Question

Take this code:

<?php
if (isset($_POST['action']) && !empty($_POST['action'])) {
    $action = $_POST['action'];
}

if ($action) {
    echo $action;
}
else { 
    echo 'No variable';
}
?>

And then access the file with ?action=test. Is there any way of preventing $action from automatically being declared by the GET? Other than of course adding

&& !isset($_GET['action'])

Why would I want the variable to be declared for me?


Solution

Check your php.ini for the register_globals setting. It is probably on; you want it off.

Why would I want the variable to be declared for me?

You don't. It's a horrible security risk. It makes the Environment, GET, POST, Cookie and Server variables global (PHP manual). These are a handful of reserved variables in PHP.

OTHER TIPS

Looks like register_globals in your php.ini is the culprit. You should turn this off. It's also a huge security risk to have it on.

If you're on shared hosting and can't modify php.ini, you can use ini_set() to turn register_globals off.

Set register_globals to off, if I'm understanding your question. See http://us2.php.net/manual/en/language.variables.predefined.php

If you don't have access to the php.ini, an ini_set('register_globals', false) in the PHP script won't work (variables are already declared). An .htaccess with:

php_flag register_globals Off

can sometimes help.

You can test whether all variables are declared properly by turning the PHP log-level in php.ini to

error_reporting  =  E_ALL 

Your code snippet now should generate a NOTICE.

At some point in PHP's history they made the controversial decision to turn off register_globals by default as it was a huge security hazard. It gives anyone the potential to inject variables in your code, creating unthinkable consequences! This "feature" is even removed in php6.

If you notice that it's on, contact your administrator to turn it off.
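The behaviour discussed in the question and answers, as an added example that is not part of the original posts: it emulates register_globals = On with extract() so the question's logic can be compared with a version that initialises $action before use. The function names handle_vulnerable and handle_hardened, the extract() emulation and the sample request are assumptions made for illustration.

```php
<?php
// Added example (not from the original page). Emulates register_globals = On
// with extract(), so the effect can be reproduced on any PHP CLI.

// Hypothetical helper: the question's logic, with request arrays passed in.
function handle_vulnerable(array $get, array $post, bool $registerGlobals): string
{
    if ($registerGlobals) {
        extract($get);   // emulation only: ?action=test becomes $action
        extract($post);
    }
    if (isset($post['action']) && !empty($post['action'])) {
        $action = $post['action'];
    }
    // The question uses if ($action), which also raises a notice when unset;
    // !empty() takes the same branch without the notice.
    return !empty($action) ? $action : 'No variable';
}

// Hypothetical helper: same flow, but $action is initialised before use.
function handle_hardened(array $get, array $post, bool $registerGlobals): string
{
    if ($registerGlobals) {
        extract($get);
        extract($post);
    }
    $action = null;      // overwrites anything a request parameter injected
    if (isset($post['action']) && is_string($post['action']) && $post['action'] !== '') {
        $action = $post['action'];   // value is read only from the POST body
    }
    return $action !== null ? $action : 'No variable';
}

// Constructed request: GET ?action=test with an empty POST body.
$get  = ['action' => 'test'];
$post = [];

foreach ([true, false] as $registerGlobals) {
    printf("register_globals=%s  vulnerable: %s  hardened: %s\n",
        $registerGlobals ? 'On' : 'Off',
        handle_vulnerable($get, $post, $registerGlobals),
        handle_hardened($get, $post, $registerGlobals));
}

// Check the real setting; ini_get() returns false if the directive does not exist.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "register_globals is On: disable it in php.ini or .htaccess\n");
}
```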

Licensed under: CC-BY-SA with attribution