PHP apps: Security's Low-Hanging Fruit
Kelly Martin, 2007-01-08

PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here's how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems on the web.

PHP apps: Security's Low-Hanging Fruit 2007-01-11
Anonymous (2 replies)
Re: PHP apps: Security's Low-Hanging Fruit 2007-11-03
Catalin Hulea
Unfortunately there are a lot of hosting services that turn that setting ON, again, because... let me give you this example: a web design company decides to start with PHP; in the beginning they don't know security and they produce 20 sites that are crap.

Later on, they learn not to make the same mistakes again and the following 50 sites avoid SOME security holes. But at the same time, they cannot turn register_globals OFF because the first 20 would crash and they are not smart enough to fix them... And the entire server must comply both with the first 20 crap sites and with the next 50.

Despite the fact that I think PHP is the most secure language for the web, this setting with register_globals was not a good idea... It was not supposed to exist even from the beginning.


Link to this comment: http://www.securityfocus.com/comments/columns/427/34770#34770
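A short PHP illustration of the register_globals problem the comment describes: why a site written against register_globals=On breaks when a host turns it off, and the portable style that works either way. This is an added example, not code from the column or from the commenter; the function names and the sample request values are constructed.

```php
<?php
// Added example, not code from the column or from the commenter. It shows why a
// site written against register_globals=On breaks when the setting is turned
// off, and the portable style that works either way.

// Legacy style (relies on register_globals): a request such as ?page=about
// silently creates a global $page. With register_globals=Off, $page is
// undefined and the page breaks; with it On, any uninitialized global,
// including ones meant to hold authorization state, can be set by the client.
//
//     $title = ucfirst($page);         // breaks with register_globals=Off
//     if ($is_admin) { show_admin(); } // client-controlled with it On

// Portable style: initialize every variable, read input explicitly from the
// request array, and keep authorization in server-side session state only.
function portable_page_name(array $get)
{
    $page = 'home';                                   // safe default
    if (isset($get['page']) && preg_match('/^[a-z0-9_-]{1,32}$/', $get['page'])) {
        $page = $get['page'];                         // validated, not trusted
    }
    return $page;
}

function portable_is_admin(array $session)
{
    // Only the server writes $_SESSION, so nothing here depends on
    // register_globals or on what the client sent.
    return isset($session['is_admin']) && $session['is_admin'] === true;
}

// Deployment check: refuse to run under register_globals=On rather than hope
// the hosting provider has it off (register_globals is the real ini directive;
// it is gone entirely from PHP 5.4 onward, where ini_get returns false).
if (ini_get('register_globals')) {
    trigger_error('register_globals is enabled; refusing to run', E_USER_ERROR);
}

// Constructed sample input standing in for $_GET and $_SESSION.
$get     = array('page' => 'about', 'is_admin' => '1');
$session = array();

echo portable_page_name($get), "\n";
echo portable_is_admin($session) ? "admin\n" : "not admin\n";
```

The point of the portable version is that the same file behaves identically whether the host has register_globals on or off, which is exactly the constraint the commenter's mixed server imposes.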
PHP apps: Security's Low-Hanging Fruit 2007-01-12
Kevin Waterson
Don't blame PHP, it's the newbies 2007-11-03
Catalin Hulea
Copyright 2008, SecurityFocus