PHP superglobals as register globals workaround

My hosting company is upgrading those few remaining domains still running creaky old PHP 4 to PHP 5. That means me: I’ve been with them long enough that PHP 4 was the default when I set my websites up, and I never bothered to upgrade. It’s happening in about two weeks, but this week I decided to get ahead a bit — upgrade to PHP 5 myself and see what happens (read: see what breaks). My main concern was whether my ancient install of Movable Type would still run under PHP 5 (spoiler: yes), so I backed up my blogs and pulled the switch. Everything on the blog side still worked.

But it turns out that a number of my pages still used register globals, which are disabled in newer versions of PHP (or at least less ancient versions) for security reasons. The PHP Group: “When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn’t require variable initialization means writing insecure code is that much easier.”

Without register globals, my contact forms and the Trails section, among other things, stopped working properly. Fortunately, I was able to get them working again quickly without major code rewrites, which is good because I’m a lousy coder. (This site is what you get when a writer thinks he can design web pages.) The workaround is to use superglobals like $_GET["var"] and $_POST["var"] — essentially, if I want to do something like burstall_pass.php?photo=1, I have to add $photo = $_GET["photo"]; at the appropriate point in the page. Which is what I did, and it works fine.

This is, shall we say, not new, but I’ve never been on the bleeding edge of web design.