> On Mon, 21 May 2001, Rasmus Lerdorf wrote:
> > Looks like this code in session.c is the culprit:
> >
> > int php_get_session_var(char *name, size_t namelen, zval ***state_var PLS_DC 
> > {
> >         HashTable *ht = &EG(symbol_table);
> >
> >         if (!PG(register_globals))
> >                 ht = Z_ARRVAL_P(PS(http_session_vars));
> >
> >         return zend_hash_find(ht, name, namelen + 1, (void **)state_var);
> > }
> >
> > http_session_vars is only checked if register_globals is off.
> I am the one who put that code in, actually when $HTTP_SESSION_VARS
> support was added. I don't quite remember why it was done this way, but
> I'm all for consistency. The question is what should it do if
> register_globals is on and user doesn't set $HTTP_SESSION_VARS directly,
> but rather registers a global variable and expects it to be saved. More
> precisely, what takes precedence when register_globals is on, the global
> value or the $HTTP_SESSION_VARS value?

Yes, I figured that was the issue.  If $HTTP_SESSION_VARS is set then I
think it should take precedence.  I think the current approach where
scripts written with register_globals set to Off do not work on servers
that have register_globals On is bad.  Makes it pretty much impossible to
write portable session code.


PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to