#27471 [Opn-Fbk]: variables in a function or script alter session variables

2004-03-03 Thread derick
 ID:   27471
 Updated by:   [EMAIL PROTECTED]
 Reported By:  wxjasp02 at smumn dot edu
-Status:   Open
+Status:   Feedback
 Bug Type: Session related
 Operating System: RedHat Linux 9.0
 PHP Version:  Irrelevant
 New Comment:

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
a URL to it here. Try to avoid embedding huge scripts into the report.

Also fill in your PHP version number, which IS relevant and add a link
to your phpinfo(); output.


Previous Comments:


[2004-03-03 02:50:14] [EMAIL PROTECTED]

What is register_globals set to?



[2004-03-02 20:30:32] wxjasp02 at smumn dot edu

I altered the URL to my bug, as it was kinda hard to properly see the
script as it is, the new one is:



http://www.mytoast.net/phpbug.txt



[2004-03-02 20:23:28] wxjasp02 at smumn dot edu

Description:

Whenever I use a variable declared $group or $username in a function or
part of a script, and $_SESSION['group'] or $_SESSION['username'] are
in a valid session, the $group or $username variables ALTER the
respective $_SESSION variable by the time the script ends.



This should NEVER occur.

Reproduce code:
---
http://www.mytoast.net/phpbug.html

Expected result:

It should complete all the if () statements safely, and execute them as
if I were of the correct group type.

Actual result:
--
Basically, a $_SESSION['group'] is written to a session when a user
logs in to my site. The form above allows administrators of my site to
alter user permissions and whatnot, but it seems if $group is a
variable in the script, (and set), the $_SESSION['group'] gets altered
to whatever that value is, and the real administrator loses all their
admin privileges until they login again.



This is extremely annoying.

I found a workaround for the time being, but I don't like making more
code than I have to...





-- 
Edit this bug report at http://bugs.php.net/?id=27471&edit=1


#27471 [Opn-Fbk]: variables in a function or script alter session variables

2004-03-03 Thread derick
 ID:   27471
 Updated by:   [EMAIL PROTECTED]
 Reported By:  wxjasp02 at smumn dot edu
-Status:   Open
+Status:   Feedback
 Bug Type: Session related
 Operating System: RedHat Linux 9.0
 PHP Version:  Irrelevant
 New Comment:

Keeping the status at feedback until then, then.


Previous Comments:


[2004-03-03 13:01:14] wxjasp02 at smumn dot edu

I will post some sample code by midnight CST



[2004-03-03 12:59:04] wxjasp02 at smumn dot edu

http://www.mytoast.net/phpinfo.php



register_globals is ON.



[2004-03-03 04:44:47] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
a URL to it here. Try to avoid embedding huge scripts into the report.

Also fill in your PHP version number, which IS relevant and add a link
to your phpinfo(); output.



[2004-03-03 02:50:14] [EMAIL PROTECTED]

What is register_globals set to?



[2004-03-02 20:30:32] wxjasp02 at smumn dot edu

I altered the URL to my bug, as it was kinda hard to properly see the
script as it is, the new one is:



http://www.mytoast.net/phpbug.txt



The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/27471

-- 
Edit this bug report at http://bugs.php.net/?id=27471&edit=1
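
The behaviour discussed in this thread, as an added example that is not part of the bug report or of PHP's own code: assuming the cause is register_globals being ON (the setting the reporter confirms), the global $group and $_SESSION['group'] share one value, which is emulated below with explicit references because the setting was removed in PHP 5.4.0. The function names, the user table and the session values are constructed for illustration.

```php
<?php
// Added example, not code from the bug report. All names are hypothetical.

// Constructed sample session, as a login handler would have stored it.
$_SESSION = ['group' => 'admin', 'username' => 'alice'];

// Emulation (assumption): with register_globals=On, PHP 4 made the global
// $group and $_SESSION['group'] reference the same value. The binding is
// recreated by hand here so the effect can be observed on a current PHP.
$group    = &$_SESSION['group'];
$username = &$_SESSION['username'];

// "Before": an admin handler that uses $group for the user being edited.
function set_user_group_unsafe(array &$users, string $target, string $newGroup): void
{
    global $group;                     // same name as the session key
    $group = $newGroup;                // also overwrites $_SESSION['group']
    $users[$target]['group'] = $group;
}

// "After": no bare globals; the session is read explicitly and only checked.
function set_user_group(array &$users, string $target, string $newGroup): void
{
    if (($_SESSION['group'] ?? null) !== 'admin') {
        throw new RuntimeException('caller is not an administrator');
    }
    $users[$target]['group'] = $newGroup;
}

// Constructed user table standing in for the site's database.
$users = ['bob' => ['group' => 'member']];

// The administrator edits bob with the "before" handler and loses the role.
set_user_group_unsafe($users, 'bob', 'guest');
echo "unsafe handler, session group: {$_SESSION['group']}\n";

// Restore the session (what logging in again does), then use the "after" handler.
$_SESSION['group'] = 'admin';
set_user_group($users, 'bob', 'guest');
echo "explicit handler, session group: {$_SESSION['group']}\n";
```

On the PHP versions that still have the directive, setting register_globals = Off in php.ini removes the binding between globals and session keys.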