The register_globalsdirective:

该register_globals指令：

register_globalsis an internal PHP setting which registers the $_REQUESTarray's elements as variables. If you submit a value in a form, via POSTor GET, the value of that input will automatically be accessible via variable in the PHP script, named after the name of the input field.

register_globals是一个内部 PHP 设置，它将$_REQUEST数组的元素注册为变量。如果您通过POST或提交表单中GET的值，则该输入的值将自动通过 PHP 脚本中的变量访问，以输入字段的名称命名。

In other words, if you submitted a form containing a usernametext field, the expression ($username === $_POST['username'])at the very beginning of the script would return true.

换句话说，如果您提交了一个包含username文本字段的表单，($username === $_POST['username'])脚本开头的表达式将返回true.

Its notoriety is attributed to the fact that it opens lots of security holes, especially for people that follow anything less than a strict coding style from a security perspective.

它的恶名归因于它打开了许多安全漏洞，特别是对于从安全角度来看不遵循严格编码风格的人。

Classic example:

经典例子：

if(user_is_admin($user))
{
    $authorized = true;
}

if($authorized)
{
    // let them do anything they want
}

Now, if you visited that script in a web browser and the server had register_globalson, you could simply append ?authorized=1to the URL and god-mode would be enabled!

现在，如果您在 Web 浏览器中访问该脚本并且服务器已register_globals打开，您只需附加?authorized=1到 URL即可启用上帝模式！

The globalkeyword:

该global关键字：

globalis a keyword has little to do with register_globals.

globalis 关键字与 register_globals 关系不大。

Here is an example of its use:

以下是它的使用示例：

$foo = 'bar';

baz();

function baz()
{
    echo $foo; // PHP warns you about trying to use an uninitialized variable
               // and nothing is output (because $foo doesn't exist here)
}

buzz();

function buzz()
{
    global $foo; // Enables the use of $foo in this scope

    echo $foo; // Prints 'bar' to screen
}

Everyone mentioning GET, POST, REQUEST, COOKIEhas effect on register_globals=on.

每个人都提GET，POST，REQUEST，COOKIE有效果register_globals=on。

I'm just writing this to let you know that -

我写这个只是想让你知道——

$_SESSIONwill be affected aswell because of register_globals=on.http://php.net/manual/en/security.globals.php

$_SESSION也会受到影响register_globals=on。http://php.net/manual/en/security.globals.php

That means - if you do as following -

这意味着 - 如果你按照以下方式做 -

$_SESSION[x] = 123;
$x = 'asd';
echo $_SESSION[x];

The output will be asd.

输出将为asd.

And this will cause serious security issues and bugs. I have experienced such a bad thing recently during using Hostgator shared hosting. By Default they have register_globals=on.

这将导致严重的安全问题和错误。我最近在使用 Hostgator 共享托管时遇到了这样的坏事。默认情况下，他们有register_globals=on.

When you have register_globals=on, anything passed via GET or POST or COOKIE automatically appears to be global variable in code, this might have security consequences.

当 register_globals=on 时，通过 GET 或 POST 或 COOKIE 传递的任何内容自动在代码中显示为全局变量，这可能会产生安全后果。

I.e. you click on url test.php?access_level=100 and you'll have $access_level = 100 in PHP.

即，您单击 url test.php?access_level=100，您将在 PHP 中获得 $access_level = 100。

When you do global $somevar - you are making your own global variable, which usually is not a big issue.

当您执行 global $somevar 时 - 您正在创建自己的全局变量，这通常不是什么大问题。

The register_globals setting controls how you access form, server, and environment. variables.

register_globals 设置控制您访问表单、服务器和环境的方式。变量。

register_globals=On :

register_globals=开：

You can access form attribute without Global Arrays ( GET[], POST[] & REQUEST[] )

您可以在没有全局数组的情况下访问表单属性（ GET[], POST[] & REQUEST[] ）

example:http://www.example.com/one.php?myinput=abc

示例：http : //www.example.com/one.php?myinput=abc

You can access directly in one.php

可以直接在one.php中访问

echo $myinput; // abc

register_globals=Off :

register_globals=关：

You have to access all attributes only by Global Arrays.

您只能通过全局数组访问所有属性。

example:http://www.example.com/one.php?myinput=abc

示例：http : //www.example.com/one.php?myinput=abc

You have to access in one.php

你必须在 one.php 中访问

echo $_GET['myinput']; //abc

As I understand it, if you have register globals turned ON, then anything passed in a GET or POST gets automatically translated into a variable in PHP.

