ID: 9020
User Update by: [EMAIL PROTECTED]
Status: Open
Bug Type: *Session related
Description: Registered variables can be set in URL on first run

Ref: think this is what the person was getting at in bug 8184.

Previous Comments:

[2001-01-31 00:35:58] [EMAIL PROTECTED]
One of the last comments on by 
[EMAIL PROTECTED] is dead-on: if sessions.auto_start is 0/off, and session globals 
are on, a session variable can be set from the URL if it's done before the first-hit 
on the server. This is easier to see if you turn off cookies in your browser 
(otherwise you need to delete cookies after every session) Make a page like:

$count += 10;
<a href="thispage.php">This page</a> Count = <?php echo $count; ?>

Count should be 10 on first hit and +10 each time you click on the link (assuming 
trans-sid for that link to work right w/out cookies, but trans-sid isn't involved in 
this bug) to "This page": but if you fake a URL, "thispage.php?count=234" then on the 
first run, $count will display as 244 (since the script will add 10 to it...)
This can be avoided by unsetting (or setting for that matter) the registered 
variable(s) before session_register() (and maybe before session_start, haven't 
checked), but that should NOT be necessary: PHP should unset the variable by itself on 
first run.


Full Bug description available at:

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to