Understanding how PHP file worked (auto-decode of query string?)

Question

I am debugging a PHP file that I've never seen operational before (not my code), but supposedly worked.

Sample code snippet of myfile.php:

<html>
<body>
<p>
<?
    echo $Year;
?>
</p>
</body>
</html>

From the way things are wired, it looks like the code is setup to pull Year from the query string (HTTP GET): http://server.com/myfile.php?Year=2010

This supposedly worked before, but doesn't anymore.

Is there a PHP setting to control this? Was this a 'feature' that got disabled in PHP version? I have never seen GET variables used outside of $_GET

Answer 1

It looks like to previous server was set with register global on

http://www.php.net/manual/en/ini.core.php#ini.register-globals

http://php.net/manual/en/security.globals.php

Note: This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

Instead of altering the servers config to support a deprecated and unsafe feature, fix your code by accessing the $_GET global:

<?php 
$Year = isset($_GET['Year']) ? $_GET['Year'] : null;
?>

<html>
<body>
<p>
<?php
    echo htmlspecialchars($Year);
?>
</p>
</body>
</html>

Answer 2

The PHP directive register_globals would turn on/off a facility to decode the query string into global variables of the same name automatically. This was, in many people's opinions, a dreadful idea, since variables could appear with no obvious origin or value.

It once defaulted to on, but was changed to off in PHP 4.2. You could still enable it in PHP.INI. It's been deprecated as of PHP5.3, and removed in PHP 5.4.

If your code was working but is not now, look for a change in version (to PHP 5.4), or check what's in php.ini.

In any case, if you're looking at the code, now might be a good time to change to references to $_GET, and disable register_globals