据我了解，如果您打开了注册全局变量，那么在 GET 或 POST 中传递的任何内容都会自动转换为 PHP 中的变量。

for example:

例如：

http://www.domain.com/vars.php?myvar=123

without any further coding this would automatically get turned into a variable available to the rest of your php code

没有任何进一步的编码，这将自动变成一个变量，可用于您的 php 代码的其余部分

$myvar  //with a value of 123

With registered globals OFF, data passed in via GET or POST is NOT automatically translated into a variable, rather, you need to request it using the Superglobals $_GET, $_POST, and $_REQUEST, etc.

在注册全局变量关闭的情况下，通过 GET 或 POST 传入的数据不会自动转换为变量，相反，您需要使用超级全局变量 $_GET、$_POST 和 $_REQUEST 等来请求它。

http://php.net/manual/en/security.globals.phpprovides some further information as to the security implications of this.

http://php.net/manual/en/security.globals.php提供了一些关于此安全含义的进一步信息。

Others can feel free to correct me if I'm wrong.

如果我错了，其他人可以随时纠正我。

edit:

编辑：

in relation to your question re global $user_id;, this does not create a 'global' in the sense of 'register_globals'. It simply alters the scope of a variable within the PHP code.

关于您的问题 re global $user_id;，这不会创建“register_globals”意义上的“全局”。它只是改变了 PHP 代码中变量的范围。

For information re scope, see: http://php.net/manual/en/language.variables.scope.php

有关范围的信息，请参阅：http: //php.net/manual/en/language.variables.scope.php

Register Globals :

注册全局变量：

register_globals The feature causes data passed to a PHP script via cookies or GET and POST requests to be made available as global variables in the script.

register_globals 该功能使通过 cookie 或 GET 和 POST 请求传递给 PHP 脚本的数据可用作脚本中的全局变量。

Default Value : "0"

默认值：“0”

Changeable : PHP_INI_PERDIR

可变：PHP_INI_PERDIR

register_globals is affected by the variables_order directive.

register_globals 受 variables_order 指令的影响。

NOTE:

笔记：

This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

此功能自 PHP 5.3.0 起已弃用，自 PHP 5.4.0 起已移除。

Global variables in php are variables that are always accessible. They are also known as superglobals. They are built in variables that are always available regardless of the scope.

php 中的全局变量是始终可以访问的变量。他们也被称为超全局变量。它们内置于变量中，无论作用域如何，始终可用。

There are nine superglobal variables in PHP. Some of these are relevant to this discussion.

PHP 中有九个超全局变量。其中一些与本次讨论有关。

1. $_REQUEST
2. $_POST
3. $_GET
4. $_COOKIE

1. $_REQUEST
2. $_POST
3. $_GET
4. $_COOKIE

Now, let's focus on the $_REQUESTsuperglobal. It is used to collect data after submitting an HTML form by user using the POSTmethod.

现在，让我们关注$_REQUEST超全球。它用于在用户使用该POST方法提交 HTML 表单后收集数据。

$_POSTand $_REQUESTcould be used loosely interchangeably. But $_REQUESTalso contains $_GETand $_COOKIEalong with $_POSTso you are never sure if your data came from a web form.

$_POST并且$_REQUEST可以松散地互换使用。但$_REQUEST也包含$_GET和$_COOKIE伴随，$_POST因此您永远无法确定您的数据是否来自网络表单。

Now, as pointed out by @Tim register_globalsis an internal PHP setting which registers the $_REQUESTarray's elements as variables. It is also known as a flagin your php setting. It is typically set in the PHP configuration file known as php.inifile. This setting can have two values.

现在，正如@Tim 所指出的，register_globals是一个内部 PHP 设置，它将$_REQUEST数组的元素注册为变量。它flag在您的 php 设置中也称为 a 。它通常在称为 file.php 的 PHP 配置文件中设置php.ini。此设置可以有两个值。

1. “on”
2. “off”.

1. “在”
2. “离开”。

An “on” value means that PHP will automatically create global variables for many server variables as well as query string parameters. This is not good and is a security risk.

“on”值意味着 PHP 将自动为许多服务器变量以及查询字符串参数创建全局变量。这不好，并且存在安全风险。