 ID:               42774
 User updated by:  johns582 at mail dot msu dot edu
 Reported By:      johns582 at mail dot msu dot edu
-Status:           Feedback
+Status:           Open
 Bug Type:         Session related
 Operating System: Debian 4.1.1; FreeBSD 4.8
 PHP Version:      5.2.4
 New Comment:

No, register globals is off.

Added note: this code worked in versions of PHP <= 5.0.5


Previous Comments:
------------------------------------------------------------------------

[2007-09-27 09:46:05] [EMAIL PROTECTED]

Is register_globals=On ?

------------------------------------------------------------------------

[2007-09-27 04:10:26] johns582 at mail dot msu dot edu

Description:
------------
We use a function (see below) to populate variables based on whether there is a key present in the $_GET, $_POST, or $_SESSION arrays. After this function is called and the result assigned to a variable, we save the variable in a session with:

    $_SESSION['var'] = $var;

The result of this statement is that the variable $var is successfully stored in $_SESSION but is not saved to the session file, which is what we expect. We can correct the problem by taking the logic in the function below out of the function and placing it into the body of the main script.

We've also noticed that even when the function is called by the main script, but not used to assign a value to a variable we intend to store in a session, this is enough to "break" the session in the manner described above (e.g.,

    //DOESN'T WORK TO MAKE $f_name and $l_name appear in the session file
    //even though we aren't actually storing the value of $f_name_p or
    //$l_name_p in the session. But works if lines 3 and 4 are removed.
    $f_name = $_POST['f_name'];
    $l_name = $_POST['l_name'];
    $f_name_p = populate_rev ("f_name", $_GET, $_POST, $_SESSION);
    $l_name_p = populate_rev ("l_name", $_GET, $_POST, $_SESSION);
    $_SESSION['f_name'] = $f_name;
    $_SESSION['l_name'] = $l_name;

One last point: This problem occurs with both the default "files" session handler and a custom db-backed handler. Using the db-backed handler, we can confirm that the overloaded "write" function received a session key, but no data.

Reproduce code:
---------------
    function populate_rev ($array_index, $_GET, $_POST, $_SESSION) {
        if (isset($_GET["$array_index"])) {
            $var = $_GET["$array_index"];
        } elseif (isset($_POST["$array_index"])) {
            $var = $_POST["$array_index"];
        } elseif (isset($_SESSION["$array_index"])) {
            $var = $_SESSION["$array_index"];
        } else {
            $var = '';
        }
        return $var;
    }

Expected result:
----------------
Expected to see the string

    f_name|s:7:"Heather";l_name|s:7:"Johnson";

present in the session file or in the database (depending on which handler was currently being used), for example, following assignment of $f_name and $l_name to the corresponding key in $_SESSION and termination of the script.

Actual result:
--------------
Even though the $_SESSION array contains the expected key/value pairs, the session file or database row (in the case of our custom handler) doesn't contain them. No data is passed to the session write function in the case of the custom handler. Moving the function's logic into the main body of the script, or abandoning the function in favor of straight assignment from the $_POST vars array is the only way to produce the expected result. (e.g.,

    $f_name = $_POST['f_name'];
    $l_name = $_POST['l_name'];

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=42774&edit=1