php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22245 Unserialize Problem with References
Submitted: 2003-02-16 21:29 UTC Modified: 2003-08-11 14:40 UTC
Votes:3
Avg. Score:3.7 ± 1.9
Reproduced:0 of 1 (0.0%)
From: goth at php-resource dot de Assigned: sas
Status: Closed Package: Session related
PHP Version: 4.3.3RC2-dev, 5.0.0b2-dev OS: *
Private report: No CVE-ID:
 [2003-02-16 21:29 UTC] goth at php-resource dot de
Hello,

I've got a Problem unserializing variables which are a reference. An to me it seems to be a bug ... !

Example:

session_start();
$_SESSION["A"]=10;
$_SESSION["B"]=&$_SESSION["A"];

is correctly serialized to:
A|i:10;B|R:1;

I am happy ... ;)

But if I call this session again ... maybe the next page PHP seems to loose the information that B was a reference.

Example:
session_start();
echo "BEFORE: A=".$_SESSION["A"]."<br />";
echo "BEFORE: B=".$_SESSION["B"]."<br />";
$_SESSION["A"]++;
echo "AFTER: A=".$_SESSION["A"]."<br />";
echo "AFTER: B=".$_SESSION["B"]."<br />";

It results to:

BEFORE: A=10
BEFORE: B=10
AFTER: A=11
AFTER: B=10

where I thought of A and B having the same value ... for B beeing a reference to A ...

@sniper: Please don't answer ... your arrogant (and almost dumb) answers cause me one heart-attack after the other ... !!!!!!

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-02-17 07:19 UTC] goth at php-resource dot de
Hello,

probably a hint:

my php4-STABLE-200302071830 works fine ...

php430 does not ... so as php4-STABLE-200302162230
 [2003-05-20 17:38 UTC] sas@php.net
Not reproducible. I tried this with 4.2.3, 4.3.1 and current 4_3 CVS. The references between $_SESSION entries are never reestablished. 

Additionally, I tried a cvs checkout -r PHP_4_3_0 -D 2/7/2003 with the same negative result.

So, are you absolutely sure that you have some code where this works? Did you use register_globals = on?
 [2003-05-20 17:53 UTC] goth at php-resource dot de
Yes I am very sure that php4-STABLE-200302071830 worked properly with the stated code above ... !

Another Question ... what does R:1 mean in this serialization??

A|i:10;B|R:1;
 [2003-05-26 21:55 UTC] gschine at middlebury dot edu
we have had extensive experience with this, and it 
seems that the above bug only occurs while 
register_globals is OFF. when it's on everything works 
as expected.
 [2003-07-12 23:34 UTC] sniper@php.net
Even as you think I'm arrogant and dumb, I'm marking this as verified. (In hope you really get a heart-attack..>:)

Here's a complete test case script:

<?php

session_start();

if (isset($_GET['destroy'])) {
        session_destroy();
        header("Location: {$_SERVER['PHP_SELF']}");
        exit();
}

echo "register_globals: ", ((ini_get('register_globals')) ? 'On' : 'Off'), "<br />";

if (!isset($_SESSION["A"]) && !isset($_SESSION["B"])) {
        $_SESSION["A"]=10;
        $_SESSION["B"]=&$_SESSION["A"];
}

echo "BEFORE: A=".$_SESSION["A"]."<br />";
echo "BEFORE: B=".$_SESSION["B"]."<br />";
$_SESSION["A"]++;
echo "AFTER: A=".$_SESSION["A"]."<br />";
echo "AFTER: B=".$_SESSION["B"]."<br />";

echo "<br /><a href='{$_SERVER['PHP_SELF']}?destroy=1'>destroy session</a> after changing register_globals setting to see the bug in effect";
echo "<br />(and reload the page couple of times..)";

?>

When register_globals = On  -> Works.
When register_globals = Off -> Does not work.


 [2003-08-11 14:21 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 [2003-08-11 14:40 UTC] goth at php-resource dot de
@Sniper: I never thought you're dumb ... but maybe as arrogant as I am ... ;)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 14:02:18 2014 UTC