Note that globals (global variables) is a completely different thing from register_globals. Anyone who is spending enough time to secure their PHP scripts will likely spend a few seconds to avoid the need for register_globals.
Originally Posted by twhiting9275
If you're not familiar with global variables from a programming standpoint, here's a link to the Wikipedia article on it:
In PHP, register_globals allows any parameter passed to the script to be assigned to a global variable (including overwriting the values of existing global variables, hence the danger of this setting). Let's say you have this PHP script named exploit_me.php:
// Warning: never code like this in a register_globals environment
$include_file = "myinclude.inc";
// Note the lack of anything polling GET or POST variables explicitly.
Now let's say you call this URL:
My XSS script would then run on your server since you have register_globals enabled and I'm overwriting the include_file global variable with my own data.
While this is an obvious example, don't expect this to be as obvious in many scripts. How do people know what variables you are using? Well, most scripts people use are open source, so you can just look at the source.
I hope this clears some misconceptions of register_globals vs. PHP global variables.
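An added example (not part of the original post) of the same include written so that request data can never become a script variable or a path: the parameter is read explicitly from the query array and only selects a key in a fixed allowlist. It assumes PHP 7 or later; `ALLOWED_INCLUDES`, `resolve_include`, the `page` parameter and `contact.inc` are hypothetical names.

```php
<?php
// Added example; ALLOWED_INCLUDES, resolve_include and 'page' are hypothetical names.

// Fixed allowlist: request data only ever selects a key, never a path.
const ALLOWED_INCLUDES = [
    'home'    => 'myinclude.inc',
    'contact' => 'contact.inc',
];

/**
 * Map an untrusted query array to a file from the allowlist.
 * A missing, unknown, or non-string value falls back to the default key.
 */
function resolve_include(array $query, string $default = 'home'): string
{
    $key = $query['page'] ?? $default;
    if (!is_string($key) || !array_key_exists($key, ALLOWED_INCLUDES)) {
        $key = $default;
    }
    return __DIR__ . '/' . ALLOWED_INCLUDES[$key];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, so the behaviour can be seen from the command line.
    $samples = [
        [],                                      // no parameter: default
        ['page' => 'contact'],                   // allowlisted key
        ['page' => 'other.inc'],                 // a file name, not a key: default
        ['page' => 'http://example.invalid/x'],  // URL-like value: default
        ['page' => ['contact']],                 // array instead of string: default
        ['include_file' => 'other.inc'],         // the script's own variable name: ignored
    ];
    foreach ($samples as $query) {
        echo json_encode($query), ' => ', basename(resolve_include($query)), PHP_EOL;
    }
} else {
    // Web request: only $_GET is consulted, and only as an allowlist key.
    include resolve_include($_GET);
}
```

Run from the command line, every sample except `['page' => 'contact']` resolves to `myinclude.inc`.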