From: [EMAIL PROTECTED]
Operating system: Linux 2.4.x
PHP version: 4.2.3
PHP Bug Type: Session related
Bug description: $_SESSION can be broken with "global"
First, please ignore my comment on bug #17959, I have further investigated
this
issue to narrow down exactly what is causing it and have written a test
script
so that you can verify this on your end as well. This bug (should you
accept to
proclaim it a vaild bug) relates to the autoglobal $_SESSION. More
specifically, $_SESSION can be broken so that the values set in it are not
actually saved. First, lets see how it can be broken:
<?php
session_start();
echo 'Before session modifications (what got saved to disk):<br><pre>';
var_dump($_SESSION);
$_SESSION['foobar'] = 1;
global $_SESSION;
$_SESSION['foobar'] = 2;
echo '</pre>After session modifications:<br><pre>';
var_dump($_SESSION);
?>
When you run this, and then hit reload (since you must run it at least
twice to
see what actually got saved by session), the browser will output this:
Before session modifications (what got saved to disk):
array(1) {
["foobar"]=>
int(1)
}
After session modifications:
array(1) {
["foobar"]=>
int(2)
}
So, you can see that the line "global $_SESSION;" essentially breaks
session -
the "2" never gets saved to disk. If we comment out "global $_SESSION;",
it
works and the browser outputs this (after you hit reload twice):
Before session modifications:
array(1) {
["foobar"]=>
int(2)
}
After session modifications:
array(1) {
["foobar"]=>
int(2)
}
So now you are asking that is interesting, but why would you ever want to
"global" an autoglobal. Good question! There would be no purpose in
doing this
since $_SESSION is always in scope. Well, this bug presented itself to me
in
an application where there was a reference to a portion of $_SESSION.
Since
the application is over 5000 lines of code, we will view a highly
condensed
test version of this:
<?php
session_start();
echo 'Before session modifications:<br><pre>';
var_dump($_SESSION);
$_SESSION['foobar'] = 1;
$foobar = $_SESSION['foobar'];
global $foobar;
$foobar = 3;
echo '</pre>After session modifications:<br><pre>';
var_dump($_SESSION);
?>
Outputs:
Before session modifications:
array(1) {
["foobar"]=>
int(1)
}
After session modifications:
array(1) {
["foobar"]=>
&int(1)
}
And if we comment out "global $foobar;" we get:
Before session modifications:
array(1) {
["foobar"]=>
int(1)
}
After session modifications:
array(1) {
["foobar"]=>
&int(3)
}
This is the behavior we would expect with a reference given the output we
saw in
the earlier example. But why would we run "global $foobar;" if it is
already
in scope? In my application, other developers use the code for purposes
of
building other applications. Since I don't know what scope they are
including
my code in, I have to assume it is NOT in global scope and therefore run
"global" on some variables that I will need. In this sort of situation it
makes
sense to call "global" just to make sure that you have what you need.
The
problem is that if they did include it in global scope that it busts
session!!!
Anyways, I look forward to your response. I have already implemented a
workaround to this problem but think it is important that the PHP QA/BUG
teams
are aware of this issue.
Thank You for you time - everyone appreciates the work that you do for
PHP
P.S. My configure line is:
'./configure' '--enable-memory-limit' '--with-mysql=/usr/local/mysql'
'--with-zlib' '--with-apache=../apache_1.3.27'
'--enable-inline-optimization' '--with-curl=/usr/local'
'--with-mcrypt=/usr/local'
--
Edit bug report at http://bugs.php.net/?id=20728&edit=1
--
Try a CVS snapshot: http://bugs.php.net/fix.php?id=20728&r=trysnapshot
Fixed in CVS: http://bugs.php.net/fix.php?id=20728&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=20728&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=20728&r=needtrace
Try newer version: http://bugs.php.net/fix.php?id=20728&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=20728&r=support
Expected behavior: http://bugs.php.net/fix.php?id=20728&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=20728&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=20728&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=20728&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=20728&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=20728&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=20728&r=isapi
