  1. #1

    The weirdest PHP problem. Try and explain this :/

    I've worked with PHP for a very long time, and yet this simple issue just shatters my world. It makes no sense to me whatsoever :/

    Code:
    <?php
    session_start();
    $_SESSION["user"] = "lalala";
    
    echo $_SESSION["user"];
    $user = 'new';
    echo "<br>".$_SESSION["user"];
    ?>
    Output:
    lalala
    new
    I discovered this behavior of a normal variable affecting a SESSION variable of the same name as the source of a much larger problem, but simplified it down to those 5 lines.

    How the hell is $user affecting the SESSION array? It makes absolutely no sense to me :/
    Last edited by maximus06; 03-11-2009 at 05:15 PM.

  • #2
    CFMaBiSmAd
    register_globals are on. Turn them off. They should not be on anyway because they were deprecated and turned off by default in PHP 4.2 in the year 2002 (about 7 years ago).

    What you are seeing is also the security hole that register_globals opened. A hacker can send your script post/get/cookie variables with the same name as your session variables and set your session variables to any value he wants.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
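
The aliasing described in this answer, as an added example that is not part of the original thread: plain arrays stand in for `$_SESSION`, the request data and the global scope so it runs on a current PHP CLI, where `register_globals` no longer exists (it was removed in PHP 5.4). The helper names `bind_session_to_globals`, `colliding_names` and `register_globals_enabled` and all sample values are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Runs on the PHP CLI (PHP 7.1+).

// Hypothetical helper: alias every session key to a same-named "global" by
// reference, which is the effect register_globals had once a session started.
function bind_session_to_globals(array &$session, array &$globals): void
{
    foreach (array_keys($session) as $key) {
        $globals[$key] = &$session[$key];
    }
}

// Request parameter names that share a name with a session key.
function colliding_names(array $request, array $session): array
{
    return array_values(array_intersect(array_keys($request), array_keys($session)));
}

// True only when the directive exists and is switched on. ini_get() returns
// false for an unknown directive, which is the case from PHP 5.4 onwards.
function register_globals_enabled(): bool
{
    $value = ini_get('register_globals');
    return $value !== false
        && in_array(strtolower((string) $value), ['1', 'on', 'true', 'yes'], true);
}

// Constructed sample data.
$session = ['user' => 'lalala'];
$globals = [];
$request = ['user' => 'someone-else', 'page' => '2'];

bind_session_to_globals($session, $globals);
echo $session['user'], "\n";
$globals['user'] = 'new';        // the thread's  $user = 'new';
echo $session['user'], "\n";     // the write went through the alias into $session

echo 'colliding names: ', implode(', ', colliding_names($request, $session)), "\n";

// Startup guard for code that may still be deployed on PHP older than 5.4.
if (register_globals_enabled()) {
    fwrite(STDERR, "register_globals is on; refusing to run\n");
    exit(1);
}
echo "register_globals is off or not supported\n";
```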


  • #3
    Originally posted by CFMaBiSmAd:
    register_globals are on. Turn them off. They should not be on anyway because they were deprecated and turned off by default in PHP 4.2 in the year 2002 (about 7 years ago).

    What you are seeing is also the security hole that register_globals opened. A hacker can send your script post/get/cookie variables with the same name as your session variables and set your session variables to any value he wants.
    Thank you very much. I was using a locally installed version of PHP, and I don't know why they were on; in all my years of working with PHP they've never been on.

