From Joomla! Documentation
register_globals is a PHP environment setting that has been the subject of controversy for some time. Older versions of PHP often have this variable set to on and that setting is known to leave a site vulnerable to hacking. Further information is available at the PHP website. Current Joomla! releases do not require this setting to be on, and best practices dictate that it should be changed to off. (Joomla! 1.0.x releases also have a related emulator for this setting, which was implemented for backward compatibility with older components and extensions. It is generally preferred not to enable this capability.) If you have a component that requires this setting, you should look for an update, or find an alternative component. This setting was deprecated in PHP 5.3 and removed in PHP 5.4. If you on a secure version of PHP you shouldn't need to be worried and can skip the rest of this tutorial
How do I find the state of register_globals on my Joomla! install?
J 1.5 Log in to Joomla! administration, go to Help -> System Info, click on the PHP Settings tab, and look for the Register Globals entry.
J1.6+ Log in to Joomla! administration, go to Site -> System Information, click on the PHP Settings tab, and look for the Register Globals entry.
Can I change it?
Yes, maybe. Depending on how much control you have over your server, there are several approaches to addressing this setting.
If you have complete control of your server, then you probably want to make sure that your main PHP configuration file (which is typically found in /usr/local/lib/php.ini) has the directive register_globals set to 0(zero).
If you're in a shared web environment, most likely your hosting provider will not let you modify the global php.ini file. You have a couple of options in this case.
Where do I change it?
Possibly the easiest thing to do, is to ask your hosting provider to make this change for your domain. (Often, this is accomplished by logging a technical support request.) But not all providers will make this change for you. So you may not be so lucky. The good news is that there are likely other options available to you, and here are some of them.
Local php configuration file
If you have access to your web site's root directory, you should be able to include your own copy of a php.ini file. Your copy only needs to include the settings that you want to alter from the global settings.
Change to .htaccess
Another option is to introduce the preferred setting by making an entry in the .htaccess file at the root directory of your web site. In this case, you should add the following line to .htaccess
- Important: This method is only suitable for the Apache PHP module and will not work if PHP runs in CGI-mode.
php_flag register_globals off
Joomla's Global Register Emulator
In the case where you have an extension that absolutely needs to have register_globals on, Joomla! 1.0.x provides an alternative approach that does not require a change to your global settings. The globals.php file in your site's root directory has an entry that lets Joomla! emulate a change to the register_globals site setting. You will find a line that looks as such:
define( 'RG_EMULATION', 0 );
You can change the zero to a one, if you want Joomla to emulate register_globals = on.