Edit report at https://bugs.php.net/bug.php?id=65359&edit=1
ID: 65359
Updated by: yohg...@php.net
Reported by: spam2 at rhsoft dot net
Summary: Unknown: Skipping numeric key 1 in Unknown on line 0
Status: Assigned
Type: Bug
Package: Session related
PHP Version: 5.4.17
Assigned To: yohgaki
Block user comment: N
Private report: N
New Comment:
> so again: we do not need a *incompatible* new session handler, we need proper
error-reporting and "in unknown" is always a *major bug* and design flaw
This is not feasible option. If PHP should detect invalid session data
assignment, PHP should monitor every writes to variable, not only $_SESSION
array, during execution only for "register_globals" limited serialize handler.
There is no such API in PHP. If we made it, it slows down PHP and nobody is
willing to do. (Technically, Zend engine provides handler for assignment. By
using the API, anyone can make a module that detects invalid writes to
$_SESSION)
It seems current documentation does not state that users are not able to save
numeric index session vars (and other special chars). However, older documents
explicitly states numeric session vars are prohibited/unsupported. It's our
document bug, but this is the way it supposed to work.
Therefore, correct way of fixing this "*major bug* and design flaw" is
introducing new serialize handler that is *not* bonded to register_globals.
Anyway, I may be able to add REQUEST_URI to the error. Do you want it? It can
be
retrieved via custom error handler, though.
Another feasible option for you is that define user error handler that ignores
this error. Since we are not going to add new serialize handler to released
branch, it would be most feasible option for you. Or write your own module that
monitor assignments and raise error for invalid.
Previous Comments:
------------------------------------------------------------------------
[2013-08-10 10:53:36] spam2 at rhsoft dot net
yes it is *saved* after script execution
but that is no excuse not store the script path and throw it out in the error
message so someone knows which of the some hundret thousands scripts on the
server is triggering the error to debug whatever application
so again: we do not need a *incompatible* new session handler, we need proper
error-reporting and "in unknown" is always a *major bug* and design flaw
------------------------------------------------------------------------
[2013-08-10 10:45:47] yohg...@php.net
Assigning numeric array index valid operation while it was not valid to have
numeric variable names. That's the reason why old serializer do not allow to
save
such data. Session data is usually saved *after* scripts execution.
My patch should be able to applied to PHP 5.4 cleanly. If you want it to be
fixed
seriously, apply my patch and use php_serialize. Beware that it won't work if
you
mix serializers on shared session data.
------------------------------------------------------------------------
[2013-08-10 10:34:43] spam2 at rhsoft dot net
yeah, introduce new things and let the broken untouched broken is the way of
PHP which leaded to all the troubles over the last 10 years - hence the real
bug is that the info wich script was called is thrown away before the
error_handler is raised and burry this problem with a new session_handler does
not solve it
*there must not* be any place inside PHP where the error-handler says "in
unknown" - it doe snot matter if the script has finished by raise the error,
the fact is that the REQUEST has a URL and the error handler comes after the
script was executed - so PHP has to store whereever the script path or fix the
error_handler that it shut's up if it has nothing helpful to say
------------------------------------------------------------------------
[2013-08-10 10:30:40] yohg...@php.net
> it is not possible to have request-uri
This one is workable option.
------------------------------------------------------------------------
[2013-08-10 10:25:48] yohg...@php.net
> what we need is *NOT* a new session handler beause numeric indexes are
braindead and so what we need is a clean error message
If I fixed the issue in current serialize handler, it will break apps.
Therefore, new one is needed.
The reason you didn't get the error message is it was slightly failed.
I cannot do anything but introduce new serialize handler.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=65359
--
Edit this bug report at https://bugs.php.net/bug.php?id=65359&edit=1
