Bug#416262: [php-maint] Bug#416262: php4: $_SESSION overwrite by ordinary variables in the case of register_globals = On

sean finney seanius at debian.org
Mon Mar 26 19:44:36 UTC 2007

hi yoshihisa,

i'm not certain, but i think this is "behaviour as designed".

my take on what is happening:

first time: 
 - $foo is referenced, and not found in any super-global
   scope, so is created as a normal global variable.  thus
   first print gives nothing, and when $foo='bar', it is a
   different variable than $_SESSION['foo'], so print $_SESSION['foo']
   gives 'foo'
second time:
 - $foo is found in super-global _SESSION scope, so all
   references to $foo point to this.  so print $foo gives the
   same as $_SESSION['foo'] (foo), and assignments to one go
   to the other.  hence  print _SESSION[foo] gives 'bar'

third time:
 - like second time, foo is found in _SESSION, which now has
   'bar', and like before assignment to $foo goes to _SESSION[foo].

if you can justify why this should be otherwise we can consider leaving
this bug open.  otherwise i'll close it in some time.

but also, just FYI: debian does not recommend nor support the use of
register_globals.  we do not provide security updates for most
vulnerabilities related to register_globals, and don't provide much
support for normal bugs either because of confusion from issues like
this as well as the security implications.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20070326/688538d4/attachment.pgp

More information about the pkg-php-maint mailing list