Jump to content

how is this $_POST variable somehow changing into a $_SESSION variable?

bitt3n

By bitt3n
in PHP Coding Help

 Share

Recommended Posts

bitt3n Newbie

bitt3n

Posted
Posted

I have been having problems with this for many hours now, any help would be great.

 

I have a function that accepts $_POST data from a form, and uses it to generate a session containing user data. At the beginning of the script, $_SESSION is empty. At the end of the script, the $_POST and $_SESSION arrays contain the following:

 

post

Array ( [username] => myusername [password] => mypassword [login_temp] => not_public_terminal [submit] => Login [signin_submitted] => TRUE [teacher_id] => 5227 [active] => a00b109d99b0f0d3642b0f3f6099e678 [invitee_email] => myemail@gmail.com )

 

session

Array ( [user_id] => 1 [name] => MyName [username] => myusername [active] => => myemail@gmail.com )

 

$_POST['active'] a 32-char string. $_SESSION['active'] is NULL.

 

If I then navigate to another page on my site and print out the session variables after starting the session, I get

 

post

Array ( )

 

session

Array ( [user_id] => 1 [name] => MyName [username] => myusername [active] => a00b109d99b0f0d3642b0f3f6099e678 => myemail@gmail.com )

 

thus, the active variable is for some reason the 32-character string from the $_POST array, and not the NULL value from the $_SESSION array.

 

I am definitely not setting $_SESSION['active'] = $_POST['active']. I can check the value of $_SESSION['active'] at the end of my script and confirm it is NULL, and then at the beginning of the new page, right after session_start(), I find it has assumed the value of $_POST['active'].

 

Furthermore, I do NOT see this problem if I set $_SESSION['active'] to any value other than NULL. For example, if I set $_SESSION['active'] to the string 'not null', then it retains this value when I navigate to the new page. It is only when $_SESSION['active'] is NULL that it assumes the value of $_POST['active'] from the prior page.

 

I have also tried setting all of the following to NULL at the end of my script

 

$_POST['active'] = NULL;

$HTTP_POST_VARS['active'] = NULL;

$_REQUEST['active'] = NULL;

$HTTP_ENV_VARS['active'] = NULL;

 

This did not fix the problem. I am thoroughly mystified and any suggestions regarding additional steps I might take to identify the problem would be appreciated. Thanks!

Link to comment
Share on other sites
bitt3n Newbie

bitt3n

Posted
  • Author
Posted

nope, the 32-char string is definitely the $_POST['active'] value and not the session id. I set $_SESSION['active'] with

 

$_SESSION['active'] = $row['active'];

 

$row['active'] == NULL

 

I do not otherwise make reference to $_SESSION['active'] in the script.

Link to comment
Share on other sites
haku Regular Member

haku

Posted
Posted

You didn't use code tags, so I can't be bothered to read through your code (its so hard to read when you don't use the tags), but I'd bet a dollar to a donut that you need to turn off register_globals in your php.ini

 

You can also do this in an .htaccess file by setting:

 

php_value register_globals    0

Link to comment
Share on other sites
dclamp Newbie

dclamp

Posted
Posted

You didn't use code tags, so I can't be bothered to read through your code (its so hard to read when you don't use the tags), but I'd bet a dollar to a donut that you need to turn off register_globals in your php.ini

 

You can also do this in an .htaccess file by setting:

 

php_value register_globals    0

ini_set() is another alternative.

Link to comment
Share on other sites
bitt3n Newbie

bitt3n

Posted
  • Author
Posted

sorry, code tagged version below. Unfortunately my shared host doesn't appear to allow me to modify the register_globals setting. I added the line

 

php_value register_globals 0

 

to .htaccess, but ini_get() indicates that register_globals is still on. I've had this problem before trying to modify other php.ini settings.

 

according to my PHP reference, ini_set() cannot be used to change the register_global value because the page receives the arrays before any ini_set() alterations can occur.

 

turning off register_globals may solve the problem, but I would like to know specifically what the problem is anyway, given that I cannot see any reason why the problem should exist for the case $_SESSION['active'] == NULL, but for no other case. Partly I'm curious and want to understand what's going on, rather than just make the problem disappear (which I could do by changing the $_POST variable name).

 

I also noticed recently that if a user signs in using the page in question, and then another (same or different) user signs in while the first user's session is still active, I do not see this problem. It is only when a user signs out and then the next user signs in that I see this problem.

 

I have been having problems with this for many hours now, any help would be great.

