#1
Is using register_globals() worth the hassle?
I just spent a half-hour converting the easy scripts (<5 variables passed in) to work with register_globals off.
The way I'm doing it is like this:

    $neededVar = $_REQUEST['varname'];

But I'm really starting to doubt the point of register_globals(). I saw that one example, where a user could easily inject a false verification. However, such an attack is defeated if you're used to C++ or Java, where you must initialize variables. Thus, they can inject whatever they want, but you'll be redefining the vars to something, or most likely to an empty string.

    $authenticated = false;
    if ( check login here )
        $authenticated = true;
    if ( $authenticated ) {
        echo "here ya go...";
    }

Basically, why burn extra hours, when you can fix the bad coding, with a line that takes a few seconds to type?

#2
RE: Is using register_globals() worth the hassle?
Well, I agree with what you are saying. If you write secure code (and you KNOW you do), then there really isn't a reason to make the switch. I think this paragraph from the 4.1.0 release notes sums it up well:
Quote:
That's what the problem is, too many people are coding sloppy. And because of that there are gaping security holes out there....

#3
RE: Is using register_globals() worth the hassle?
For an easy solution, see my code snippet in the Zend code gallery (register_globals patch) in the HTTP > Forms category.
It still keeps the script secure, without having to worry about mass patching - just insert the script (2 lines) into each page at the top and you're done...

#4
RE: Is using register_globals() worth the hassle?
Ah, I already "patched" my code up:

    foreach ( $_REQUEST as $key => $val ) $$key = $val;

Thanks though.
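
An added example, not code from any poster in this thread: it runs the import loop from post #4 over a constructed request array to show that the initialization habit from post #1 protects a flag only when the assignment comes after the import, and shows an allow-list import beside it. It assumes PHP 7 or later; `check_login()`, the other function names and the request values are hypothetical.

```php
<?php
// Constructed request data standing in for $_REQUEST, e.g. from
// ?user=bob&authenticated=1 (sample values, not from the thread).
$request = ['user' => 'bob', 'authenticated' => '1'];

// Hypothetical login check; it always fails, so a true flag below
// can only have come from the request.
function check_login(string $user): bool
{
    return false;
}

// Import loop first, then the explicit initialization from post #1.
function import_then_init(array $request): bool
{
    foreach ($request as $key => $val) {
        $$key = $val; // creates local $user and $authenticated
    }
    $authenticated = false; // overwrites the injected value
    if (check_login($user ?? '')) {
        $authenticated = true;
    }
    return (bool) $authenticated;
}

// Initialization first, then the import loop: the request wins.
function init_then_import(array $request): bool
{
    $authenticated = false;
    foreach ($request as $key => $val) {
        $$key = $val; // replaces $authenticated with '1'
    }
    if (check_login($user ?? '')) {
        $authenticated = true;
    }
    return (bool) $authenticated;
}

// Allow-list import: only the names the script expects are copied.
function import_allowed(array $request, array $allowed): array
{
    return array_intersect_key($request, array_flip($allowed));
}

var_dump(import_then_init($request));
var_dump(init_then_import($request));
var_dump(import_allowed($request, ['user']));
```

The first call returns false and the second returns true, so a blanket import is only safe when every security-relevant variable is assigned after it runs; the allow-list version copies `user` and drops `authenticated` regardless of order.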