register_globals and magical quotes.
  • Apr 22, 2002: PHP 4.2.0 is released, PHP now defaults to register_globals = off!
  • Apr 22, 2002: From this date forward, questions such as why $PHP_SELF is empty, where $foo is, and the like are asked around the world. Many types of answers result, but eventually users start understanding what happened and stop reading old outdated tutorials and books. Painful, but in the end worth it. For it has been written, without pain there can be no gain.
  • Jul 13, 2004: PHP 5.0.0 is released. It went from Beta 1 (Jun-29-2003) through Betas 2, 3 and 4, then RC 1 (Mar-18-2004) through RCs 2 and 3, to an eventual release. Also, the register_long_arrays directive is created, which deprecates the $HTTP_*_VARS.
  • Aug 12, 2005: A post titled PHP 6.0 Wishlist is submitted, and Rasmus wished for the removal of register_globals. As it turned out, everyone was hoping and thinking about the same wish. The thread is long.
  • Mar 07, 2006: Pierre removes register_globals from CVS HEAD (PHP 6).
  • Apr 22, 2007: The fifth year anniversary of register_globals being off by default, where has all the time gone?!
  • Apr 22, 2007: Search engine results for register_globals (Google 2,830,000, Yahoo! 1,740,000), and for superglobals (Google 75,400, Yahoo! 71,600).
  • Unknown 2008: PHP 6 is released, and register_globals no longer exists. RIP!

Happy 5th Anniversary “register_globals = off” … thank you for all the lengthy discussions and strong memories. It’s been a long and eventful ride!
