Is there any problem in session handling functions of php 5.1.5?

Suppose I store member id in session["id"] on login and recall this variable again and again where I need to show options or membername who is logged in.

This was working exactly fine in all earlier versions on my machine, running IIS, windows xp, and php 5.1.4, it was working perfectly.

Now what is happening on my server, where I set

AddHandler application/x-httpd-php5 .php

in my .htaccess because some classes in my code need php 5.
Following is happening.

$id=$_SESSION["id"]; //outputs $id=1 which is correct
$id=$_GET["somepassedvariable"]; //outputs $id=765 which is also correct

Now if I again check $_SESSION["id"], this will be changed to 765, meaning:

$id=$_SESSION["id"]; //outputs $id=765

which is wrong, as nowhere in the code is the session variable changed!

Does anyone know this? Is it a bug? I have been tracking this thing down since yesterday, it has taken all my night and now I finally believe that it's some bug in php 5.1.5!

What you people say?

    Just a guess here, but do you have register_globals turned on? The reason I ask is

    • first you assign the value of $_SESSION['id'] to simple variable $id

    • then you assign the value of $_GET['id'] to the same variable $id

    • when you check $_SESSION['id'] you get the last assigned value of $id

    It seems that register_globals must be turned on, and I will assume that if you checked $_GET['id'] it would also show the last assigned value of $id. Check your register_globals setting, and if it is ON then turn it off and retry your script.

      There are no changes in PHP 5.1.5 which would/should cause such problems. Have you turned on register_globals?

        agree with pcthug, I have checked the changelog, there is nothing like that!

        and yes houdini, I have contacted support to check register_globals if they are on. If after turning them off, the problem persists, I will upload some sample code for all of you to see.

        Thanx 🙂

          You can check that yourself by running phpinfo(); on your server. Just copy and paste the following little script to your root directory and run it, and in the configuration section (the second table) you will know.

          <?php
          phpinfo();
          ?>

          Ftp the above to your root directory with a name like info.php then go to the root of your site and just run it

            yeh they are on. Thanx a lot houdini. Now tell me as far as I remember is that we can write some line in .htaccess which will turn register_globals Off just for my site.

            Did you know that?

              Either put the following line in your htaccess file:

              php_value register_globals 0
              

              Or unset the injected variables within your php:

              // the following must appear at the start of your script
              if (ini_get('register_globals'))
              {
                 foreach($_REQUEST as $key => $value)
                 {
                    unset($$key);
                 }
              }
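
The aliasing behind this thread, as an added example that is not code from any poster: with register_globals on, a global such as $id is bound by reference to $_SESSION['id'], so a cleanup loop that walks only request keys leaves session-bound names in place. The arrays $session, $get and $scope and both function names are constructed stand-ins (assumptions), used so the script runs on current PHP, where register_globals no longer exists.

```php
<?php
// Emulates register_globals=On with plain arrays. $session, $get and $scope
// are constructed stand-ins for $_SESSION, $_GET and the global symbol table.

// Startup emulation: request values are copied into scope, while session
// values are bound by reference, which is the source of the symptom.
function emulate_register_globals(array &$scope, array $get, array &$session): void
{
    foreach ($get as $key => $value) {
        $scope[$key] = $value;
    }
    foreach (array_keys($session) as $key) {
        $scope[$key] = &$session[$key];
    }
}

// Cleanup: remove every injected name found in any of the given sources.
// unset() drops the alias only; the session value itself is left in place.
function unregister_globals(array &$scope, array ...$sources): void
{
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            unset($scope[$key]);
        }
    }
}

$get = ['somepassedvariable' => 765];   // constructed query string

// Case 1: no cleanup. Assigning the "plain" variable writes into the session.
$session = ['id' => 1];                 // member id stored at login
$scope = [];
emulate_register_globals($scope, $get, $session);
$scope['id'] = $get['somepassedvariable'];
$withoutCleanup = $session['id'];

// Case 2: cleanup over request and session keys before the script body runs.
$session = ['id' => 1];
$scope = [];
emulate_register_globals($scope, $get, $session);
unregister_globals($scope, $get, $session);
$scope['id'] = $get['somepassedvariable'];
$withCleanup = $session['id'];

printf("session id without cleanup: %d\n", $withoutCleanup);
printf("session id with cleanup:    %d\n", $withCleanup);
```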

                Just such problems are probably why those that create PHP decided with 4.2.0 to make register_globals OFF by default. See the reasons for this at this link. Perhaps some web hosting sites are not really concerned with security or stuff like that, and many who still use old scripts that are vulnerable and also unpredictable (whether they know it or not) still depend on the setting prior to PHP 4.2.0.

                At least now you know the reason for it and can do something about it. I believe, if I remember correctly, that in PHP 6 register globals will not even be an option and the default will be OFF or possibly not changeable at all, so this will get people used to code that is more secure and more predictable.

                I honestly believe that more problems with old PHP code are due to register_globals being set to ON when those that are learning the language are not aware of some of the complications.

                  I have added this to .htaccess

                  AddHandler application/x-httpd-php5 .php
                  php_value register_globals 0

                  This is giving 500 Internal Server Error, then I put this:

                  AddHandler application/x-httpd-php5 .php
                  php_flag register_globals off

                  and it is also giving the same error :S

                    Either consult your host regarding the issue or add the previously posted PHP to your scripts. If you do not feel like manually adding the above PHP to your scripts, put the following in your htaccess file:

                    php_value auto_prepend_file "register_globals_hack.php"
                    php_value include_path ".:/replace/this/path/with/your/wwwroot/"
                    

                    And create a file named register_globals_hack.php, fill it with the previously posted PHP and save to the include_path specified in your htaccess file.

                      In your .htaccess just add this line

                      php_flag register_globals 0

                      or you could use the ini_set() command like so:

                      ini_set("register_globals",0);

                      That will have to be with all scripts that are using the pesky settings and is a little much so the one line in your .htaccess would be a better approach.

                        First off, you might want to do a phpinfo() and check what the "Server API" is (listed towards the top of the very first table). If it says CGI binary (or something along those lines) as opposed to "Apache 2.0 Handler" (if running Apache2), you won't be able to use the .htaccess file in conjunction with the php_flag/php_value directives.

                        As such, you'll have to pursue PHP-coded methods of unsetting variables created by register_globals. If I were you, however, I would promptly change to a better/smarter webhost.

                          The really sad part is that this is supposed to be on a PHP 5+ system, and since 4.2.0 register_globals has been turned off by default, it makes me wonder why someone convinced this hosting site to run PHP with register_globals turned ON when that means that they had to do it on purpose!

                            Agreed. I would have switched webhosts long ago. Who knows what other shortcuts they've taken in regards to their system(s) and security.

                              hello thanx for all of your support here. I finally convinced them to turn register_globals off. Site is secured now 🙂

                                Great news, I am glad you got results so quickly. I was wondering why that is, since as of PHP 4.2.0 register_globals are OFF by DEFAULT, which means that they turned them on for some strange purpose. Had they merely installed PHP 5.1.5 and left the defaults alone you would not have had the problem.

                                I am sure you are happy!

                                  yah i m happy 🙂 thanx for your support..

                                  In fact I started learning php in December 05, until then I think ver 4.2.0 was made available.. or as far as I remember someone suggested it to me and I set the register_globals off... after that, as much as I do... they were off and I just thought that php works like this.. now when they seemed to be turned on, my whole code base was compromised.. as I stated the issue. Thanx God that the hosting company understood me and they were put to off timely 🙂
