From: [EMAIL PROTECTED]
Operating system: Linux/All?
PHP version: 4.0.4pl1
PHP Bug Type: *Session related
Bug description: Registered variables can be set in URL on first run

One of the last comments on http://www.php.net/manual/en/ref.session.php by [EMAIL PROTECTED] is dead-on: if sessions.auto_start is 0/off, and session globals are on, a session variable can be set from the URL if it's done before the first hit on the server.

This is easier to see if you turn off cookies in your browser (otherwise you need to delete cookies after every session).

Make a page like:

    <?php
    session_register("count");
    $count += 10;
    ?><html><body>
    <a href="thispage.php">This page</a>
    Count = <?php echo $count; ?>
    </body>
    </html>

Count should be 10 on first hit and +10 each time you click on the link (assuming trans-sid for that link to work right w/out cookies, but trans-sid isn't involved in this bug) to "This page": but if you fake a URL, "thispage.php?count=234", then on the first run, $count will display as 244 (since the script will add 10 to it...)

This can be avoided by unsetting (or setting for that matter) the registered variable(s) before session_register() (and maybe before session_start, haven't checked), but that should NOT be necessary: PHP should unset the variable by itself on first run.

--
Edit Bug report at: http://bugs.php.net/?id=9020&edit=1

--
PHP Development Mailing List <http://www.php.net/>
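The first-hit behaviour described in the report above, modelled as an added example (not part of the original message and not PHP's own code). Because register_globals and session_register() no longer exist in current PHP, both are simulated; the function names, the $store array and the request values are assumptions made for the illustration.

```php
<?php
// Model of the report's first-hit behaviour for a current PHP CLI.
// register_globals and session_register() are simulated; every function
// name and the $store array (saved session data) are hypothetical.

// register_globals: each query-string parameter becomes a global variable.
function import_request_globals(array $get, array &$globals): void {
    foreach ($get as $name => $value) {
        $globals[$name] = $value;
    }
}

// As reported: saved session data replaces the global, but on a first hit
// nothing is saved yet, so a URL-supplied value stays in place.
function register_as_reported(string $name, array $store, array &$globals): void {
    if (array_key_exists($name, $store)) {
        $globals[$name] = $store[$name];
    }
}

// What the report asks for: with no saved value the variable starts unset.
function register_hardened(string $name, array $store, array &$globals): void {
    unset($globals[$name]);
    register_as_reported($name, $store, $globals);
}

// One request to the report's page; returns the session data saved at the end.
function hit(array $get, array $store, callable $register): array {
    $globals = [];
    import_request_globals($get, $globals);
    $register('count', $store, $globals);
    $globals['count'] = ($globals['count'] ?? 0) + 10; // the page's "$count += 10"
    $store['count'] = $globals['count'];
    return $store;
}

// Constructed requests: a clean first hit, then the forged URL from the report.
$forged = ['count' => '234'];
foreach (['register_as_reported', 'register_hardened'] as $register) {
    $clean  = hit([], [], $register);
    $first  = hit($forged, [], $register);
    $second = hit($forged, $first, $register);
    printf("%-22s clean=%d forged-first=%d forged-second=%d\n",
        $register, $clean['count'], $first['count'], $second['count']);
}
```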