php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63969 Storing PDO Statement Class in $_SESSION Corrupts all $_SESSION variables
Submitted: 2013-01-11 15:54 UTC Modified: 2013-01-14 23:51 UTC
From: tim_s_wiley at yahoo dot com Assigned:
Status: Not a bug Package: PDO related
PHP Version: 5.3.20 OS: Windows 2008
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: tim_s_wiley at yahoo dot com
New email:
PHP Version: OS:

 

 [2013-01-11 15:54 UTC] tim_s_wiley at yahoo dot com
Description:
------------
Anytime i assign a new object instance of PDOStatement to a session variable the session text file goes to zero byte and has no session information inside.  The following code will produce the issue.  If you comment out the 2nd $_SESSION assignment which is the PDO issue the session will log its information to the sess text file properly and works as expected.  Here is very simple php example that will produce the issue:

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>PDO Statement Session Test</title>
</head>
<body>
<?php
    $_SESSION['regularVariable'] = 'Regular Stuff'; // Works just fine
    $_SESSION['pdoVariable'] = new PDOStatement; // zeros the sess* file
?>
</body>
</html>



Test script:
---------------
<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>PDO Statement Session Test</title>
</head>
<body>
<?php
    $_SESSION['regularVariable'] = 'Regular Stuff'; // Works just fine
    $_SESSION['pdoVariable'] = new PDOStatement; // zeros the sess* file
?>
</body>
</html>

Expected result:
----------------
Test #1 - As is will produce a zero byte php sess* file(No variable information will be logged in the file and thus not available to follow-up sessions if there were session variables stored they are lost).
  
Test #2 - Comment out the pdoVariable line will properly store the other $_SESSION variables in the sess* file.  


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-01-12 01:16 UTC] arpad@php.net
-Status: Open +Status: Analyzed
 [2013-01-12 01:16 UTC] arpad@php.net
PDOStatement throws an exception when you try to serialize it, so it naturally can't be stored in the session, and this borks the session writing process in a place which can't be handled nicely without significant overhead for the normal case.

You can see a more useful error message by calling session_write_close() yourself, or just serialize(new PDOStatement); directly.

Leaving this open for PDO devs in case it can actually be serialized, but I suspect not.
 [2013-01-14 23:51 UTC] johannes@php.net
-Status: Analyzed +Status: Not a bug
 [2013-01-14 23:51 UTC] johannes@php.net
No, we can't serialize PDO or PDOStatement objects - those are associated with a network connection, there ios no way to keep those between serialisation.

Bailing out with an exception is the only thing we can do, all other approaches are equally bad ...
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 09:01:29 2024 UTC