I know it's recommended to turn off register_globals, but some websites on my server needs to turn register_globals to on.

So I use "php_flag register_globals on" into the .htaccess of the account who needs that.

I want to know if it's dangerous if I leave this command on some websites (others have not this 'add') because in my php.ini , register_global is off.

Thx.

register_globals on can be a security issue with poorly written scripts. However if the script won't run with them off then you need them on.

Yes but many people says to turn it off to enlarge security of the server. So if I put this flag on some accounts, is it dangerous ?

It'll allow you to pass variables between sites and scripts... It's up to you, really. A poorly written script may be vulnerable to having private information extracted from a global variable.

A well-written script is not vulnerable -- however, I feel a well-written script would not require a global variable .

exactly!

Yes Ok. My english is not good, but if I understand, the response is yes, it's dangerous ? Correctly ?

It depends.

You have to answer this: do your scripts store private information in globals -- information that cannot be read by other scripts?

If so, then do not enable registar_globals.

If this does not concern you, then it is okay.

If you mean if it is dangerous for your server, the answer is that is as dangerous as giving php access to your customers. There must not be any problem with that.

The only issue is that if your users' scripts are poorly written, their websites can be in a serious danger but your server should not.

Emm.. and please, excuse too my poor english