Merits of register_globals

Anon

I'm intersted in opinions about having register_globals set to Off/0.

For me this becomes a huge hassle since you have to access everything via the $HTTP_POST/GET_VARS stuff.

The reasons given for having it off is to not polute the namespace. Collision isn't a problem due to my naming conventions. I don't know if there is more or less overhead either way.

Some have said it's more secure but I don't know enough to have a good opinion on that.

I like to be security conscious but this one is on the margins of being 'too inconvenient'.

(I tried to search the forums but the search just gives me an error)

polson

Another reason to use predefined variables such as HTTP_POST_VARS is that whether register_globals is on or off, the code will work regardless.

It's not any more secure to have register_globals off, that's a somewhat common misconception.

[deleted]

Personally I much prefer to keep vars from any source together in their own place. The HTTP*VARS are perfect for that.

If you use register globals you can access the vars outside the HTTP*VARS arrays, but that also means you loose the link between the var and it's origin.
Was this a POST/GET var? cookie var? session var?
So you move to naming conventions and you end up with variable names like $postvar_thisvar, which is well... irritating, especially if you want to use a postvar in a url, becuase then the postvar becomes a getvar, and changes names...

With the HTTPVARS you can also simply pass the entire array to functions, saving you lots of typing.
If you have a form and you want to send all the data from one page to another,
the HTTPVARS are great because you can simply serialize it, or loop through it and create hidden fields for all it's entries.