"register_globals off" and "session side-effect" - PHP



  1. Re: "register_globals off" and "session side-effect"

    Kurda Yon wrote:
    >> ..
    >> if( isset($admin) ) {
    >> ..}
    >>
    >> ..
    >>
    >> Now: http://mysite.net/myscript.php?admin=1
    >> Here we go.
    >
    > But even if register_globals is off the following can happen:
    > if( isset($_GET['admin']) ) {
    > ..}
    > Now: http://mysite.net/myscript.php?admin=1
    >
    > Or is the idea that the developer (programmer) will remember that $_GET
    > is something that is coming from the outside and will never relate the
    > access to the elements of $_GET?
    >

    That is true. But $_GET['admin'] is set - not $admin. And the only way
    the $_GET array gets populated is by the query string in the uri (unless
    you set it yourself - which is a bad idea).

    And you know that $_GET['admin'] is coming from the query string. With
    register_globals on, $admin could have been set by the session, a
    cookie, or get or post parameters. And you have no idea where it came from.

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    jstucklex@attglobal.net
    ==================
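
The distinction drawn in the reply above, as an added example that is not part of the thread: a simplified PHP model of how register_globals flattened session, GET, POST and cookie values into one scope, next to a check that reads only $_SESSION. The function names, the merge order and the request values are constructed for illustration.

```php
<?php
// Simplified model of register_globals=On: every request source is flattened
// into one scope, later sources overwriting earlier ones. The merge order used
// here is an assumption for illustration; the real one depended on configuration.
function flatten_like_register_globals(array $sources): array
{
    $scope  = [];
    $origin = [];
    foreach ($sources as $name => $values) {
        foreach ($values as $key => $value) {
            $scope[$key]  = $value;
            $origin[$key] = $name;   // tracked only for this demo; PHP never recorded it
        }
    }
    return [$scope, $origin];
}

// Access decision that names its source: only server-side session state counts.
function is_admin(array $session): bool
{
    return isset($session['admin']) && $session['admin'] === true;
}

// Constructed request: an ordinary logged-in user requesting myscript.php?admin=1.
$session = ['user' => 'alice'];   // server-side state, no admin flag
$get     = ['admin' => '1'];      // from the query string
$post    = [];
$cookie  = [];

[$scope, $origin] = flatten_like_register_globals(
    ['session' => $session, 'get' => $get, 'post' => $post, 'cookie' => $cookie]
);

// The check quoted in the thread, if( isset($admin) ), against the flattened scope:
$legacy = isset($scope['admin']);
printf("flattened scope: admin set = %s (came from %s)\n",
    var_export($legacy, true), $origin['admin'] ?? 'nowhere');

// The same request against the explicit check:
printf("explicit \$_SESSION check: admin = %s\n",
    var_export(is_admin($session), true));
```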


  2. Re: "register_globals off" and "session side-effect"

    We had just come across this problem with a particular website we are developing and believe that we know of the main cause as we have never received this error before and try to test most limits on development.

    The Problem Code:

    <?php
      $orderItem = $_SESSION["orderItem"];
      $orderPrice = $_SESSION["orderPrice"];
    ?>

    The Fixed Code:

    <?php
      $SorderItem = $_SESSION["orderItem"];
      $SorderPrice = $_SESSION["orderPrice"];
    ?>

    Basically we have until now used the exact same name for a session variable in this way, but it seems this was the cause of the error for us.

    Hope this helps a few people around?
    D&I Office Technology - Anything Is Possible

  3. best solution for such a prb

    Basically you have a variable with the same name as your session variable. Example:

    $_SESSION['var1'] = null;
    $var1 = 'something';

    This will reproduce the error. You can stop PHP from trying to find existing variables and warning you about them by adding these lines to your script:

    ini_set('session.bug_compat_warn', 0);
    ini_set('session.bug_compat_42', 0);

    These values can be set in php.ini or .htaccess as well.
