php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #51120 If session var is NULL, value will be overwritten by global with same name
Submitted: 2010-02-23 08:30 UTC Modified: 2010-02-23 18:57 UTC
From: antonio04 at gmail dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.3.1 OS: FreeBSD 7.2
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: antonio04 at gmail dot com
New email:
PHP Version: OS:

 

 [2010-02-23 08:30 UTC] antonio04 at gmail dot com 
Description:
------------
When you have a session variable whose whose session array key is 
defined but with a NULL value, this variable acts as if register_globals 
were enabled, i.e. any value set to a global variable of the same name 
is stored in the session as this key's value.

Once the session variable's value has been changed to something not 
null, this behavior ceases.

A cursory search in the archives shows that this issue was categorized 
as a bogus bug report six years ago (#28482), but the reason given does 
not make sense, as the session variable key certainly does exist and 
acts unexpectedly when initialized to NULL.

Thanks!

Reproduce code:
---------------
<?php
/* Script 1 */
session_start();
init_set('register_globals', 0);
$_SESSION['foo'] = NULL;
$foo = 'bar';
?>

<?php
/* Script 2 */
session_start();
var_dump($_SESSION['foo']);
?>

Expected result:
----------------
Script 1: 

Script 2: 
Notice: Undefined index: foo in /home/www/interpals/test.php on line 3
NULL

Actual result:
--------------
Script 1:

Script 2:
string(3) "bar"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-02-23 08:42 UTC] antonio04 at gmail dot com 
Sorry, there was a typo in the reproduce code -- please check this 
instead:

<?php
/* Script one */
ini_set('register_globals', 0);
session_start();
$_SESSION['foo'] = NULL;
$foo = 'bar';
?>

Then view the second script:
<?php
/* Script two */
session_start();
var_dump($_SESSION['foo']);
?>
 [2010-02-23 10:33 UTC] antonio04 at gmail dot com 
Here are the expected/actual results: 

Expected result:
----------------
Script 1: 

Script 2: 
NULL

Actual result:
--------------
Script 1:

Script 2:
string(3) "bar"
 [2010-02-23 12:55 UTC] jani@php.net 
For starters, you can't set register_globals in script. Hence there's no bug but expected (bad) behaviour on having register_globals = On. Switch it off and all is well. :)
 [2010-02-23 13:07 UTC] antonio04 at gmail dot com 
Thanks for your quick response.

Sorry, I should have mentioned that register_globals is off in php.ini.  
I included the ini_set line to illustrate that point, but I suppose 
that's moot, since you can't set it via ini_set =)

However, the problem is still there... can you please try to reproduce 
it?
 [2010-02-23 13:13 UTC] antonio04 at gmail dot com 
Just to confirm, register_globals is definitely off -- both as reported 
by phpinfo() as well as the following snippet:

<?php
echo 'register_globals = ' . ini_get('register_globals') . "\n";
?>

Which displays the following: 

register_globals =
 [2010-02-23 18:57 UTC] antonio04 at gmail dot com 
On further research, this seems due to the session.bug_compat_42 
bug/"feature".  Turning this setting off in php.ini has resolved the 
issue. Thanks.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Nov 23 01:00:01 2025 UTC