Edit report at https://bugs.php.net/bug.php?id=65359&edit=1
ID: 65359
Updated by: johan...@php.net
Reported by: spam2 at rhsoft dot net
Summary: Unknown: Skipping numeric key 1 in Unknown on line 0
Status: Assigned
Type: Bug
Package: Session related
PHP Version: 5.4.17
Assigned To: yohgaki
Block user comment: N
Private report: N
New Comment:
We don't have a reliable REQUEST_URI or such available. We only have the
version in $_SERVER which might be changed by the user.
In shutdown we also have no idea of what might have been the "main" script - a
SAPI can execute multiple files in a row (as auto_[ap|pre]pend_file do),
apache_filter is an example.
A way to improve the error might be saving the place where a session is
started, while that costs a tiny bit of memory and CPU.
Previous Comments:
------------------------------------------------------------------------
[2013-08-10 21:02:33] spam2 at rhsoft dot net
> This is not feasible option. If PHP should detect invalid
> session data assignment, PHP should monitor every writes to
> variable
WTF - nobody needs to monitor anything to know the script
which is called - the design flaw is that this information
well known as long the script is running is *thrown away*
before the last possible event triggering an error and over
years nobody spent a second to fix this
> Anyway, I may be able to add REQUEST_URI to the error.
> Do you want it?
that is what i request all the time
> It can be retrieved via custom error handler, though.
not a option in case of *600* vhosts
> Another feasible option for you is that define user
> error handler that ignores this error
another option would be fix PHP's internal error handler
that it shuts up in case it has nothing useful to say
------------------------------------------------------------------------
[2013-08-10 20:50:36] yohg...@php.net
> so again: we do not need a *incompatible* new session handler, we need proper
error-reporting and "in unknown" is always a *major bug* and design flaw
This is not feasible option. If PHP should detect invalid session data
assignment, PHP should monitor every writes to variable, not only $_SESSION
array, during execution only for "register_globals" limited serialize handler.
There is no such API in PHP. If we made it, it slows down PHP and nobody is
willing to do. (Technically, Zend engine provides handler for assignment. By
using the API, anyone can make a module that detects invalid writes to
$_SESSION)
It seems current documentation does not state that users are not able to save
numeric index session vars (and other special chars). However, older documents
explicitly states numeric session vars are prohibited/unsupported. It's our
document bug, but this is the way it supposed to work.
Therefore, correct way of fixing this "*major bug* and design flaw" is
introducing new serialize handler that is *not* bonded to register_globals.
Anyway, I may be able to add REQUEST_URI to the error. Do you want it? It can
be
retrieved via custom error handler, though.
Another feasible option for you is that define user error handler that ignores
this error. Since we are not going to add new serialize handler to released
branch, it would be most feasible option for you. Or write your own module that
monitor assignments and raise error for invalid.
------------------------------------------------------------------------
[2013-08-10 10:53:36] spam2 at rhsoft dot net
yes it is *saved* after script execution
but that is no excuse not store the script path and throw it out in the error
message so someone knows which of the some hundret thousands scripts on the
server is triggering the error to debug whatever application
so again: we do not need a *incompatible* new session handler, we need proper
error-reporting and "in unknown" is always a *major bug* and design flaw
------------------------------------------------------------------------
[2013-08-10 10:45:47] yohg...@php.net
Assigning numeric array index valid operation while it was not valid to have
numeric variable names. That's the reason why old serializer do not allow to
save
such data. Session data is usually saved *after* scripts execution.
My patch should be able to applied to PHP 5.4 cleanly. If you want it to be
fixed
seriously, apply my patch and use php_serialize. Beware that it won't work if
you
mix serializers on shared session data.
------------------------------------------------------------------------
[2013-08-10 10:34:43] spam2 at rhsoft dot net
yeah, introduce new things and let the broken untouched broken is the way of
PHP which leaded to all the troubles over the last 10 years - hence the real
bug is that the info wich script was called is thrown away before the
error_handler is raised and burry this problem with a new session_handler does
not solve it
*there must not* be any place inside PHP where the error-handler says "in
unknown" - it doe snot matter if the script has finished by raise the error,
the fact is that the REQUEST has a URL and the error handler comes after the
script was executed - so PHP has to store whereever the script path or fix the
error_handler that it shut's up if it has nothing helpful to say
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=65359
--
Edit this bug report at https://bugs.php.net/bug.php?id=65359&edit=1
