
Bizarre: Session variable takes on unrelated page variable value


davestewart


I've an application where I'm cumulatively adding to the $_SESSION variable as the user completes different actions on the pages.

To cut to the root of the matter, I have a session key called 'message' ($_SESSION['message']), which stores a bunch of data to do with an email message.

Later in the application, on another page, I have a simple page variable $message which stores a message to present to the user regarding the result of an entirely unrelated process.

The crazy thing is, the session variable is being overwritten by the page variable, but NOWHERE in my script have I asked it to do this! Sure, I'm starting the session on page load to access some other data, but nowhere do I mix these two up.

Does anyone have any idea what is going on? I'm on PHP 5.2.9.

Thanks,

Dave

You know, I had the exact same thought after I sent the mail, and they are indeed on!

I've never had a problem with them before, but that's because I've always specified my own host, and this server was set up by someone else. Are they on by default or something?

They have been OFF by default since April 2002 (7 full years ago) in php4.2 because of the huge security hole of allowing hackers to set session variables by simply putting same-name GET parameters on the end of the URL when they visit your site. They have been completely removed in php6.

No web host, tutorial, script, book, xAMP package, php distribution, development system, or php developer should still have them on or rely on them at this point in time in the year 2009.
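
A startup check for the situation in this thread, added here as an example and not posted by any participant: it refuses to serve requests while the setting is on and lists session keys that share a name with request input. It assumes the setting being discussed is PHP's `register_globals` (the thread excerpt does not name it); the function names and sample data are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes the setting under discussion is
// PHP's register_globals; the function names below are hypothetical.

// True when register_globals is active. ini_get() returns false on PHP
// versions where the directive no longer exists.
function register_globals_enabled()
{
    $value = ini_get('register_globals');
    if ($value === false) {
        return false;
    }
    return in_array(strtolower(trim((string) $value)), array('1', 'on', 'yes', 'true'), true);
}

// Names that appear both as a session key and as request input: the session
// values a visitor could try to influence while the setting is on.
function session_request_collisions(array $session, array $get, array $post, array $cookie)
{
    $request = array_merge(array_keys($get), array_keys($post), array_keys($cookie));
    $hits = array_intersect(
        array_map('strval', array_keys($session)),
        array_map('strval', $request)
    );
    return array_values(array_unique($hits));
}

// Constructed sample data mirroring the thread: a session key 'message'
// and a request that carries a parameter of the same name.
$sampleSession = array('message' => array('to' => 'user@example.com'), 'user_id' => 7);
$sampleGet     = array('message' => 'overwritten', 'page' => '2');
print_r(session_request_collisions($sampleSession, $sampleGet, array(), array()));

// Fail closed at the top of every entry script. The directive cannot be
// changed with ini_set(); turn it off in php.ini (register_globals = Off)
// or, under Apache mod_php, per directory with "php_flag register_globals off".
if (register_globals_enabled()) {
    error_log('register_globals is enabled; refusing to serve requests');
    header('HTTP/1.1 503 Service Unavailable');
    exit;
}
```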
