[2003-08-16 23:52 UTC] sniper@php.net
Description:
------------
When register_globals is on, and after a session has already been started, $_SESSION values can be changed indirectly.

$_SESSION['userID'] = 'carl';
$userID = $_SESSION['userID'];
$userID = 'HAXOR';
# now $_SESSION['userID'] is 'HAXOR'

To me, this seems like a bad thing.

Happens under Mac OS 10.2, w/ PHP 4.3.2
Happens under Win2K w/ PHP 4.3.2
Doesn't happen under Linux w/ PHP 4.2.3

Reproduce code:
---------------
<?
# Demonstrates that $_SESSION can be changed indirectly.
# the alleged bug activates when register_globals is ON.

# set a userID in the session
session_start();
$_SESSION['userID'] = 'carl';

# copy userID into a global variable, $userID
$userID = $_SESSION['userID'];

# change only $userID
print "before: ". $_SESSION['userID'] ."<br>\n";
$userID = 'HAXOR';
print "after: ". $_SESSION['userID'] ."<br>\n";

if ( $_SESSION['userID']=='HAXOR' ) {
    print "bad";
}
# seems very wrong that $_SESSION['userID'] was changed
?>

Expected result:
----------------
After I run the script and reload it once, I should not see "bad" because changing $userID should not change $_SESSION['userID'].

Actual result:
--------------
bad
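
Added example (not part of the original report): with register_globals on, the PHP manual describes global variables and $_SESSION entries as referencing the same values restored from the prior session instance, which matches the aliasing reported above. The sketch below reproduces that binding with an explicit reference on current PHP, which no longer has register_globals, and shows a probe that detects it; `aliased_keys`, `$session` and `$globals` are hypothetical names, and the data is constructed.

```php
<?php
// Added illustration, not code from the bug report or from PHP itself.

/**
 * Return the keys whose entry in $globals is a reference alias of the
 * same-named entry in $session. Detection: write a unique probe object
 * through the global side and check whether the session side changed.
 */
function aliased_keys(array &$session, array &$globals): array
{
    $aliased = [];
    foreach (array_keys($session) as $key) {
        if (!array_key_exists($key, $globals)) {
            continue;
        }
        $saved = $globals[$key];
        $probe = new stdClass();          // unique value, cannot collide
        $globals[$key] = $probe;          // write through the global side
        if ($session[$key] === $probe) {  // session side followed: aliased
            $aliased[] = $key;
        }
        $globals[$key] = $saved;          // restore the original value
    }
    return $aliased;
}

// Legacy runtimes only: on current PHP the directive does not exist and
// ini_get() returns false, so this branch is skipped.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    trigger_error('register_globals is on: globals alias $_SESSION', E_USER_WARNING);
}

// Constructed stand-ins for $_SESSION and the global scope.
$session = ['userID' => 'carl', 'role' => 'user'];
$globals = [];
$globals['userID'] = &$session['userID']; // binding as with register_globals on
$globals['role']   = $session['role'];    // plain copy, as with it off

// Same write pattern as the reproduce script, applied to both kinds of entry.
$globals['userID'] = 'HAXOR';
$globals['role']   = 'admin';

var_dump($session['userID'], $session['role']); // aliased entry vs. copied entry
print_r(aliased_keys($session, $globals));      // keys still bound by reference
```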