|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #37087 register_globals with $_SESSION
Submitted: 2006-04-14 19:22 UTC Modified: 2006-04-14 19:36 UTC
Avg. Score:2.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: stefys at gmail dot com Assigned:
Status: Wont fix Package: Variables related
PHP Version: 5.1.2 OS: Windows XP SP2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: stefys at gmail dot com
New email:
PHP Version: OS:


 [2006-04-14 19:22 UTC] stefys at gmail dot com
When register_globals is enabled, items from $_SESSION are stored into variables. However, if you unset one of those variables, and then you set it again with his own value, then you session_unset() the variable will be lost too. This is not really a bug, but maybe there is a way to check if that variable still "points" to $_SESSION.

Reproduce code:
	if (!isset($_SESSION['test']))
		$_SESSION['test'] = "value in session";
		echo "please reload!";
		echo '$_SESSION[\'test\']: '.$_SESSION['test']."<br>"; // prints $_SESSION['test'] 
		echo '$test: '.$test."<br>"; // prints $_SESSION['test']
		unset($test); //unsets $test, now $test is not a "pointer" to $_SESSION['test'] anymore
		$test = "my own value";
		echo '$_SESSION[\'test\']: '.$_SESSION['test']."<br>";
		echo '$test: '.$test."<br>"; //ok, now $test has different value than $_SESSION['test']
		session_unset(); // unsets $_SESSION['test'], but $test too, because register_globals is enabled
		echo '$_SESSION[\'test\']: '.$_SESSION['test']."<br>";
		echo '$test: '.$test."<br>";

Expected result:
It should only unset $_SESSION['test'], not $test, even if register_globals is enabled.

Actual result:
Both, $test and $_SESSION['test'] are unset. This how I think that session_unset() works:

function session_unset()
    global $_SESSION;
    foreach ($_SESSION as $item => $value)
        if (ini_get('register_globals')) unset($$value); // unsets $value, no matter if it does not "point" to $_SESSION anymore
        //as a temporary fix:
        //if (ini_get('register_globals') && $$value === $_SESSION[$item]) ... // this will still not fix everything, since value of $$value might be same as in $_SESSION, in which case it will still be unset


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-04-14 19:36 UTC]
register_globals will not exist in PHP6.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 24 09:01:30 2024 UTC