From: mailinglist dot phpnet at hydras-world dot com
Operating system: *nix
PHP version: 4.3.1
PHP Bug Type: Variables related
Bug description: session index names and same name variables prob even with register_globals off
I wasn't using session_register to register global variables in my code and
all session access was through $_SESSION[] so the "register_globals = off"
setting shouldn't affect my code, but it did!
I wrote all my code with the knowledge that register_globals defaults to
OFF on most web-servers and that having the setting off is also more
secure.
The problem comes about when having variable names the same as index names
in the $_SESSION array and when they're not supposed to be set to the same
thing.
e.g.
$ordernumber = $_SESSION['ordernumber'];
$ordernumber++;
This would have the effect of doing this too:
$_SESSION['ordernumber']++;
Not good!
The solution however was quite simple, and I just used upper case names as
my $_SESSION index names.
So $_SESSION['ordernumber'] now becomes $_SESSION['ORDERNUMBER'].
I've confirmed this to be a bug on the *nix webserver that my ISP uses,
but can't reproduce it with a default install in PHP 4.2.3 and 4.3.1 on my
WinXP IIS5.1 setup.
To help you out, I added a php script to a test site that shows the
problem, along with the output of a phpinfo() call.
Here's the script:
==== SCRIPT START ====
<?php
ob_start();
session_start();
?>
<html>
<body>
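<?php
// Dump the session as it arrives (shows the value left by the previous request).
echo "Session Now: "; var_dump($_SESSION); echo "<br>";
// Store 5 in the session, then copy it into a same-named variable.
$_SESSION['ordernumber'] = 5;
$ordernumber = $_SESSION['ordernumber'];
echo "ordernumber = $ordernumber<br>";
echo "Session Before: "; var_dump($_SESSION); echo "<br>";
// Increment only the copy; $_SESSION['ordernumber'] should stay at 5.
$ordernumber++;
echo "ordernumber = $ordernumber<br>";
echo "Session After: "; var_dump($_SESSION); echo "<br>";
?>
<p>PhpInfo: <?php phpinfo(); ?></p>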
</body>
</html>
==== SCRIPT END ====
When the script is run on the ISP's web server this is the output:
Session Now: array(1) { ["ordernumber"]=> &int(6) }
ordernumber = 5
Session Before: array(1) { ["ordernumber"]=> &int(5) }
ordernumber = 6
Session After: array(1) { ["ordernumber"]=> &int(6) }
Notice the int(6) on the line above - BAD!
When the script is run on my system this is the output:
Session Now: array(1) { ["ordernumber"]=> int(5) }
ordernumber = 5
Session Before: array(1) { ["ordernumber"]=> int(5) }
ordernumber = 6
Session After: array(1) { ["ordernumber"]=> int(5) }
Notice the int(5) on the line above! - CORRECT!
Here's a link to the script, so you can test it for yourselves:
http://www.loudretail.com/sessionproblem.php
--
Edit bug report at http://bugs.php.net/?id=22979&edit=1
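The `&` in `&int(6)` in the ISP server's dump marks a session slot that is a PHP reference shared with another variable, which is how `$ordernumber++` reaches `$_SESSION['ordernumber']`. The following is an added example, not part of the original report, that finds session keys bound to same-named globals and detaches them. The function names and the `$session` stand-in are hypothetical, and the explicit `=&` only simulates the binding, whose cause on the ISP host the report does not establish.

```php
<?php
// Added example; function names are hypothetical, not PHP built-ins.

// Return the keys of $session whose slot is reference-bound to the
// same-named global variable (the "&" that var_dump prints).
function find_aliased_session_keys(array &$session)
{
    $aliased = array();
    foreach (array_keys($session) as $key) {
        if (!is_string($key) || !array_key_exists($key, $GLOBALS)) {
            continue;                      // no same-named global to test
        }
        $savedGlobal   = $GLOBALS[$key];
        $probe         = new stdClass();   // value nothing else can equal
        $GLOBALS[$key] = $probe;           // write through the global only
        if ($session[$key] === $probe) {
            $aliased[] = $key;             // the write reached the session
        }
        $GLOBALS[$key] = $savedGlobal;     // restore (also restores the slot)
    }
    return $aliased;
}

// Break the binding: drop the reference slot, store the value back plainly.
function detach_session_keys(array &$session, array $keys)
{
    foreach ($keys as $key) {
        $value = $session[$key];
        unset($session[$key]);
        $session[$key] = $value;
    }
}

// Constructed stand-in for $_SESSION so the demo runs from the CLI.
$session     = array('ordernumber' => 5, 'cart' => 'A17');
$ordernumber =& $session['ordernumber'];   // assumption: simulates the binding
$cart        = 'unrelated';                // same name, not bound

$hits = find_aliased_session_keys($session);
echo "aliased keys: ", implode(', ', $hits), "\n";

$ordernumber++;                            // still bound: changes the session
detach_session_keys($session, $hits);
$ordernumber++;                            // detached: session is untouched
var_dump($session, $ordernumber);
```

In a web request the same two functions can be called with `$_SESSION` right after `session_start()`, and a non-empty result logged, since it means ordinary variable writes can alter stored session state.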