Bug #32261 Session variable changes into reference
Submitted: 2005-03-10 11:58 UTC
Modified: 2005-06-20 11:04 UTC
From: takayana at egate1 dot com
Assigned: derick
Status: Closed
Package: Session related
PHP Version: 4CVS-2005-03-23
OS: *
Private report: No
CVE-ID: None

 [2005-03-10 11:58 UTC] takayana at egate1 dot com
Description:
------------
Session variable handling in PHP 4.3.10 behaves differently from lower versions.

When the following 6 files are created and test_web1.php is run, in the case of a lower version (for example, PHP 4.3.9) the id values of the $_SESSION['data'] array are set to 31, 1, 2, 3, 4, 5 ... 20, but in the case of PHP 4.3.10 they are set to 31, 1, 2, 3, 3, 5 ... 20.

Reproduce code:
---------------
http://www.egate1.com/docs/.tmp/code.txt


 [2005-03-23 01:29 UTC] sniper@php.net
Here's the shortest possible example script I came up with,
which does exactly the same as your multiple scripts and
shows what really happens:

<?php

class data {var $f;}
session_start();
$phase = isset($_GET['phase']) ? $_GET['phase'] : 1;

switch ($phase) {
case 1:
  $_SESSION['foo'][0] = new data;
  $_SESSION['foo'][0]->f = 1;
  $_SESSION['foo'][1] = new data;
  $_SESSION['foo'][1]->f = 2;
  header("Location: test_web.php?phase=2");
  exit(1);
  break;

case 2:
  $_SESSION['bar'] = new data;
  $_SESSION['bar']->f = 3;
  header("Location: test_web.php?phase=3");
  exit(1);
  break;

case 3:
  $_SESSION['foo'][0] = $_SESSION['bar'];  // Here be bug
  header("Location: test_web.php?phase=4");
  exit(1);
  break;

case 4:
  $_SESSION['bar'] = 'foo';
  header("Location: test_web.php?phase=5");
  exit(1);
  break;

case 5:
  echo '<pre>';
  var_dump($_SESSION);
  echo '</pre>';
  break;
}

?>

Output is this:

array(2) {
  ["foo"]=>
  array(2) {
    [0]=>
    &string(3) "foo"
    [1]=>
    object(data)(1) {
      ["f"]=>
      int(2)
    }
  }
  ["bar"]=>
  &string(3) "foo"
}

Result: ['bar'] became a reference to ['foo'][0]
(Does NOT happen when using arrays instead of object)
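
What the `&` in the dump above means, as an added example that is not part of the original comment or of PHP's own code: a plain array stands in for $_SESSION, serialize()/unserialize() stands in for the session save and load between requests, and slots_aliased() and run_phases() are hypothetical helpers. It assumes current PHP (7 or later), where phase 3 as written leaves the two slots independent; the explicit `=&` branch puts them in the aliased state the report shows, so that phase 4 overwrites foo[0] as well.

```php
<?php
// Added example, not from the bug report. A plain array stands in for
// $_SESSION; serialize()/unserialize() stands in for the session save and
// load between requests (assumption). Written for PHP 7 or later.
class data { public $f; }

// Hypothetical helper: true when foo[0] and bar are bound as PHP references,
// i.e. a write to one slot shows up in the other. Restores the value after.
function slots_aliased(array &$s): bool
{
    $saved = $s['bar'];
    $probe = new stdClass;                 // unique sentinel object
    $s['bar'] = $probe;
    $aliased = ($s['foo'][0] === $probe);
    $s['bar'] = $saved;
    return $aliased;
}

// Hypothetical helper: phases 1-4 of the script above, with a round trip
// through the serializer after each phase.
function run_phases(bool $bind_by_reference): array
{
    $s = [];
    $s['foo'][0] = new data; $s['foo'][0]->f = 1;   // phase 1
    $s['foo'][1] = new data; $s['foo'][1]->f = 2;
    $s = unserialize(serialize($s));
    $s['bar'] = new data; $s['bar']->f = 3;         // phase 2
    $s = unserialize(serialize($s));
    if ($bind_by_reference) {
        $s['foo'][0] = &$s['bar'];   // explicit alias, the state the bug produced
    } else {
        $s['foo'][0] = $s['bar'];    // phase 3 as written in the report
    }
    $s = unserialize(serialize($s));
    $aliased = slots_aliased($s);    // regression check before phase 4
    $s['bar'] = 'foo';               // phase 4
    return [$aliased, $s];
}

foreach ([false, true] as $bind) {
    [$aliased, $s] = run_phases($bind);
    echo 'bind by reference: ', var_export($bind, true),
         ', slots aliased: ', var_export($aliased, true), "\n";
    var_dump($s);                    // phase 5
}
```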

 [2005-03-24 07:46 UTC] sniper@php.net
Seems also to be fixed in HEAD (PHP 5.1.0-dev)

 [2005-03-24 08:08 UTC] takayana at egate1 dot com
If it can be done, I would like you to carry out the fix in PHP 4.X.

 [2005-03-24 21:49 UTC] sniper@php.net
Bug #24485 seems to be the same issue as this.

 [2005-03-25 02:40 UTC] takayana at egate1 dot com
With my long code, the result when run with PHP 4.3.9 was the normal value,
and I thought that it was a problem of PHP 4.3.10.
Looking at the code of bug #24485, it seems that it is the same.
Is it that it has become easier to find the bug in PHP 4.3.10?

 [2005-05-10 15:24 UTC] sniper@php.net
Assigning to Derick (another reference thing..)

 [2005-06-20 10:58 UTC] takayana at egate1 dot com
It is fixed.
Thank you.
 [2005-06-20 11:04 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 