ID: 25110
Updated by: [EMAIL PROTECTED]
Reported By: carl at freeideas dot com
-Status: Open
+Status: Bogus
Bug Type: Session related
Operating System: OSX and WIN2K
PHP Version: 4.3.2
New Comment:
This can actually be called a "feature" rather than a bug.
If you don't like it, don't use 'register_globals = On' (it's a bad
idea anyway)
Previous Comments:
------------------------------------------------------------------------
[2003-08-16 16:25:09] carl at freeideas dot com
Description:
------------
When register_globals is on, and after a session has already been
started, $_SESSION values can be changed indirectly.
$_SESSION['userID'] = 'carl';
$userID = $_SESSION['userID'];
$userID = 'HAXOR';
# now $_SESSION['userID'] is 'HAXOR'
To me, this seems like a bad thing.
Happens under Mac OS 10.2, w/ PHP 4.3.2
Happens under Win2K w/ PHP 4.3.2
Doesn't happen under Linux w/ PHP 4.2.3
Reproduce code:
---------------
<?
# Demonstrates that $_SESSION can be changed indirectly.
# the alleged bug activates when register_globals is ON.
# set a userID in the session
session_start();
$_SESSION['userID'] = 'carl';
# copy userID into a global variable, $userID
$userID = $_SESSION['userID'];
# change only $userID
print "before: ". $_SESSION['userID'] ."<br>\n";
$userID = 'HAXOR';
print "after: ". $_SESSION['userID'] ."<br>\n";
if ( $_SESSION['userID']=='HAXOR' ) { print "bad"; }
# seems very wrong that $_SESSION['userID'] was changed
?>
Expected result:
----------------
After I run the script and reload it once, I should not see "bad"
because changing $userID should not change $_SESSION['userID'].
Actual result:
--------------
bad
------------------------------------------------------------------------
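An added illustration, not part of the report or of PHP's own code: register_globals was removed in later PHP versions, so this emulates the aliasing the report describes with an explicit reference and contrasts it with a plain copy. `$session`, `$globals` and `emulate_register_globals()` are hypothetical stand-ins for `$_SESSION`, the global scope and the session module's binding step.

```php
<?php
// Emulation only: $session stands in for $_SESSION and $globals for the
// global symbol table. emulate_register_globals() is a hypothetical helper.

function emulate_register_globals(array &$session, array &$globals): void
{
    // Bind each key already stored in the session to a same-named
    // "global" by reference, so both names share one value.
    foreach (array_keys($session) as $key) {
        $globals[$key] =& $session[$key];
    }
}

function show(string $label, array $session): void
{
    echo $label, ': ', $session['userID'], PHP_EOL;
}

// Constructed state: what an earlier request left in the session.
$session = ['userID' => 'carl'];
$globals = [];

// Case 1: binding in place (register_globals = On, session reloaded).
emulate_register_globals($session, $globals);
show('aliased, before', $session);
$globals['userID'] = 'changed-via-global';   // write to the "global" only
show('aliased, after ', $session);            // session entry follows it

// Case 2: no binding (register_globals = Off). Assignment copies the value.
$session = ['userID' => 'carl'];
$copy = $session['userID'];
show('copied, before ', $session);
$copy = 'changed-copy';                       // write to the copy only
show('copied, after  ', $session);            // session entry is untouched

// Why it matters for session integrity: under the binding, any code path
// that assigns to a global named like a session key rewrites that key.
$aliasedKeys = [];
foreach ($globals as $name => $_) {
    $aliasedKeys[] = $name;
}
echo 'keys writable through globals in case 1: ', implode(', ', $aliasedKeys), PHP_EOL;
```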