example is best ?

with the url www . domain.com?yak=good , passed to a server ..

with register_globals = off

echo $yak; // prints nothing , as $yak is undefined
echo $_GET['yak'] ; // prints 'good' as the super_global $_GET['yak'] is created.

with register_globals = on

echo $yak; // prints 'good' as any _GET vars are automatically registered
echo $_GET['yak'] ; // still prints 'good' as the super_global $_GET['yak'] is created.


The recommended PHP configuration is now with register_globals = off (recommended by PHP not my opinion on the matter) on any platform.

this also applies to _POST , _COOKIE , _SESSION , _SERVER & _FILES data . Also the super_global _REQUEST contains all of the _POST,_COOKIE & _GET data

Most shared hosts are reluctant to switch to register_globals=off as this would break many pre-installed scripts and annoy a lot of users who have not yet thought to ask the question that you did !

Thank you, my "final question" is could I still use $_GET['yak'] to get a variables value from some one elses form, the same way as using $yak; with register_globals on?

The conern is pulling information from other sites forms, etc...

... and I am asking because Im at a host provider that has it off.

not quite sure what you mean ... if you mean siteA has a form which gets posted to a script on your server then only the settings on your server are of any concern.

Basically unless your PHP version is really old (<4.1.0) then just use $_GET['yak'] or $_POST['yak'] as then you can't go wrong , they are available regardless of register_globals configuration.

If you are unsure whether an incoming request is going to be POST or GET , you can use
<?php echo $_REQUEST['yak'];?>
as that covers them both.

<edit>beat ya Mordred by about a second I reckon</edit>

The answer is "yes".

But I think your view of the process is not correct. You don't get variables from other site's forms, it's rather that other site's forms submit data to your script on your server. The process is initiated on the other site, and PHP is capable to reach the data that was explicitly sent to your script, be it GET, POST, cookies... whatever.

$_GET basically gives you nothing more but array acces to that what's in the query string (everything right from the question mark in an URL).

Has the process become clearer now?

I guess I can say that, I have known how to work with this issue, but still do not understand why they have it off... I must say, I am a bit "dense" but what is the reason for even having it off, I do not see the security risk...

Unf, I got it. Life is short...