php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #24270 unset($var) doesn't unset session value with register_globals
Submitted: 2003-06-20 11:53 UTC Modified: 2003-06-23 19:14 UTC
From: kjohnson at zootweb dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.2 OS: Solaris 8 & 9
Private report: No CVE-ID: None
 [2003-06-20 11:53 UTC] kjohnson at zootweb dot com
Description:
------------
This is related to bug #19586 and only applies when register_globals is "on". If a global variable is registered to the session, then an unset() on that global variable will unset it on the current page, but its original value is restored on the next session_start(). I expected it to also be unset in the session, which is how it behaved in older versions of PHP. The workaround provided in bug #19586, unset($var, $_SESSION['var']), does work. However, this means that older code written for register_globals "on" may behave differently when moved to newer PHP versions, a subtle bug. It would be helpful if the code was fixed or the documentation updated to make folks aware of this potential problem.

Reproduce code:
---------------
file: test.php
<?
session_start();
$a = 'zero';
session_register('a');
unset($a);
?>
<br><a href='./test2.php'>next</a>

file: test2.php
<?
session_start();
echo "a is $a<br>";
?>

Expected result:
----------------
I expected $a to not have a value on test2.php, which is the case for this same code running on PHP 4.0.6.

Actual result:
--------------
On the second page, test2.php, $a has the value 'zero', as originally assigned on the first page.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-06-20 14:01 UTC] derick@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is expected behavior though. session_register only makes a reference to the global variable. When you unset it, the session still holds the 2nd reference to the data, and thus is it still set.
 [2003-06-20 14:42 UTC] kjohnson at zootweb dot com
Thanks for your response. BTW, the Summary should read "unset($var) doesn't unset session value with register_globals on".

I respectfully disagree that this is expected behavior. It may be expected behavior to programmers working on the source code of PHP, but it isn't expected behavior for consumers of PHP. PHP consumers do not know about the low-level details of how session_register works, nor should they have to. At a high level, older code will now behave differently under 4.3.x. It will be particularly confusing to PHP consumers because *assigning* to the global also assigns to $_SESSION, and vice-versa; the two appear to be the same variable. However, unset() does not work in the same fashion as assignment; it becomes a special case that will need to be remembered, and the code updated when it is moved to a more current PHP version.

Thanks again for your response, and your work on PHP! I'm done.
-Kirk
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 00:01:28 2024 UTC