 

I have a function that accepts $_POST data from a form, and uses it to generate a session containing user data. At the beginning of the script, $_SESSION is empty. At the end of the script, the $_POST and $_SESSION arrays contain the following:

 

post
Array ( [username] => myusername [password] => mypassword [login_temp] => not_public_terminal [submit] => Login [signin_submitted] => TRUE [teacher_id] => 5227 [active] => a00b109d99b0f0d3642b0f3f6099e678 [invitee_email] => myemail@gmail.com )

session
Array ( [user_id] => 1 [name] => MyName [username] => myusername [active] => => [email]myemail@gmail.com )

 

$_POST['active'] a 32-char string. $_SESSION['active'] is NULL.

 

If I then navigate to another page on my site and print out the session variables after starting the session, I get

 

post
Array ( )

session
Array ( [user_id] => 1 [name] => MyName [username] => myusername [active] => a00b109d99b0f0d3642b0f3f6099e678 => [email]myemail@gmail.com )

 

thus, the active variable is for some reason the 32-character string from the $_POST array, and not the NULL value from the $_SESSION array.

 

I am definitely not setting $_SESSION['active'] = $_POST['active']. I can check the value of $_SESSION['active'] at the end of my script and confirm it is NULL, and then at the beginning of the new page, right after session_start(), I find it has assumed the value of $_POST['active'].

 

Furthermore, I do NOT see this problem if I set $_SESSION['active'] to any value other than NULL. For example, if I set $_SESSION['active'] to the string 'not null', then it retains this value when I navigate to the new page. It is only when $_SESSION['active'] is NULL that it assumes the value of $_POST['active'] from the prior page.

 

I have also tried setting all of the following to NULL at the end of my script

 

$_POST['active'] = NULL;
$HTTP_POST_VARS['active'] = NULL;
$_REQUEST['active'] = NULL;
$HTTP_ENV_VARS['active'] = NULL;

 

This did not fix the problem. I am thoroughly mystified and any suggestions regarding additional steps I might take to identify the problem would be appreciated. Thanks!

Link to comment
Share on other sites
haku Regular Member

haku

Posted
Posted

If you aren't able to change the value, then you have to make sure that you aren't using variable names that are the same as $_SESSION names.

 

For example if you have $_SESSION['name'], you can't have $name, and if you have $_SESSION['username'], you can't have $username.

 

 

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

You can set php settings in a .htaccess file only when php is running as an Apache module (and the web host allows you to change the settings.) You can set php settings in a local php.ini file when php is running as a CGI application (and the web host allows you to change the settings.) How is php integrated on your web server?

 

The sad part about this is that register_globals were turned off in php4.2 in the year 2002 because of this problem and the fact that web sites are getting taken over by hackers because they can set session variables by simply putting GET variables on the end of url's. Register_globals have been completely removed in php6.

 

If your web host does not provide any way of turning off register_globals (six years after they were turned off by default), you should be asking them why they don't allow you to do this and/or you should be looking for a new web host. Even if you make unique names for your post/get/cookie/session and program variable names, as long as your code is on a server with register_globals on and if someone guesses your session variable names, they can set them and become logged on or become an administrator in your script.

Link to comment
Share on other sites
bitt3n Newbie

bitt3n

Posted
  • Author
Posted

ok I figured I'd just install php/mysql on a local machine and verify that this problem only appears when register_globals is on, and this is true, so it is definitely related to register_globals.

 

(My host php is installed as an apache module. my modifications to the .htaccess file do get recognized (I typed some garbage into .htaccess and confirmed it caused a server error), but the change to register_globals does not register. I'll ask the host about this.)

 

The thing is, previous register_globals problems I've had are of the form haku described, where there is some variable $x that conflicts with $_SESSION['x']. In this case, I am not using any variables except $_POST and $_SESSION, so I don't see how register_globals is working its mischief. Also, the fact that the problem only happens when $_SESSION['active'] is NULL and not when it is any other value is puzzling, as is the fact that I don't see the problem when I am updating an existing session (ie, signing in when another user is already signed in, and thus replacing existing values of the session variables), but only when I am creating a new session (ie, after previously executing

 

$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.

 

). I hate to just turn off register_globals without learning what the problem was.

Link to comment
Share on other sites
bitt3n Newbie

bitt3n

Posted
  • Author
Posted

ok, I have some interesting news.. I managed to pare down the code to an extremely simple script (just accepts form data and sets a session variable), and STILL reproduce the problem. You can see the problem here:

 

http://kinostat.com/signinfiles/signin_new.php

 

simply click the "sign in" button, then click the refresh page link, and you will see the $_POST variable has somehow transformed into a $_SESSION variable. Click the sign out link, then sign in again, and the same thing happens. Do NOT click the sign out link, and it does NOT happen.

 

the code for the signin and signout files is at

 

http://kinostat.com/signinfiles/signin_new.php.txt

http://kinostat.com/signinfiles/signout.php.txt

 

who can explain this mystery? [scratches forehead]

 

note that it only happens if register_globals is ON. On this host I can change the setting with .htaccess (unlike with my other host), so I can now avoid the problem, but I want to understand it also.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.