For the second part of your question: if you can use .htaccess files, then you can enable/disable register globals on a per-directory basis with:
php_flag register_globals on
or
php_flag register_globals off
As for my thoughts on running with it on: it depends on how the application is coded. If coded properly, running with register globals on isn't a big deal, but most applications don't quite cut it in this regard.
Here's the problem. Say you have a little script that looks like this:
<?php

$a = 1;
$b = 2;

if ($a + $b == 4) {
    $c = 1;
}

// $c has not been defined anywhere above unless the condition was true
if ($c == 1) {
    echo "Hey, my math sucks, cuz 1 + 2 does not equal 4!";
}
?>
Now, normally what you'd expect to happen is nothing. Since $a + $b never equals 4 that echo statement will never be executed. But, with register globals on, all somebody would have to do would be to call your script like this:
http://www.yourdomain.com/scriptname.php?c=1
That injects the value for $c right into your script, even though the bit of code that sets $c in your script never gets executed. The problem is that $c is never predefined, and this is the problem with a lot of scripts. Properly coded, that script would look like this:
<?php

// Predefine some variables
$c = 0;

$a = 1;
$b = 2;

if ($a + $b == 4) {
    $c = 1;
}

if ($c == 1) {
    echo "Hey, my math sucks, cuz 1 + 2 does not equal 4!";
}
?>
So now, even if register globals are on and someone tries to pass $c via the url, the script sets it to 0 at the beginning so that echo line will never be executed.
Hopefully, that makes a bit of sense. I can program but I can't explain things worth a pile of beans
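An added example, not part of the original post: register_globals was removed in PHP 5.4, so this sketch emulates it with extract() inside a function to reproduce the two scripts above on a current PHP. The function names and the constructed query strings are assumptions made for the demonstration.

```php
<?php
// Emulation only: extract() copies request parameters into local variables
// before the script body runs, which is what register_globals did globally.

function run_unsafe(array $request): string
{
    extract($request);              // stands in for register_globals on

    $a = 1;
    $b = 2;
    if ($a + $b == 4) {
        $c = 1;
    }
    // $c exists here only if the request supplied it
    return (isset($c) && $c == 1) ? "echo reached" : "echo skipped";
}

function run_safe(array $request): string
{
    extract($request);              // same import as above

    $c = 0;                         // predefine: overwrites any injected value
    $a = 1;
    $b = 2;
    if ($a + $b == 4) {
        $c = 1;
    }
    return ($c == 1) ? "echo reached" : "echo skipped";
}

// Constructed query strings, as they would follow scriptname.php?
foreach (["", "c=1", "c=0", "x=1"] as $qs) {
    parse_str($qs, $request);       // builds the array PHP would put in $_GET
    printf("%-5s unsafe: %-13s safe: %s\n",
        $qs === "" ? "(none)" : $qs, run_unsafe($request), run_safe($request));
}
```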
