26 May

A few things about the ZEND Certification exam

The study guide mentions that REGISTER_GLOBALS and MAGIC_QUOTES_GPC must be set to off. So let's go over what those are and why the guide might want them set to off.

REGISTER_GLOBALS

If OFF, *no* variables passed from $_GET, $_POST and $_COOKIE will be created in the global namespace. Here is an excerpt from IBM's website:

register_globals is not, in and of itself, a security hazard. It does, however, make it harder to trace user input and harder to make sure your application is secure. Why does it do this? Because if register_globals is on, any variable passed to the PHP script by GET, POST, and COOKIE will be created in the global namespace, as well as in the $_GET, $_POST, or $_COOKIE arrays.

When is this useful or not? I don’t quite understand it. Any input is welcome.
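
The effect the IBM excerpt describes, as an added example that is not from the original post or from IBM: an uninitialised flag beside the same page with the flag initialised. register_globals was removed in PHP 5.4, so it is emulated here with extract(); user_is_admin(), the two page functions and the user names are hypothetical.

```php
<?php
// Added example. register_globals no longer exists in current PHP, so its
// effect is emulated with extract(), which also turns request keys into
// variables in the current scope.

// Hypothetical check: true only for the constructed user name "alice".
function user_is_admin(string $user): bool
{
    return $user === 'alice';
}

// "Before": written as if register_globals were ON. $authorized is never
// initialised, so a request parameter of the same name supplies its value.
function page_with_register_globals(array $get, string $user): string
{
    extract($get);                 // emulates register_globals = On
    if (user_is_admin($user)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin panel' : 'access denied';
}

// "After": register_globals OFF. Request data is reachable only through the
// request array, and the flag is initialised before it is tested.
function page_without_register_globals(array $get, string $user): string
{
    $authorized = false;           // request input cannot set this
    if (user_is_admin($user)) {
        $authorized = true;
    }
    return $authorized ? 'admin panel' : 'access denied';
}

// Constructed request: ?authorized=1 sent by the non-admin user "bob".
$get = ['authorized' => '1'];

echo page_with_register_globals($get, 'bob'), "\n";
echo page_without_register_globals($get, 'bob'), "\n";
echo page_without_register_globals($get, 'alice'), "\n";
```

With the setting off, every piece of user input has to be read explicitly from $_GET, $_POST or $_COOKIE, which is what makes it traceable.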

MAGIC_QUOTES_GPC

According to the PHP manual, magic_quotes_gpc sets the state for GPC (Get/Post/Cookie) operations. When magic_quotes_gpc is ON, all ' (single quote), " (double quote), \ (backslash) and NUL characters are escaped with a backslash automatically. With magic_quotes_gpc OFF, you have to learn about the addslashes() and stripslashes() functions in order to escape data yourself. However, the Zend study guide doesn't mention anything about data that comes from a database like MySQL or even from an external script executed by exec(). For databases, if magic_quotes_runtime is ON, then data coming from the DB will be escaped. There might be a question on the exam about data coming from the database. That data would be escaped.