ID: 9020
Updated by: sas
Reported By: [EMAIL PROTECTED]
Old-Status: Open
Status: Closed
Bug Type: *Session related
Assigned To:
Comments:

The negative effects of the easy accessibility of form variables are well-known; if you want to avoid them, please disable register_globals and use $HTTP_SESSION_VARS exclusively.

Previous Comments:
---------------------------------------------------------------------------

[2001-01-31 00:51:35] [EMAIL PROTECTED]

Ref: I think this is what the person was getting at in bug 8184.

---------------------------------------------------------------------------

[2001-01-31 00:35:58] [EMAIL PROTECTED]

One of the last comments on http://www.php.net/manual/en/ref.session.php by [EMAIL PROTECTED] is dead-on: if session.auto_start is 0/off, and session globals are on, a session variable can be set from the URL if it's done before the first hit on the server.

This is easier to see if you turn off cookies in your browser (otherwise you need to delete cookies after every session).

Make a page like:

<?php
// Binds $count to the session. On the first hit there is no "count" in the
// session yet, so the global $count (already filled from ?count=... by
// register_globals) is what gets registered.
session_register("count");
$count += 10;
?><html><body>
<a href="thispage.php">This page</a>
Count = <?php echo $count; ?>
</body>
</html>

Count should be 10 on the first hit and +10 each time you click on the link (assuming trans-sid for that link to work right without cookies, but trans-sid isn't involved in this bug) to "This page": but if you fake a URL, "thispage.php?count=234", then on the first run $count will display as 244 (since the script will add 10 to it...).

This can be avoided by unsetting (or setting, for that matter) the registered variable(s) before session_register() (and maybe before session_start(), haven't checked), but that should NOT be necessary: PHP should unset the variable by itself on first run.

---------------------------------------------------------------------------

ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=9020&edit=2

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
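Added example, not part of the bug report or of PHP's own sources: the page from the report placed beside the form the closing comment recommends (register_globals off, session state read only from $HTTP_SESSION_VARS). It assumes the PHP 4 session API of the report ($HTTP_SESSION_VARS, $HTTP_GET_VARS, session_register; on PHP 4.1 and later $_SESSION/$_GET are the equivalents), and that register_globals is configured in php.ini or a per-directory php_flag, since the request variables are imported into the global scope before any script code runs and cannot be un-imported from inside the page. The file name thispage.php is taken from the report.

```php
<?php
// Added example (not from the bug report or from PHP itself).
// Assumes the PHP 4 session API used in the report.

// --- Vulnerable page from the report (needs register_globals = On) --------
//
//   session_register("count");   // first hit: no "count" in the session, so
//   $count += 10;                // the global $count that register_globals
//                                // filled from ?count=234 is what gets bound
//
// Requesting thispage.php?count=234 with no session cookie prints 244.

// --- Hardened page -------------------------------------------------------
// register_globals cannot be switched off from inside the script: the
// query-string variables are already global by the time this line runs.
// It has to be set in php.ini or per directory, e.g.
//
//   php_flag register_globals off      (.htaccess / httpd.conf)
//
// The check below only refuses to serve the page if that is missing.
// Off values come back from ini_get() as "", "0" or "off" depending on how
// the directive was written (assumption: nothing else maps to Off here).
$rg = strtolower(trim(ini_get('register_globals')));
if ($rg != '' && $rg != '0' && $rg != 'off') {
    die('register_globals must be off for this page');
}

session_start();

// State comes from the session store only. On the first hit the key is
// absent whatever the query string says, so the counter always starts at 0.
// No session_register() here: the PHP 4 manual says not to mix it with
// $HTTP_SESSION_VARS when register_globals is off.
if (!isset($HTTP_SESSION_VARS['count'])) {
    $HTTP_SESSION_VARS['count'] = 0;
}
$HTTP_SESSION_VARS['count'] += 10;

// Whatever the client sent is read from the request array and shown only to
// make the point; it is never used as state.
$from_url = isset($HTTP_GET_VARS['count']) ? (int)$HTTP_GET_VARS['count'] : 'none';
?>
<html><body>
<a href="thispage.php">This page</a>
Count = <?php echo $HTTP_SESSION_VARS['count']; ?>
(count in URL: <?php echo $from_url; ?>, ignored)
</body>
</html>
```

With cookies disabled and the page requested as thispage.php?count=234, the hardened version prints Count = 10 on the first hit and 20, 30, ... on each follow-up through the trans-sid link, while the "count in URL" line shows 234 only on that first request. The difference from the reported page is purely which array the state is read from: $HTTP_SESSION_VARS is populated from the session store alone, so there is no first-hit window in which a client-supplied global can be promoted into the session.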