You could leave the setting to ON in your php.ini, and impose OFF on a
per-directory (account, domain, etc) basis with a .htaccess file (or
vice-versa), assuming you have Apache.

This will mean all new clients will have the setting to OFF, and will do
things "the right way" from day 1.  It will also allow existing clients to
modify their setting to OFF (as I do on a shared server) to keep things a
little more secure.

You could also advise all existing clients of a planned changeover in 12
months, offer code advise (including a simple function at the top of each
script can push all $_GET['var'], POST, SESSION, etc vars into standard
$vars), and document the many security holes and benefits of upgrading over

In 12 months, you can changeover to OFF in the php.ini file.  At which time
coding practices, books, websites, applications and all the rest will be
much more inline than they are now.

Justin French

on 01/07/02 1:12 AM, PHPCoder ([EMAIL PROTECTED]) wrote:

> Hi
> Going through some literature, it seems like the use of registered
> globals can cause security issues. Now, the dilemma, all my previous PHP
> installations ( for the last year or so ) have come with register
> globals = on in the php.ini file by default, and users on my system has
> happily coded their websites using this function.
> Now , with  all the new versions of PHP, the registered globals are
> turned off in the ini and will basically cause all those previous sites
> not to function. Which means that I'm between a rock and a hard place,
> turn the register globals back on and carry on with the security risks,
> or keep it off and have all those people re-code their sites...
> Is there a more "gentle" solution out there? Am I just misunderstanding
> the issue?
> Any light on the matter will be appreciated.
> Thanks

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to