php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #14540 sessions and register_globals
Submitted: 2001-12-15 22:32 UTC Modified: 2001-12-16 08:56 UTC
From: bilo at bilo dot dnsalias dot net Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.1.0 OS: linux 2.2.18 - glibc 2.1.3
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bilo at bilo dot dnsalias dot net
New email:
PHP Version: OS:

 

 [2001-12-15 22:32 UTC] bilo at bilo dot dnsalias dot net 
There is something I don't understand.

I've updated to v4.1.0 and noticed that the recommended
configuration defaults register_globals to *Off*. I
understand the security reasons behind this choice. I've
tried to run one of my projects with the new interpreter
and the recommended settings (register_globals=Off). After
resolving a plenty of warnings, I noticed that things were
not working as I expected.

This is a sample code:

<?
    session_register('PIPPO');
    if (empty($PIPPO)) {
        $PIPPO = "ONE";
    } else {
        $PIPPO = "TWO";
    }

    $sidfile = "/tmp/sess_" . $_COOKIE['PHPSESSID'];

    echo "Session file $sidfile contains: <pre>";
    readfile($sidfile);
    echo "</pre>";

    echo "The value is: $PIPPO<br>";
?>


When I run and reload the script I get:

    Session file /tmp/sess_87...blahblah...3e contains:

    PIPPO|s:3:"ONE";maxrating|N;

    The value is: ONE

Why the first run sets the session variable to "ONE" and
the second run can't get it's value? In the latter case I
guess the answer is: "because you have to access it through
$HTTP_SESSION_VARS", but ... shouldn't it had to be the
same in the former case?

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-12-16 05:15 UTC] derick@php.net 
Hello,

let me explain this,
 [2001-12-16 05:32 UTC] derick@php.net 
Oops,

here is the explanation:

the function 'session_register()' 'registers' a variabele to a session. In other words, when the script ends, the value of this variabele is stored with the session.

On the first run $PIPPO is empty (of course), and it is set to 'ONE'.
At the end of the script, the value is stored in the session file.

At the second run, (PIPPO is still registered to the session, so session_register has no effect), empty($PIPPO) evalutes to TRUE again, because the value is in $_SESSION['PIPPO'], and thus PIPPO is set to 'ONE' again.
At the end of the script, the value of $PIPPO ('ONE') is saved to the session again.

You can see more of this behavior, if you set error_reporting(E_ALL) to on in the script.

Hope this explained it,
regards,

Derick
 [2001-12-16 08:56 UTC] bilo at bilo dot dnsalias dot net 
As usual, thanks a lot for the quick and complete answer, and expecially for all your great work!

Coming to my question: yes, that's actually the behaviour I described. What I mean is just that's a little tricky and maybe a little incoherent. I think that a variable should be accessed the same either when I set it and when I get it.
If it is not global it shouldn't be possible to set it as such.
Maybe it should be somehow documented, since it's not so obvious!
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 05:00:01 2025 UTC