Disabling register_globals for PHP

For security reasons, it is recommended to disable the register_globals PHP flag in your PHP environment. Many PHP applications such as Joomla, Drupal, and phpBB check for this during installation and make the same recommendation.

However, because PHP setups and webhost server settings vary, and because there are multiple ways of disabling this flag, turning it off can require a bit of trial and error and patience. The effort is worth it, and hopefully this article can provide some resources that show you the various ways you can try to disable this flag.

What is register_globals and why is it a security risk?

register_globals is a setting (sometimes known as a flag) in your PHP environment. It is typically set in the PHP configuration file, php.ini. This setting can have a value of "on" or "off". An "on" value means that PHP will automatically create global variables for many server variables as well as query string parameters. This is a security risk: a query string parameter can supply a value for any variable that the script does not initialize itself.

A better setting is "off", so that if PHP code requires specific server variables or query string parameters, the developer needs to explicitly write lines of code to get that information, as opposed to it being automatically available as in the former case.

More information can be found on Wikibooks.org and in the PHP Manual.
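The following PHP sketch is an added example, not code from the original article: it puts the "on" behaviour next to the explicit style that "off" forces. Because register_globals was removed in PHP 5.4, the "on" case is imitated with extract(); the function names and the sample request and session arrays are constructed for illustration.

```php
<?php
// Added example (not from the original article).
// Constructed sample input: a request carrying the parameter "authorized"
// and a session in which nobody is logged in.
$request = ['authorized' => '1', 'page' => 'settings'];
$session = [];

// BEFORE: what a script sees with register_globals = on.
// extract() stands in for the automatic creation of variables
// from query string parameters (assumption: emulation only).
function page_with_register_globals(array $request, array $session): string
{
    extract($request);
    if (!empty($session['user'])) {
        $authorized = true;
    }
    // $authorized was never given an initial value by the script,
    // so the value that arrived with the request is still in it.
    return !empty($authorized) ? 'admin page' : 'denied';
}

// AFTER: register_globals = off. Every variable gets an explicit
// initial value and request data is read by name from the array.
function page_without_register_globals(array $request, array $session): string
{
    $authorized = false;
    if (!empty($session['user'])) {
        $authorized = true;
    }
    $page = isset($request['page']) ? (string) $request['page'] : 'home';
    return $authorized ? "admin page: $page" : 'denied';
}

echo page_with_register_globals($request, $session), "\n";
echo page_without_register_globals($request, $session), "\n";
```

Initializing every variable before use, as the second function does, keeps a script safe even on a host where the flag cannot be turned off.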

How do I know my register_globals setting?

You can put up a temporary PHP page with the phpinfo() function call to display your PHP settings. But make sure to immediately remove that page after viewing.

Setting register_globals in php.ini

A web server running PHP will have a master php.ini file. Some webhosts will not allow you to change this file, but you may be able to create a custom php.ini file that overrides the settings of the master php.ini.

You do this by creating a php.ini in your webroot directory or in your PHP application directory. Some webhosts may require this custom php.ini file to be copied to all sub-directories [reference].

In this custom php.ini file, put in the one line of code ...

register_globals = off

To learn more about php.ini, see ...
Using a php.ini file
PHP Manual

Changing register_globals using .htaccess

If you do not want to or cannot change your php.ini, you may sometimes be able to adjust the register_globals setting via the .htaccess file, as described below:

This support thread shows the use of ...

php_flag register_globals 0

Another thread shows the use of ...

php_flag register_globals off

But this may or may not work and sometimes you get a 500 server error as explained in this thread.

Changing register_globals for certain webhosts

Different webhosts may have different methods that work.

Changing register_globals for GoDaddy
Changing register_globals for Dreamhost
See item 7 of BlueHost support about tweaking php.ini

Changing register_globals for certain applications

Here are some ways to try to adjust the register_globals setting for phpBB, Joomla, and Drupal.