Reply to Re: Problem with session variables?

Your name:

Reply:


Posted by Hilarion on 10/25/05 15:51

> * register_globals = On is dangerous because it can mask or be masked
> by other variable

I'm not sure if I understand you. If you are about variables scope,
then it has not much to do with register_globals. Regardless of it
being on or off all variables have same scope. register_globals only
makes some variables automatically set to values from environment
($_ENV, $_SERVER) and from request ($_REQUEST or rather directly
$_GET, $_POST and $_COOKIE).


> * register_globals = On is dangerous because users can add variables
> to the query string and override stuff you thought was safe

Yes. Having that in mind it's also possible to write scripts that are
safe even when register_globals is on, but if it's off then still
writing unsecure scripts is possible (for example register_globals
does not affect most SQL injection attacks).


> With register_globals = On, PHP creates an $var for every
> $_SESSION['var'].

As far as I know it does not. It does it (by reference) when calling
session_register.


> These are not available within function unless you
> use "global $var", so "$var m= 27;" within a function will create a
> local $var which will mask your session $var

Yes, because it's a global variable and all scope rules apply.


> Setting $HTTP_SESSION_VARS ["country"] = $country; means that anything
> you do to $country will be done to $HTTP_SESSION_VARS ["country"] since
> they are now one and the same (I think)

Nope. This only assigns value of $country variable to the session
values array. It does not bind the variable as a session variable.
session_register does the bind. Additionaly $HTTP_SESSION_VARS is
only a global variable (scope rules apply), not a superglobal
as $_SESSION (available in all scopes).


> BUT...$country still has the same scope that any other $var has, so if
> you do $HTTP_SESSION_VARS ["country"] = $country; within a function,
> $country disappears when the function ends ($HTTP_SESSION_VARS
> ["country"] remains, though)

As above. This assignment does nothing to global variables including
session values because $HTTP_SESSION_VARS and $country variables
are local to the function.


> Simple answer: Stick with $_SESSION['country'] - it's simpler, obvious,
> and a lot safer

I agree.


Hilarion

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация