Re: [PHP] PHP 5 Strings are References?!
On Wed, March 30, 2005 6:48 am, Jochem Maas said:

I don't really think that's relevant, however, as PHP is storing $name back *IN* to my $_SESSION data, just because I did:

    $name = $_SESSION['name'];
    $name = "Fooey";

$name is a STRING. It's not an object. It should *NOT* be a Reference!

But it is a Reference, so changing $name alters $_SESSION['name']

Perhaps I'm being overly paranoid...

Consider the following, however.

Fact: One should not trust $_GET data, and should scrub it.
Fact: I'm on a shared server.
Fact: By definition, if *my* PHP script can read my session data, so can *another* user's script on that server.

Thus, I had intended to 'scrub' session data with things like:

    <?php
      session_start();
      $name = $_SESSION['name'];
      $name = preg_replace('/[^A-Za-z \',\\.-]/', '', $name);
      if ($name != $_SESSION['name']){
        // assume they are Bad People.
      }
    ?>

Needless to say, this isn't gonna do crap with this bug in PHP 5.0.3 making strings into references.

For the short term, I'm trusting session data (but not GET/POST, duh).

I suspect I could do:

    $name = '' . $_SESSION['name'];

or somesuch to force the string to not be a reference.

But PHP doesn't *HAVE* strings as references.

I filed a bug report, but sniper's response was pretty much the same auto-response register_globals OTOH, he said it was fixed in CVS, so I guess it was only in 5.0.3???

Am I over-reacting? I don't think so. It's a nasty little bug that will completely bypass security measures to scrub SESSION data, as described above.

I haven't really probed into this, to see how far / long the reference nature of the string extends. Perhaps the preg_replace would create a copy of the string... Or not. Or maybe it would depend on if anything got replaced or not. Or...

Sorry to reply so late, but I've been a tad busy lately, and just caught up on PHP-General tonight. [looks at watch] Errr, make that this morning, I guess. :-v

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
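The scrub-and-compare check from the message above, as an added example that is not part of the original post. It assumes a current PHP (7 or later), where plain assignment copies strings, so `$store` is a plain array standing in for `$_SESSION` and an explicit `=&` reproduces the aliasing the post describes; the function names and the sample value are hypothetical.

```php
<?php
// Added example, not code from the thread.
// The post's pattern: it matches every character that is NOT allowed in a name.
const NAME_DISALLOWED = '/[^A-Za-z \',\\.-]/';

// The post's check when $name is an independent copy of the stored value.
function tamperedByCopy(array $store): bool
{
    $name = $store['name'];                              // value copy
    $name = preg_replace(NAME_DISALLOWED, '', $name);    // scrub the copy only
    return $name !== $store['name'];                     // differs if anything was stripped
}

// The same check when $name aliases the stored value, as reported for 5.0.3.
function tamperedByAlias(array &$store): bool
{
    $name =& $store['name'];                             // alias, not a copy
    $name = preg_replace(NAME_DISALLOWED, '', $name);    // also rewrites $store['name']
    return $name !== $store['name'];                     // value compared with itself
}

// A check that does not depend on copy semantics: inspect the stored value
// in place and never assign it to a second variable.
function tamperedDirect(array $store): bool
{
    return !is_string($store['name'])
        || preg_match(NAME_DISALLOWED, $store['name']) === 1;
}

// Constructed sample: a stored name carrying characters outside the allow-list.
$store = ['name' => 'Richard<script>Lynch'];

var_dump(tamperedDirect($store));   // detects the disallowed characters
var_dump(tamperedByCopy($store));   // detects them too, because $name is a copy
var_dump(tamperedByAlias($store));  // cannot detect them: both sides are one value
var_dump($store['name']);           // the stored value was silently rewritten
```

Under aliasing the comparison can never fire, and the stored value is overwritten with the scrubbed one as a side effect, which is why the in-place `preg_match` form is the one that stays correct either way.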
Re: [PHP] PHP 5 Strings are References?!
Chris wrote:
Richard Lynch wrote:
On Tue, March 29, 2005 7:58 pm, Chris said:
Richard Lynch wrote:

...

Are you sure you don't have register_globals enabled?

I tested Richard's reproduce script on php 5.0.3 on a Debian machine with the following ini settings:

    register_globals = Off
    register_long_arrays = Off
    register_argc_argv = Off
    magic_quotes_gpc = Off
    magic_quotes_runtime = Off

(i.e. all relevant ini settings are php5 defaults) and I get the same freakin' references from/in the SESSION array.

Actually, they *ARE* enabled by my webhost.

I don't really think that's relevant, however, as PHP is storing $name back *IN* to my $_SESSION data, just because I did:

    $name = $_SESSION['name'];
    $name = "Fooey";

$name is a STRING. It's not an object. It should *NOT* be a Reference!

But it is a Reference, so changing $name alters $_SESSION['name']

Sorry, meant to reply to list, not just you.

All I'm saying is that Sessions act extremely oddly with register_globals enabled. With register_globals on I believe the global variable acts as a reference. It's not because it's a string, it's because it's a session variable, and it needs to keep track of changes to the variable.

I agree with Chris that register_globals can only cause more pain and misery :-/ but in this case the problem exists regardless of register_globals setting.

here is a func I sometimes use when going to war with a register_globals=On server :-) nothing special and I blagged the idea from somewhere/someone (probably in the user comments somewhere in the php manual :-/)

    function unRegisterGlobals()
    {
        if (ini_get('register_globals')) {
            $SGs = array($_SERVER, $_ENV, $_FILES, $_COOKIE, $_POST, $_GET);
            if (isset($_SESSION)) { array_unshift($SGs, $_SESSION); }

            // SG == super global
            foreach ($SGs as $sg) {
                foreach ($sg as $k => $v) { unset($GLOBALS[ $k ]); }
            }

            ini_set('register_globals', false);
        }
    }
[PHP] PHP 5 Strings are References?!
Aha!

Okay, here's the previous session question boiled down to its simplest:

    <?php
      session_start();
      if (!isset($_SESSION['name'])){
        $_SESSION['name'] = 'Richard Lynch';
      }
      else{
        $name = $_SESSION['name'];
      }

      /* Assume a ton of code goes here */

      $name = 'Fooey';

      echo "Session name is: ", $_SESSION['name'], "<br />\n";
    ?>

Now, hit this page, re-load it, and what do *YOU* expect $_SESSION['name'] to output?

A) 'Richard Lynch', because you never re-assigned $_SESSION['name']
B) 'Fooey' because $name is a reference, and you changed it, so that changed your session data.

*I* expected A)

Alas, the reality is B) <G>.

I do *NOT* want all my strings to suddenly turn into pointers. If I wanted that kind of headache, I'd be coding in C! :-)

I should have known this from the get-go, when I saw in my session data with var_dump($_SESSION);

*WHY* are strings suddenly turning into references? They're *NOT* objects!

I'm about to go re-read the PHP 5 sections of the manual with a fine-tooth comb to see if I just missed this as an upgrade issue. It's pretty much going to break a hell of a lot of scripts, that's for sure.

Somebody please tell me this is a Bug, not a Feature

PHP 5.0.3
FreeBSD 5.3-RELEASE

--
Like Music? http://l-i-e.com/artists.htm
Re: [PHP] PHP 5 Strings are References?!
Richard Lynch wrote:
On Tue, March 29, 2005 7:58 pm, Chris said:
Richard Lynch wrote:

Aha!

Okay, here's the previous session question boiled down to its simplest:

    <?php
      session_start();
      if (!isset($_SESSION['name'])){
        $_SESSION['name'] = 'Richard Lynch';
      }
      else{
        $name = $_SESSION['name'];
      }

      /* Assume a ton of code goes here */

      $name = 'Fooey';

      echo "Session name is: ", $_SESSION['name'], "<br />\n";
    ?>

Now, hit this page, re-load it, and what do *YOU* expect $_SESSION['name'] to output?

A) 'Richard Lynch', because you never re-assigned $_SESSION['name']
B) 'Fooey' because $name is a reference, and you changed it, so that changed your session data.

*I* expected A)

Alas, the reality is B) <G>.

I do *NOT* want all my strings to suddenly turn into pointers. If I wanted that kind of headache, I'd be coding in C! :-)

I should have known this from the get-go, when I saw in my session data with var_dump($_SESSION);

*WHY* are strings suddenly turning into references? They're *NOT* objects!

I'm about to go re-read the PHP 5 sections of the manual with a fine-tooth comb to see if I just missed this as an upgrade issue. It's pretty much going to break a hell of a lot of scripts, that's for sure.

Somebody please tell me this is a Bug, not a Feature

PHP 5.0.3
FreeBSD 5.3-RELEASE

Are you sure you don't have register_globals enabled?

Actually, they *ARE* enabled by my webhost.

I don't really think that's relevant, however, as PHP is storing $name back *IN* to my $_SESSION data, just because I did:

    $name = $_SESSION['name'];
    $name = "Fooey";

$name is a STRING. It's not an object. It should *NOT* be a Reference!

But it is a Reference, so changing $name alters $_SESSION['name']

Sorry, meant to reply to list, not just you.

All I'm saying is that Sessions act extremely oddly with register_globals enabled. With register_globals on I believe the global variable acts as a reference.

It's not because it's a string, it's because it's a session variable, and it needs to keep track of changes to the variable.