|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22245 Unserialize Problem with References
Submitted: 2003-02-16 21:29 UTC Modified: 2003-08-11 14:40 UTC
Avg. Score:3.7 ± 1.9
Reproduced:0 of 1 (0.0%)
From: goth at php-resource dot de Assigned: sas
Status: Closed Package: Session related
PHP Version: 4.3.3RC2-dev, 5.0.0b2-dev OS: *
Private report: No CVE-ID:
 [2003-02-16 21:29 UTC] goth at php-resource dot de

I've got a Problem unserializing variables which are a reference. An to me it seems to be a bug ... !



is correctly serialized to:

I am happy ... ;)

But if I call this session again ... maybe the next page PHP seems to loose the information that B was a reference.

echo "BEFORE: A=".$_SESSION["A"]."<br />";
echo "BEFORE: B=".$_SESSION["B"]."<br />";
echo "AFTER: A=".$_SESSION["A"]."<br />";
echo "AFTER: B=".$_SESSION["B"]."<br />";

It results to:


where I thought of A and B having the same value ... for B beeing a reference to A ...

@sniper: Please don't answer ... your arrogant (and almost dumb) answers cause me one heart-attack after the other ... !!!!!!


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2003-02-17 07:19 UTC] goth at php-resource dot de

probably a hint:

my php4-STABLE-200302071830 works fine ...

php430 does not ... so as php4-STABLE-200302162230
 [2003-05-20 17:38 UTC]
Not reproducible. I tried this with 4.2.3, 4.3.1 and current 4_3 CVS. The references between $_SESSION entries are never reestablished. 

Additionally, I tried a cvs checkout -r PHP_4_3_0 -D 2/7/2003 with the same negative result.

So, are you absolutely sure that you have some code where this works? Did you use register_globals = on?
 [2003-05-20 17:53 UTC] goth at php-resource dot de
Yes I am very sure that php4-STABLE-200302071830 worked properly with the stated code above ... !

Another Question ... what does R:1 mean in this serialization??

 [2003-05-26 21:55 UTC] gschine at middlebury dot edu
we have had extensive experience with this, and it 
seems that the above bug only occurs while 
register_globals is OFF. when it's on everything works 
as expected.
 [2003-07-12 23:34 UTC]
Even as you think I'm arrogant and dumb, I'm marking this as verified. (In hope you really get a heart-attack..>:)

Here's a complete test case script:



if (isset($_GET['destroy'])) {
        header("Location: {$_SERVER['PHP_SELF']}");

echo "register_globals: ", ((ini_get('register_globals')) ? 'On' : 'Off'), "<br />";

if (!isset($_SESSION["A"]) && !isset($_SESSION["B"])) {

echo "BEFORE: A=".$_SESSION["A"]."<br />";
echo "BEFORE: B=".$_SESSION["B"]."<br />";
echo "AFTER: A=".$_SESSION["A"]."<br />";
echo "AFTER: B=".$_SESSION["B"]."<br />";

echo "<br /><a href='{$_SERVER['PHP_SELF']}?destroy=1'>destroy session</a> after changing register_globals setting to see the bug in effect";
echo "<br />(and reload the page couple of times..)";


When register_globals = On  -> Works.
When register_globals = Off -> Does not work.

 [2003-08-11 14:21 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.

 [2003-08-11 14:40 UTC] goth at php-resource dot de
@Sniper: I never thought you're dumb ... but maybe as arrogant as I am ... ;)
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Sat Oct 10 16:01:30 2015 UTC