inkswamp Posted May 10, 2009

I'm somewhat new to PHP. I've done programming before and loads of Web development, but PHP is new territory for me. So far, I love it, but I've encountered something that appears to be a bug of some sort. I managed to track it down and fix it but I'd love to have a better understanding of what just happened because right now, I'm still stumped.

I have a site that registers some values in the $_SESSION array when a user logs in. One of them is ['id'], which identifies a user by an assigned number in the database. In some of the subsequent code, I grab that value from a database query like this:

(run a select query... get the results and iterate through each row grabbing the user id.)

    $id = $row['id'];

Amazingly, $_SESSION['id'] ends up getting changed inadvertently (incremented by 7 weirdly enough) despite the fact that nowhere in the code am I explicitly referencing it after that point. I do work with $id however. I tracked this issue down to that line and changed it to this:

    $reqid = $row['id'];

Now, the value of $_SESSION['id'] remains unchanged.

Clearly, I don't understand some of the deeper things going on here and I would like to understand what I just did. My guess is that $id somehow ends up as a reference/pointer to the value of $_SESSION['id'] but I have no idea how or why.

Link to comment https://forums.phpfreaks.com/topic/157563-solved-variables-somehow-becoming-references-to-session-variables/

Ken2k7 Posted May 10, 2009

Can you possibly post the code? I can't debug anything from that.

PFMaBiSmAd Posted May 10, 2009

The only time that variables are "magically" populated by same name post/get/session/cookie variables are when register_globals are on. If you use a phpinfo(); statement, you will find that the register_globals setting is ON.

You should turn it off for several reasons - it is a huge security hole (a hacker can set your session variables to anything he wants), register_globals were turned off by default in php4.2 in the year 2002 (no code or hosting after that point in time should have relied on them or turned them on), and they have been completely removed in php6.

inkswamp Posted May 10, 2009

At the top of the script in question I do this, grabbing some form and session values.

    $thecode = $_REQUEST['thecode'];
    $thename = $_REQUEST['thename'];
    $user_id = $_SESSION['id'];
    $user_name = $_SESSION['username'];

Later, after a bunch of unrelated stuff that does not reference any of these, I do this with some of these values.

    $request = "SELECT `url`,`url_title`,`id` FROM `webitems` WHERE `category_id` = $thecode AND `user_id` = '$user_id';";
    $results = mysql_query($request);
    if (!mysql_num_rows($results)) {
        $fullHTML .= "<i>Nothing found!</i>";
    } else {
        while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {
            // for some reason this was causing the $_SESSION['id'] to increment +7 ???
            //$id = $row['id'];
            $reqid = $row['id'];
            $url = $row['url'];
            $title = $row['url_title'];
            $fullHTML .= "<div id=\"link_id_$reqid\"><a class=\"edit_link\" href=\"javascript:editLink('$reqid')\"> [ edit ] </a><a class=\"standard_link\" href=\"$url/\">$title</a></div>";
        }
    }

While debugging, I was reduced to commenting out code line-by-line once I had a rough idea where it was happening. During that, I discovered that the line starting with "$id = $row..." was the source of the $_SESSION['id'] being changed. Commenting it out completely stopped it from happening. The rest of the code ran without issue and the session value was left unchanged. Changing that line to the alternate version above fixed the issue.

inkswamp Posted May 10, 2009

> The only time that variables are "magically" populated by same name post/get/session/cookie variables are when register_globals are on. If you use a phpinfo(); statement, you will find that the register_globals setting is ON.

Very interesting. Since my post about this, I have run the original code on a different install of PHP and it did not produce the same problem. I suspect that what you're talking about is the source of the issue. The phpinfo on the problem install shows "register_globals On". (Sadly, I don't have access to change that globally, but I believe I've read about altering those settings on a per-page basis. I'll look into that.)

Anyway, thank you for the help. Not sure where this whole thing sits on the "dumb question"-o-meter, but I appreciate the explanation.

PFMaBiSmAd Posted May 10, 2009

If php is running as an Apache module, you should be able to (depending on if your web host permits the setting to be changed) change the register_globals setting in a .htaccess file. If php is running as a cgi application, you should be able to (depending on if your web host permits the setting to be changed) change the register_globals setting in a local php.ini file.

If your web host does not allow the setting to be changed and they won't turn it off on your account, you should consider looking for a new host if you are expecting session variables to be untouchable by the visitors (hackers) to your site because register_globals allows anyone to set session variables to anything they want by simply typing GET parameters on the end of the URL when they visit your site.

inkswamp Posted May 10, 2009

> If php is running as an Apache module, you should be able to (depending on if your web host permits the setting to be changed) change the register_globals setting in a .htaccess file.

Just tried this out and it worked. Thank you again for the help!
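
The behaviour diagnosed in this thread, as an added example that is not part of the original posts: it emulates the session binding with an explicit reference so it also runs on PHP versions that no longer have the setting, then shows that unset() breaks the binding. The session values, the rows and the helper name register_globals_enabled() are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. All values are constructed.

// Reports whether this PHP build still honours register_globals.
// ini_get() returns false when the directive does not exist at all.
function register_globals_enabled()
{
    $value = ini_get('register_globals');
    return $value !== false
        && in_array(strtolower((string) $value), array('1', 'on', 'true', 'yes'), true);
}

// Stand-in for the values the login code stored in the session.
$_SESSION = array('id' => 12, 'username' => 'example_user');

// Stand-in for the rows returned by the SELECT on `webitems`.
$rows = array(array('id' => 5), array('id' => 19));

// With register_globals On, the global $id and $_SESSION['id'] refer to the
// same value after session_start(). This explicit reference emulates that.
$id =& $_SESSION['id'];

foreach ($rows as $row) {
    $id = $row['id'];   // reads like a scratch variable, writes to the session
}
echo "aliased \$id:   session id is now ", $_SESSION['id'], "\n";

// Break the binding: unset() drops the name $id, not the session entry.
$_SESSION['id'] = 12;
unset($id);

foreach ($rows as $row) {
    $id = $row['id'];   // now an ordinary variable
}
echo "after unset(): session id is now ", $_SESSION['id'], "\n";

// Guard for scripts that must not run with the setting enabled.
if (register_globals_enabled()) {
    trigger_error('register_globals is On; disable it before using sessions', E_USER_WARNING);
}
```

Under the Apache module the setting is switched off in .htaccess with `php_flag register_globals off`; in a local php.ini the line is `register_globals = Off`.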
This topic is now archived and is closed to further replies.