开发者

PHP Session Variable shortcuts?

开发者 https://www.devze.com 2022-12-09 17:53 出处:网络
So I\'m doing some maintenance on a PHP site that is using $_SESSION va开发者_开发知识库riables. I started seeing some very very weird behavior and after hours of debugging I just figured this out. As

So I'm doing some maintenance on a PHP site that is using $_SESSION va开发者_开发知识库riables. I started seeing some very very weird behavior and after hours of debugging I just figured this out. As an example, lets say I have a session variable setup like this:

$_SESSION['user']['id'] = 123;
$_SESSION['user']['firstname'] = 'John';
$_SESSION['user']['lastname'] = 'Doe';

At one point in a script, a call to a MySQL table is made using some Zend classes:

$sql = "SELECT whatever FROM table";
$user = $db->fetchRow($sql);

Now here is where the weirdness starts... After this database call is made, my $_SESSION['user'] array value is all of the sudden changed to be the object that is retrieved from the database call...

Basically: $_SESSION['user'] is now the same as the object that was retrieved using the fetchRow DB method that was supposed to be stored in the variable $user. I've never seen this before.

The only thing I can figure out is because the variable name $user is the same as the $_SESSION['user'] array key name, its acting as like a shortcut or something.

Is this some sort of weird PHP Session shortcuts that I've never heard of before?

On a side note, I know that accessing $_SESSION vars directly is not the best practice. I didn't build this website. My job is just to fix some stuff and add some features.

UPDATE: Sure enough, register_globals is on. Thanks for the quick help guys. No wonder I was seeing such weird behavior.


Sounds like you have register_globals set to On in PHP.ini. Turning it off should fix this.

If you don't have access to change PHP.ini an alternative solution is discussed here


Check if register globals is turned on. Accessing $_SESSION is the only way to access session data safely.

Register globals is an old feature that turned global variables into local variables. The issue with that was you could not safely know where the data was coming from. Something you expected from a session could be set with a get, post or a cookie variable. So it was very easy to bypass security.

0

精彩评论

暂无评论...
验证码 换一张
取 消