How to call the session variable?

  • Jerry Stuckle

    #16
    Re: How to call the session variable?

    Luuk wrote:
    "Peter Pei" <yantao@telus.com> wrote in message
    news:BRBij.4301$vp3.3234@edtnps90...
    .....
    . Learn before start teaching.
    >
    Please Peter, read this http://www.cs.tut.fi/~jkorpela/usenet/dont.html
    especially number 3
    >
    ....... You should include some indication of what you are responding to;
    either quote a key sentence....... ....
    >
    >
    greetings,
    >
    >
    >
    Don't worry. He doesn't believe in following netiquette. I've already
    plonked him - as have a lot of people. I don't even see his messages
    any more.

    Much nicer.

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    jstucklex@attglobal.net
    ==================

    Comment

    • Jerry Stuckle

      #17
      Re: How to call the session variable?

      Rik Wasmus wrote:
      On Mon, 14 Jan 2008 12:51:23 +0100, Captain Paralytic
      <paul_lautman@yahoo.com> wrote:
      >
      >On 14 Jan, 10:13, Erwin Moller
      ><Since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
      >>Peter Pei wrote:
      >Trust yr own testing and judgement first, and be very careful what you
      >hear in this forum.
      >>>
      >>Peter,
      >>>
      >>You talk/write too much.
      >>
      >And quote too little.
      >>
      >Hopefully he will go away soon.
      >
      Amazingly, he managed to get into the filter in 2 days. Now if everyone
      kindly stops responding to him I'm a happy bunny :)
      You, too, Rik? It's almost a record here.

      --
      ==================
      Remove the "x" from my email address
      Jerry Stuckle
      JDS Computer Training Corp.
      jstucklex@attglobal.net
      ==================

      Comment

      • Michael Fesser

        #18
        Re: How to call the session variable?

        ..oO(Peter Pei)
        >What an idiot! He tested and they are related - that's a fact. How many
        >times I told you in other threads the same thing?
        How many times you were told that you're wrong? $_SESSION['foo'] and
        $foo are only related if register_globals is turned on. A simple test:

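        <?php
        session_start();

        if (isset($_GET['show'])) {
            // Second request: dump the session, then the plain variables.
            print '<pre>';
            print_r($_SESSION);
            var_dump($foo);
            var_dump($bar);
            print '</pre>';
        } else {
            // First request: store two values in the session only.
            $_SESSION['foo'] = 23;
            $_SESSION['bar'] = 42;
        }
        // PHP_SELF is request-derived, so escape it before echoing it into HTML.
        $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
        print "<a href='{$self}?show'>next</a>";
        ?>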

        After calling the script and clicking the link, the result with
        register_globals = ON will be:

        Array
        (
            [foo] => 23
            [bar] => 42
        )
        int(23)
        int(42)

        This is what the OP got. Now the same thing with register_globals = OFF:

        Array
        (
            [foo] => 23
            [bar] => 42
        )

        Notice: Undefined variable: foo in ...
        NULL

        Notice: Undefined variable: bar in ...
        NULL

        This is how it should be on a properly configured system.

        Micha

        Comment

        • Peter Pei

          #19
          Re: How to call the session variable?

          You are obviously right, and that's exactly what I have said all the time in
          every thread I participated in. Did you get yourself familiar with the
          context before you jump in?

          If you did, you could have saved yourself some precious time instead of
          coming up with sample code that we all know. Jerry's problem is that he
          insisted that $_SESSION['a'] and $a are unrelated regardless whether
          register_global is on.


          Comment

          • Peter Pei

            #20
            Re: How to call the session variable?

            That's your loss, not mine

            Comment

            • Peter Pei

              #21
              Re: How to call the session variable?

              Aman!

              Comment

              • Captain Paralytic

                #22
                Re: How to call the session variable?

                On 14 Jan, 09:59, Jonas Werres <jo...@example.org> wrote:
                Kurda Yon wrote:
                Hi,
                >
                As you have recommended I did not use the session_register(). In one
                file I have executed such line:
                $_session['ex'] = 2.0;
                >
                Then, in another file, I have executed the following line:
                $ex = 3.0.
                >
                And then I have noticed that the previous assignment is seen
                everywhere (on other pages). So, as far as I understood, after the
                usage of $_session['ex'] = 2.0, the $ex variable becomes a session
                variable. Moreover, $ex and
                $_session['ex'] variables are the same variable! In other words, I
                have to call $_session['ex'] just the first time. After I did it once
                I can use just $ex (instead of $_session['ex']). Is that true?
                What the hell is going on here!?!
                >
                Anyway... This happens, when register_globals
                (http://de.php.net/register_globals) is active (see first comment), which
                is also a sure sign, that you should really change your hoster because of
                incompetence.
                At least, you should manually turn it off either using .htaccess or ini_set()
                (latter one might not work, because GPC variables are registered before
                ini_set() is executed. I'm too lazy to consult the manual, do it yourself)
                >
                Note, that this will force you to use the $_POST/$_GET/$_REQUEST arrays,
                although you should REALLY do that any.
                >
                Please do not top post.

                Comment

                • Michael Fesser

                  #23
                  Re: How to call the session variable?

                  ..oO(Peter Pei)
                  >You are obviously right, and that's exactly what I have said all the time in
                  >every threads I partricipated. Did you get yourself familiar with the
                  >context before you jump in?
                  Sure I do, even if all your postings are without any context. You also
                  claimed that register_globals is broken in PHP 5.2.5, which in fact it
                  isn't.
                  >If you did, you could have saved yourself some precious time instead of
                  >coming up with sample code that we all know. Jerry's problem is that he
                  >insisted that $_SESSION['a'] and $a are unrelated regardless whether
                  >register_global is on.
                  Wrong again. Do _you_ read what you're replying to? He said:

                  | It used to - there is a parm in the php.ini file called
                  | register_globals.
                  |
                  | In earlier versions, this was enabled and would do what you want.
                  | However, this is a huge security risk and has been disabled by default
                  | in recent versions.

                  The rest of the sub thread was based on that, no need to repeat it over
                  and over again. Additionally register_globals are dead, so it makes
                  perfect sense to say that $_SESSION['foo'] and $foo are not related in
                  any kind, because that's how it is by default (since years!) and on
                  every properly configured system.

                  Micha

                  Comment

                  • Jonas Werres

                    #24
                    Re: How to call the session variable?

                    I wouldn't bother Michael, the guy is a dick-head. He posts completely
                    out of context and never talks sense. He has a way over inflated sense
                    of his own worth and usefulness.
                    I have to admit, if his posts have content worth reading (and unfortunately
                    he posts many which have not), he is right. Which is something postings in
                    this group often lack.
                    He might be quite annoying, but those postings are easy to skip. The other
                    ones are sometimes the only correct responses to a question.

                    Comment

                    • Captain Paralytic

                      #25
                      Re: How to call the session variable?

                      On 14 Jan, 17:31, Jonas Werres <jo...@example.org> wrote:
                      I wouldn't bother Michael, the guy is a dick-head. He posts completely
                      out of context and never talks sense. He has a way over inflated sense
                      of his own worth and usefulness.
                      >
                      I have to admit, if his posts have content worth reading (and unfortunately
                      he posts many which have not), he is right. Which is something postings in
                      this group often lack.
                      He might be quite annoying, but those postings are easy to skip. The other
                      ones are sometimes the only correct responses to a question.
                      But how do you tell. There is never any context to the post as he
                      never quotes anything and if his good posts to his bad ones are in a
                      ratio of 1 to 99, the chances are better that you have a crap post
                      than a good one.

                      Comment

                      • Kurda Yon

                        #26
                        Re: How to call the session variable?

                        Anyway... This happens, when register_globals
                        (http://de.php.net/register_globals) is active (see first comment), which
                        is also a sure sign, that you should really change your hoster because of
                        incompetence.
                        Will I be able to use global variables after I turn off the
                        register_globals? In my code I use the global variables extensively,
                        and I would not like to rewrite everything. By the way, why it is so
                        bad if the register_global is turned on? I do not see any problems in
                        the effect that I have described in my first post.

                        Comment

                        • Jerry Stuckle

                          #27
                          Re: How to call the session variable?

                          Kurda Yon wrote:
                          >Anyway... This happens, when register_globals
                          >(http://de.php.net/register_globals) is active (see first comment), which
                          >is also a sure sign, that you should really change your hoster because of
                          >incompetence.
                          Will I be able to use global variables after I turn off the
                          register_globals? In my code I use the global variables extensively,
                          and I would not like to rewrite everything. By the way, why it is so
                          bad if the register_global is turned on? I do not see any problems in
                          the effect that I have described in my first post.
                          >
                          Global variables (which you shouldn't use) will still work.
                          register_globals just affects $_SESSION, $_COOKIE, $_GET and $_POST.

                          And yes, you should think about rewriting your code to get rid of global
                          variables. They make troubleshooting your code and changes much harder.

                          --
                          ==================
                          Remove the "x" from my email address
                          Jerry Stuckle
                          JDS Computer Training Corp.
                          jstucklex@attglobal.net
                          ==================

                          Comment

                          • Kurda Yon

                            #28
                            Re: How to call the session variable?

                            OK. But, what is the problem with the "turned on register_globals"? I
                            read about the problem here:


                            And they explain the problem by the following example:
                            if ($_COOKIE['adminpassword'] == 'secret')
                            $admin = TRUE;
                            ....
                            if ($admin) destroy_website();

                            If somebody loads the website like that:
                            website.php?admin=1
                            the website will be destroyed.

                            But I do not understand how the given example is related with the
                            global variables? The described example will be a problem even if the
                            $admin is NOT a global variable. Isn't?

                            Comment

                            • Michael Fesser

                              #29
                              Re: How to call the session variable?

                              ..oO(Kurda Yon)
                              >Anyway... This happens, when register_globals
                              >(http://de.php.net/register_globals) is active (see first comment), which
                              >is also a sure sign, that you should really change your hoster because of
                              >incompetence.
                              >
                              >Will I be able to use global variables after I turn off the
                              >register_globals?
                              Sure. You just won't be able to directly access any posted or session
                              data just by using a variable anymore, you would have to use the arrays
                              $_GET, $_POST etc. instead.
                              >In my code I use the global variables extensively,
                              >and I would not like to rewrite everything. By the way, way it is so
                              >bad if the register_global is turned on? I do not see any problems in
                              >the effect that I have described in my first post.
                              If your scripts are not properly written with register_globals in mind
                              (and most scripts are not properly written like that), then it's very
                              easy to overwrite uninitialized internal variables simply by passing a
                              URL parameter for example:

                              if (userIsAuthenticated()) {
                                  $login = TRUE;
                              }

                              if ($login) {
                                  // do something "secure"
                              }

                              You can find a lot of scripts which are written as bad as this simple
                              example. This code would at least throw a notice on an unauthenticated
                              run, but E_NOTICE is disabled by default. Then with register_globals
                              enabled all it needs is <http://example.com/secure.php?login=1> to gain
                              access. It can get even worse if you use cookies and sessions - all
                              these data from all the different sources will be put into the global
                              namespace, overwriting each other in case of a name clash. Good luck
                              with finding out where the value of a variable actually came from ...

                              register_globals is BAD (broken as designed) and disabled by default for
                              good reasons. It will be completely removed in PHP 6. If your code still
                              relies on it, it's time to start rewriting it.

                              Micha

                              Comment

                              • Jerry Stuckle

                                #30
                                Re: How to call the session variable?

                                Kurda Yon wrote:
                                OK. But, what is the problem with the "turned on register_globals"? I
                                read about the problem here:

                                >
                                And they explain the problem by the following example:
                                if ($_COOKIE['adminpassword'] == 'secret')
                                $admin = TRUE;
                                ...
                                if ($admin) destroy_website();
                                >
                                If somebody loads the website like that:
                                website.php?admin=1
                                the website will be destroyed.
                                >
                                But I do not understand how the given example is related with the
                                global variables? The described example will be a problem even if the
                                $admin is NOT a global variable. Isn't?
                                >
                                Because with register_globals on,

                                http://www.example.com?admin=1

                                sets $admin to 1 (true).


                                --
                                ==================
                                Remove the "x" from my email address
                                Jerry Stuckle
                                JDS Computer Training Corp.
                                jstucklex@attglobal.net
                                ==================

                                Comment
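The overwrite discussed in posts #29 and #30, as an added example that is not part of the thread. Current PHP has no register_globals directive, so an array stands in for the global scope; the merge order (GET, cookie, session), the `user_id` session key and `user_is_authenticated()` are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. An array stands in for the global
// scope that register_globals used to fill. All request data is constructed.

// Merge request sources into one namespace; later sources win a name clash.
function emulate_register_globals(array ...$sources): array
{
    return array_replace([], ...$sources);
}

// Names supplied by more than one source, i.e. values of ambiguous origin.
function name_clashes(array ...$sources): array
{
    $count = [];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            $count[$name] = ($count[$name] ?? 0) + 1;
        }
    }
    return array_keys(array_filter($count, fn($n) => $n > 1));
}

// Hypothetical stand-in for the thread's userIsAuthenticated().
function user_is_authenticated(array $s): bool { return isset($s['user_id']); }

// Pattern from the thread: the flag is assigned only on success, so whatever
// the request put into the scope beforehand survives the check.
function vulnerable_check(array $get, array $cookie, array $session): bool
{
    $scope = emulate_register_globals($get, $cookie, $session);
    if (user_is_authenticated($session)) {
        $scope['login'] = true;
    }
    return !empty($scope['login']);
}

// Hardened: the flag is always initialised and derived from session data only.
function hardened_check(array $session): bool
{
    $login = false;
    if (user_is_authenticated($session)) {
        $login = true;
    }
    return $login;
}

$get     = ['login' => '1', 'ex' => '3.0'];  // constructed: secure.php?login=1&ex=3.0
$session = ['ex' => 2.0];                    // constructed: no user_id, not logged in
var_dump(vulnerable_check($get, [], $session));
var_dump(hardened_check($session));
var_dump(name_clashes($get, [], $session));
```

Run with the PHP CLI: the first check grants access to the unauthenticated request, the second does not, and the last call lists `ex` as a name whose value could have come from either the URL or the session.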
