Take this code:

if (isset($_POST['action']) && !empty($_POST['action'])) {
    $action = $_POST['action'];

if ($action) {
    echo $action;
else { 
    echo 'No variable';

And then access the file with ?action=test Is there any way of preventing $action from automatically being declared by the GET? Other than of course adding

&& !isset($_GET['action'])

Why would I want the variable to be declared for me?

+24  A: 

Check your php.ini for the register_globals setting. It is probably on, you want it off.

Why would I want the variable to be declared for me?

You don't. It's a horrible security risk. It makes the Environment, GET, POST, Cookie and Server variables global (PHP manual). These are a handful of reserved variables in PHP.

Thank you for the answer, it's really what I've been looking for. But is my example the only thing register_globals affects?
I posted a bit more in the answer above -- it affects environment, get, post, cookie and server.
+4  A: 

Looks like register_globals in your php.ini is the culprit. You should turn this off. It's also a huge security risk to have it on.

If you're on shared hosting and can't modify php.ini, you can use ini_set() to turn register_globals off.

Lucas Oman
+2  A: 

Set register_globals to off, if I'm understanding your question. See http://us2.php.net/manual/en/language.variables.predefined.php


You can test, whether all variables are declared properly by turning the PHP log-level in PHP.INI to

error_reporting  =  E_ALL

Your code snippet now should generate a NOTICE.

Johannes Hädrich
+1  A: 

At some point in php's history they made the controversial decision to turn off register_globals by default as it was a huge security hazard. It gives anyone the potential to inject variables in your code, create unthinkable consequences! This "feature" is even removed in php6

If you notice that it's on contact your administrator to turn it off.

+2  A: 

if you don't have access to the php.ini, a ini_set('register_globals', false) in the phpscript won't work (variables are already declared) An .htaccess with:

php_flag register_globals Off

can sometimes help

Bob Fanger