RE: [PHP] newbie needs help with session variables
- Date: Sat, 19 Apr 2008 15:28:43 -0700
- From: "Warren Vail" <warren@xxxxxxxxxxxx>
- Subject: RE: [PHP] newbie needs help with session variables

As I understand it, the "register variables" operation occurred before
execution began on your script. It involved copying data items from your
form ($_POST), from the request URL ($_GET) and from your session
($_SESSION) so that you could simply refer to them by name in your programs.
The drawback was that someone could simply modify the URL to reference one
of your pages adding a variable to the request, and overlay variables in
your session, thereby modifying the execution of your programs, and driving
a truck thru any security you may have assumed was there.

The reason you want to keep register globals off becomes more obvious, and
when you look for variables in the $_POST array or the $_GET array or the
$_SESSION array, you can be reasonably sure it is coming from where you
expected it. This still doesn't protect you from "cross-site posting", but
certainly enhances your ability to control the source of data coming into
your programs.

HTH,
Warren Vail

> -----Original Message-----
> From: Rod Clay [mailto:rclay@xxxxxxxxxxxxxxx]
> Sent: Saturday, April 19, 2008 2:20 PM
> To: php-general@xxxxxxxxxxxxx
> Subject: [PHP] newbie needs help with session variables
>
> Hi. I'm still very new to php and still trying to learn the ropes.
>
> I'm working on some code now trying to set up a session and
> use session variables in different scripts, but I'm getting
> this message:
>
> *Warning*: Unknown: Your script possibly relies on a session
> side-effect which existed until PHP 4.2.3. Please be advised
> that the session extension does not consider global variables
> as a source of data, unless register_globals is enabled. You
> can disable this functionality and this warning by setting
> session.bug_compat_42 or session.bug_compat_warn to off,
> respectively. in *Unknown* on line *0*
>
> 2 questions:
>
> 1) I've turned on register_globals in all of my php.ini files
> and restarted the webserver, but I'm still getting this
> message. Can anyone help me with this?
>
> 2) I get the idea that one should NOT turn on
> register_globals, but, if I don't do this, how do I share
> session variables between scripts (and avoid this message)?
>
> Thanks for any help that anyone can provide.
>
> Rod Clay
> clay.1@xxxxxxx
>
--
PHP General Mailing List (http://www.php.net/)
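
An added illustration of the point made in the reply above, not part of the original thread: a simplified PHP model of the flat namespace that register_globals produced, beside a check that reads only the session array. All names and input values are constructed; in a real script `$session` would be `$_SESSION` after calling `session_start()`, which is also how session data is shared between scripts.

```php
<?php
// Constructed inputs: a visitor who never logged in appends ?is_admin=1 to the URL.
$get     = ['is_admin' => '1', 'page' => 'reports'];
$post    = [];
$session = ['user' => 'guest'];   // the application never set is_admin

// Simplified model of the copying step described in the reply: every request
// and session item ends up under a plain name. This is not PHP's own code.
function flat_namespace(array $get, array $post, array $session): array
{
    return array_merge($get, $post, $session);
}

// Old style: the script trusts a bare name and cannot tell where it came from.
function can_view_admin_flat(array $vars): bool
{
    return !empty($vars['is_admin']);
}

// register_globals off: the script names the one source it expects.
function can_view_admin_explicit(array $session): bool
{
    return isset($session['is_admin']) && $session['is_admin'] === true;
}

$flat = flat_namespace($get, $post, $session);

echo 'flat namespace check: ';
var_dump(can_view_admin_flat($flat));         // the URL value fills the missing name

echo 'explicit session check: ';
var_dump(can_view_admin_explicit($session));  // only the session array is consulted

// Request data is still usable, but it is read by source and validated.
$allowed = ['home', 'reports'];
$page = in_array($get['page'] ?? '', $allowed, true) ? $get['page'] : 'home';
echo 'page: ', $page, PHP_EOL;
```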