php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #23354 Use of variable before registration problem
Submitted: 2003-04-25 17:22 UTC Modified: 2003-05-23 11:23 UTC
From: bill dot macallister at prideindustries dot com Assigned:
Status: Closed Package: Session related
PHP Version: 4-STABLE-200304281330 OS: Linux 2.4.18-27.7.xsmp
Private report: No CVE-ID: None
 [2003-04-25 17:22 UTC] bill dot macallister at prideindustries dot com
This is as much a change in behavior as anything, but the
specific failure seems to indicate a deeper problem.

We have an application that uses out own session save handler
to store session data in a MySQL database.  This application
has been in use on a 4.2.1 system for months now.  When I 
upgraded our test system to 4.3.1 we started getting failures.
The exact error was a MySQL connection failure because of
bad authentication credentials.  The error report indicated
that the connection attempt was for webuser@localhost.  Our
Apache server runs as webuser so this is the default user.
The code generating this message is:

  $mysql_host = 'mysql-master';
  $mysql_user = 'phpuser';
  $mysql_pass = 'phppass';
  $mysql_db   = 'php_sessions';
  if ($cnx = mysql_connect ($mysql_host, 
                            $mysql_user, 
                            $mysql_pass)) {
    if ($db = mysql_select_db($mysql_db, $cnx)) {
      $ret = $cnx;
    }
  }

So, the error message really is bogus or PHP's heap is 
corrupt.

It turns out that I was able to make the error go away
by changing the code:

  $s_user_id = $user_data["user_id"];
  session_register("s_user_id");

to:

  session_register("s_user_id");
  $s_user_id = $user_data["user_id"];

It appears that in 4.2.1 you can use variables before you
register then and in 4.3.1 you cannot.

The 4.3.1 behavior is at least a bug in that PHP silently
accepts the invalid instruction sequence and corrupts its
environment so that completely unrelated parts of the 
script will fail.  If registration is required before use
I would really like to see session_register complain if
you try and do it wrong.

Bill

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-04-30 10:58 UTC] bill dot macallister at prideindustries dot com
Well, a cleaned up php.ini did not seem to change anything.  What I did was to start from php.ini-recommended and then add local changes.

Bill
 [2003-05-08 16:41 UTC] bill dot macallister at prideindustries dot com
We very carefully went through our code and made sure that we never used a variable before we registered it and the specific problem that I reported does not occur.  But we are seeing, very intermitently, similiar failures that we cannot explain.  Basically we see a session "lose" its variables.  This is happening about 10 times in 1000 accesses.  We have not been able to reproduce the problem on demand.  This is causing us too much pain at this point and we will likely fall back to 4.2.3 where we do not see the problem.

I really think that the variable register/use that I reported is exercising a more fundamental problem.  We will try removing our session handler and see if the problem persists.
 [2003-05-09 01:02 UTC] bill dot macallister at prideindustries dot com
On a development system that is exhibits this problem we tried pulling out our customer handler routines and used the vanilla session support in PHP.  The problem persists.
 [2003-05-15 13:19 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

This might be fixed now.

 [2003-05-17 17:40 UTC] bill dot macallister at prideindustries dot com
Looks like that fixed the problem.  Initial tests are good.

Thanks a lot,

Bill
 [2003-05-18 11:50 UTC] sniper@php.net
Fix will be in PHP 4.3.2.

 [2003-05-23 11:23 UTC] bill dot macallister at prideindustries dot com
While the test case that caused this failure was solved with RC4 we are stilling seeing an intermittent problem with session information disappearing.  Unfortunately we cannot reproduce the problem at will and see it once or twice is several hundred accesses to this application.  We are working on getting more details, but at this point that looks like a slow process.  I just wanted to let you know in case you notice something that might be causing this.

Thanks again for you efforts,

Bill
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Dec 09 02:05:54 2022 UTC