ID: 22979
Updated by: [EMAIL PROTECTED]
Reported By: mailinglist dot phpnet at hydras-world dot com
-Status: Open
+Status: Bogus
Bug Type: Variables related
Operating System: *nix
PHP Version: 4.3.1
New Comment:
As you can see, register globals is on in your php.ini.
As it's not a bug in PHP itself, marking as bogus.
Previous Comments:
------------------------------------------------------------------------
[2003-03-31 07:22:37] mailinglist dot phpnet at hydras-world dot com
I wasn't using session_register to register global variables in my code
and all session access was through $_SESSION[] so the "register_globals
= off" setting shouldn't affect my code, but it did!
I wrote all my code with the knowledge that register_globals defaults
to OFF on most web-servers and that having the setting off is also more
secure.
The problem comes about when having variable names the same as index
names in the $_SESSION array and when they're not supposed to be set to
the same thing.
e.g.
$ordernumber = $_SESSION['ordernumber'];
$ordernumber++;
This would have the effect of doing this too:
$_SESSION['ordernumber']++;
Not good!
The solution however was quite simple, and I just used upper case names
as my $_SESSION index names.
So $_SESSION['ordernumber'] now becomes $_SESSION['ORDERNUMBER'].
I've confirmed this to be a bug on the *nix webserver that my ISP uses,
but can't reproduce it with a default install in php 4.2.3 and 4.3.1 on
my WinXP IIS5.1 setup.
To help you out, I added a php script to a test site that shows the
problem, along with the output of a phpinfo() call.
Here's the script:
==== SCRIPT START ====
<?php
ob_start();
session_start();
?>
<html>
<body>
<?php
echo "Session Now: "; var_dump($_SESSION); echo "<br>";
$_SESSION['ordernumber'] = 5;
$ordernumber = $_SESSION['ordernumber'];
echo "ordernumber = $ordernumber<br>";
echo "Session Before: "; var_dump($_SESSION); echo "<br>";
$ordernumber++;
echo "ordernumber = $ordernumber<br>";
echo "Session After: "; var_dump($_SESSION); echo "<br>";
?>
<p>PhpInfo: <? phpinfo(); ?></p>
</body>
</html>
==== SCRIPT END ====
When the script is run on the ISP's web server this is the output:
Session Now: array(1) { ["ordernumber"]=> &int(6) }
ordernumber = 5
Session Before: array(1) { ["ordernumber"]=> &int(5) }
ordernumber = 6
Session After: array(1) { ["ordernumber"]=> &int(6) }
Notice the int(6) on the line above - BAD!
When the script is run on my system this is the output:
Session Now: array(1) { ["ordernumber"]=> int(5) }
ordernumber = 5
Session Before: array(1) { ["ordernumber"]=> int(5) }
ordernumber = 6
Session After: array(1) { ["ordernumber"]=> int(5) }
Notice the int(5) on the line above! - CORRECT!
Here's a link to the script, so you can test it for yourselves:
http://www.loudretail.com/sessionproblem.php
------------------------------------------------------------------------
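Added example, not part of the original report or of PHP itself: the aliasing the two outputs above differ on, reproduced with an explicit reference so it runs on current PHP, plus a startup guard. $session is a constructed stand-in for $_SESSION, and register_globals_enabled() and is_alias() are hypothetical helper names.

```php
<?php
// Added illustration, not the reporter's script. $session is a constructed
// stand-in for $_SESSION so the block runs from the CLI on current PHP.

/** True when register_globals is active (the directive was removed in PHP 5.4). */
function register_globals_enabled(): bool
{
    $v = ini_get('register_globals');      // false when the directive does not exist
    return $v !== false
        && in_array(strtolower((string) $v), ['1', 'on', 'yes', 'true'], true);
}

/** True when $a and $b are bound to the same value by reference. */
function is_alias(&$a, &$b): bool
{
    $saved = $a;
    $a = new stdClass();                   // unique marker written through $a
    $same = ($b === $a);                   // visible through $b only if aliased
    $a = $saved;                           // restore the original value
    return $same;
}

// Case 1: the binding register_globals=On sets up before the script body runs.
$session = ['ordernumber' => 5];
$ordernumber = &$session['ordernumber'];   // implicit in PHP 4, explicit here
$ordernumber = $session['ordernumber'];    // the report's assignment: no copy is made
$ordernumber++;                            // also changes the session entry
var_dump(is_alias($ordernumber, $session['ordernumber']));
var_dump($session['ordernumber']);

// Case 2: register_globals=Off, so the assignment makes an independent copy.
unset($ordernumber);                       // drop the reference binding
$session = ['ordernumber' => 5];
$ordernumber = $session['ordernumber'];
$ordernumber++;                            // session entry is left alone
var_dump(is_alias($ordernumber, $session['ordernumber']));
var_dump($session['ordernumber']);

// Startup guard for code that assumes locals and $_SESSION keys are independent.
if (register_globals_enabled()) {
    trigger_error('register_globals is On: globals alias $_SESSION keys', E_USER_WARNING);
}
```

The `&` before `int(6)` in the ISP server's var_dump output is the same reference marker that case 1 creates.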