
IBM developerWorks:
Understanding register_globals
May 19, 2005 @ 12:06:14

New from IBM developerWorks, there's this first part in their "Auditing PHP" series - Understanding register_globals.

Chances are that at some point you've had a concern about the security of a PHP application. When you're faced with an auditing task, do you know what to look for? This series walks you through PHP and helps you understand it enough to know what you're looking for when conducting a security audit. Part 1 walks you through understanding the register_globals setting.

This isn't as much of an issue as it used to be with PHP4 (it now comes turned off by default), but there are still tons of scripts out there that make inappropriate use of the globals this setting defines. For those who aren't exactly sure: when register_globals is on, all of the values in the superglobal arrays (e.g. $_POST, $_GET, $_COOKIE) become global to the whole script. So, if you have it on and post a form, the value in the text field "foo" will be in $foo. Needless to say, this is a *very* dangerous way to code... security holes all over the place.

So, for more information on this issue, check this tutorial out today!
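To make the audit concern concrete, here is an added example (not code from the IBM tutorial or from this post) showing the pattern to look for next to its corrected form. The function names, the `is_admin` field and the sample request are hypothetical, and `extract()` is used to emulate register_globals, which no longer exists in current PHP.

```php
<?php
// Added example. register_globals was removed in PHP 5.4, so extract() on a
// constructed request array stands in for "register_globals = On".

// Constructed request: the form's "foo" field plus a field the form never had.
$request = ['foo' => 'hello', 'is_admin' => '1'];

// Audit finding: $is_admin is assigned on one branch only. With request values
// promoted to variables, a same-named request field fills the other branch.
function legacy_page(array $request, bool $password_ok): array
{
    extract($request); // emulates register_globals: 'foo' becomes $foo, etc.
    if ($password_ok) {
        $is_admin = true;
    }
    return ['foo' => $foo ?? '', 'is_admin' => !empty($is_admin)];
}

// Hardened form: initialise every variable and read input from the named
// source only, so request field names can never become variable names.
function fixed_page(array $request, bool $password_ok): array
{
    $is_admin = false;
    if ($password_ok) {
        $is_admin = true;
    }
    $foo = (isset($request['foo']) && is_string($request['foo'])) ? $request['foo'] : '';
    return ['foo' => $foo, 'is_admin' => $is_admin];
}

// Same request and a failed login for both versions; compare the is_admin values.
var_dump(legacy_page($request, false));
var_dump(fixed_page($request, false));
```

When auditing, treat any variable that is read before it is unconditionally assigned as a finding, and confirm the setting itself with `ini_get('register_globals')` on installations old enough to still have it.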
