Posted by Baeribeeri on 04/13/07 09:46

On 11 Apr., 14:49, Jerry Stuckle <jstuck...@attglobal.net> wrote:

> First of all, don't use session_register(). It's not needed. Just use
> the $_SESSION array.
>
> Then ensure you aren't accidentally changing $_SESSION['bilder'] or
> $bilder. It's easy to do with $register_globals on. IOW, is the code
> you showed all the code, or just an excerpt.
>
> And if this is a shared host, I would change hosting companies. The
> security warnings have been out there for years - and I wouldn't trust
> anyone who hasn't learned by now the potential problems it causes.

Yes, it is an excerpt. The complete code of the php file is more than
500 lines long. And, yes, I changed some values of the array bilder[].
I have to do this, because in the first step, the customer uploads the
photos and in the second step the customer chooses the format and the
number of copies, the material and so on.

But I found a workaround, that looks much better for me. I only use
the session to transport a session id. All contents of the variables
are stored in a MySQL database table, which will be deleted after the
complete order. Stuck orders will be deleted automaticly after two
days with a cron job script.

BTW, my webhoster is the number two in size in Germany.

But thanks for your help. Enjoy the spring weather (in Germany it is
really wonderful in the moment.)

Hartmut Jäger (www.jaeger-edv-service.de)

[Back to original message]