Bug #44545 Numeric keys in sessions fail silently
Submitted: 2008-03-27 10:42 UTC Modified: 2008-03-27 12:46 UTC
From: info at concept47 dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.5 OS: Windows Xp sp2
Private report: No CVE-ID: None
 [2008-03-27 10:42 UTC] info at concept47 dot com
Description:
------------
Trying to use numeric keys for session vars fails silently. This is bad and can lead to lost hours/money for the developer. I am just asking for this sort of assignment to fail in a far more obvious manner.

Reproduce code:
---------------
$_SESSION['1234'] = "boooo!";

Expected result:
----------------
I expect the session variable to be stored or else fail miserably like this assignment would

$123 = "dummy!"

Actual result:
--------------
the session variable with a numeric key is never stored ... and it might take a developer a while to figure out why, as other session vars are stored just fine.



 [2008-03-27 11:30 UTC] jani@php.net
RTFM: "The keys in the $_SESSION associative array are subject to the same limitations as regular variable names in PHP, i.e. they cannot start with a number and must start with a letter or underscore. For more details see the section on variables in this manual."

Found at http://php.net/session

 [2008-03-27 11:31 UTC] jani@php.net
And as this $_SESSION is "special" we can not add any errors when it's passed invalid data. You just have to _know_ this.
 [2008-03-27 12:46 UTC] info at concept47 dot com
And as this $_SESSION is "special" we can not add any errors when it's
passed invalid data

--- Can you elaborate more on this? Because that is what I don't understand.

Why will

$1234 = "me";

fail fantastically but ...

$_SESSION['1234'] = "me";

not.
 [2012-08-30 16:21 UTC] william at piecewise dot com
I would have to agree. I had no idea about this rule for session vars and as a 
result lost about an hour and a half before I stumbled across this post.
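
Added example, not part of the original report or of PHP itself: a guard that makes the assignment from the report fail loudly by checking keys against the variable-name rule quoted from the manual above. The helper names and the `$session` stand-in array are hypothetical; in an application, pass `$_SESSION` instead.

```php
<?php
declare(strict_types=1);

// Pattern for a valid PHP variable name, as given in the manual's section on variables.
const SESSION_KEY_PATTERN = '/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*$/';

/** True when $key obeys the variable-name rule quoted in the thread. */
function is_valid_session_key($key): bool
{
    // '1234' used as an array key is cast to int 1234 by PHP, so ints are rejected outright.
    return is_string($key) && preg_match(SESSION_KEY_PATTERN, $key) === 1;
}

/** Hypothetical helper: store a value, or throw instead of losing it silently. */
function session_set_checked(array &$session, $key, $value): void
{
    if (!is_valid_session_key($key)) {
        throw new InvalidArgumentException(
            'Invalid session key ' . var_export($key, true)
            . ': must start with a letter or underscore'
        );
    }
    $session[$key] = $value;
}

/** Hypothetical helper: list keys already present that break the rule. */
function find_invalid_session_keys(array $session): array
{
    return array_values(array_filter(array_keys($session), function ($k) {
        return !is_valid_session_key($k);
    }));
}

// Constructed stand-in for $_SESSION so the script runs from the CLI.
$session = ['user_id' => 42, '1234' => 'boooo!', '_csrf' => 'x'];

// Audit existing keys, e.g. before the session is written out.
var_dump(find_invalid_session_keys($session));

try {
    session_set_checked($session, '1234', 'me'); // the assignment from the report
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

session_set_checked($session, 'k1234', 'me'); // a letter-prefixed key is accepted
```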
 
Last updated: Sun Feb 16 14:01:31 2025 UTC