I'm not a PHP developer but I've seen in a couple of places that people seem to treat it like the plague or something. Why?
REGISTER_GLOBALS means that all variables passed through GET or POST are available as global variables in your script. Since accessing undeclared variables is not an error in PHP (it's a warning), it can lead to very nasty situations. Consider this, for example:
<?php
// $debug = true;
if ($debug) {
    echo "query: $query\n";
}
It is not a bad thing per se (well engineered code should not generate warnings, therefore should not access any variables that might be undeclared (and should not need REGISTER_GLOBALS for the same reason)), but PHP code is usually [very] low quality, leading to this kind of security hole.
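
The behaviour described in the answer above, as an added example that is not part of the original post: register_globals was removed in PHP 5.4, so `extract()` stands in for it here to show a request parameter filling a variable the script never initialised, next to a version that initialises its own state and reads input only by name. The function names, the query string and the sample requests are constructed for illustration.

```php
<?php
// Added illustration; function names, query and requests are constructed.

// Emulates register_globals: every request parameter becomes a variable
// in scope before the script's own code runs.
function page_with_register_globals(array $request): string
{
    extract($request);               // what register_globals did implicitly
    $query = 'SELECT id FROM items'; // the script's own assignment

    // $debug was never initialised by the script, as in the snippet above.
    // empty() is used so current PHP does not warn when it is undefined.
    $out = '';
    if (!empty($debug)) {
        $out .= "query: $query\n";
    }
    $page = isset($page) ? (int) $page : 1;
    return $out . "page $page\n";
}

// Hardened form: every variable has an explicit default, and request data
// is read by key from the request array and cast to the expected type.
function page_hardened(array $request, bool $debugFromConfig = false): string
{
    $debug = $debugFromConfig;       // server-side setting, not request data
    $query = 'SELECT id FROM items';
    $page  = isset($request['page']) ? (int) $request['page'] : 1;

    $out = '';
    if ($debug) {
        $out .= "query: $query\n";
    }
    return $out . "page $page\n";
}

// Constructed requests: the second carries a parameter the script
// never meant to accept.
$requests = [
    'expected'   => ['page' => '2'],
    'unexpected' => ['page' => '2', 'debug' => '1'],
];

foreach ($requests as $label => $req) {
    echo "[$label] register_globals: ", json_encode(page_with_register_globals($req)), "\n";
    echo "[$label] hardened:         ", json_encode(page_hardened($req)), "\n";
}
```

Only the register_globals variant changes its output when the extra parameter is present; the hardened variant returns the same page for both requests.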