php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22979 session index names and same name variables prob even with register_globals off
Submitted: 2003-03-31 07:22 UTC Modified: 2003-03-31 07:35 UTC
From: mailinglist dot phpnet at hydras-world dot com Assigned:
Status: Not a bug Package: Variables related
PHP Version: 4.3.1 OS: *nix
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mailinglist dot phpnet at hydras-world dot com
New email:
PHP Version: OS:

 

 [2003-03-31 07:22 UTC] mailinglist dot phpnet at hydras-world dot com
I wasn't using session_register to register global variables in my code and all session access was through $_SESSION[] so the "register_globals = off" setting shouldn't affect my code, but it did!

I wrote all my code with the knowledge that register_globals defaults to OFF on most web-servers and that having the setting off is also more secure.

The problem comes about when having variable names the same as index names in the $_SESSION array and when they're not supposed to be set to the same thing.

e.g.

$ordernumber = $_SESSION['ordernumber'];
$ordernumber++;

This would have the effect of doing this too:
$_SESSION['ordernumber']++;

Not good!

The solution however was quite simple, and I just used upper case names as my $_SESSION index names.

so $_SESSION['ordernumber'] now becomes $_SESSION['ORDERNUMBER'].

I've confirmed this to be a bug on the *nix webserver that my ISP uses, but can't reproduce it with a default install in php 4.2.3 and 4.3.1 on my WinXP IIS5.1 setup.

To help you out, I added a php script to a test site that shows the problem, along with the output of a phpinfo() call.

Here's the script:

==== SCRIPT START ====

<?php

ob_start();
session_start();
?>
<html>
<body>
<?php

echo "Session Now: "; var_dump($_SESSION); echo "<br>";

$_SESSION['ordernumber'] = 5;
$ordernumber = $_SESSION['ordernumber'];

echo "ordernumber = $ordernumber<br>";
echo "Session Before: "; var_dump($_SESSION); echo "<br>";

$ordernumber++;

echo "ordernumber = $ordernumber<br>";
echo "Session After: "; var_dump($_SESSION); echo "<br>";

?>
<p>PhpInfo: <? phpinfo(); ?></p>
</body>
</html>

==== SCRIPT END ====

When the script is run on the ISP's web server this is the output:

Session Now: array(1) { ["ordernumber"]=> &int(6) } 
ordernumber = 5
Session Before: array(1) { ["ordernumber"]=> &int(5) } 
ordernumber = 6
Session After: array(1) { ["ordernumber"]=> &int(6) } 

Notice the int(6) on the line above - BAD!

When the script is run on my system this is the output:

Session Now: array(1) { ["ordernumber"]=> int(5) } 
ordernumber = 5
Session Before: array(1) { ["ordernumber"]=> int(5) } 
ordernumber = 6
Session After: array(1) { ["ordernumber"]=> int(5) } 

Notice the int(5) on the line above! - CORRECT!

here's a link to the script, so you can test it for yourselves:

http://www.loudretail.com/sessionproblem.php


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-03-31 07:32 UTC] rioter@php.net
as you can see register globals is on in your php.ini
as its not a bug in php its self marking as bogus



 [2003-03-31 07:35 UTC] mailinglist dot phpnet at hydras-world dot com
My ISP told my it was OFF, so i took them at their word.  I just noticed this myself and was heading back here to cancel this bug report.

Apologies
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC