davestewart
Posted June 3, 2009

I've an application where I'm cumulatively adding to the $_SESSION variable as the user completes different actions on the pages.

To cut to the root of the matter, I have a session key called 'message', ($_SESSION['message']) which stores a bunch of data to do with an email message. Later in the application, on another page, I have a simple page variable $message which stores a message to present to the user regarding the result of an entirely unrelated process.

The crazy thing is, the session variable is being overwritten by the page variable, but NOWHERE in my script have I asked it to do this! Sure, I'm starting the session on page load to access some other data, but nowhere do I mix these two up.

Does anyone have any idea what is going on? I'm on PHP 5.2.9.

Thanks,
Dave

PFMaBiSmAd
Posted June 3, 2009

What does a phpinfo(); statement show for register_globals? And if you find that they are turned ON, turn them OFF as soon as possible.

davestewart
Posted June 3, 2009

You know, I had the exact same thought after I sent the mail, and they are indeed on!

I've never had a problem with them before, but that's because I've always specified my own host, and this server was set up by someone else. Are they on by default or something?

PFMaBiSmAd
Posted June 3, 2009

They have been OFF by default since April 2002 (7 full years ago) in php4.2 because of the huge security hole of allowing hackers to set session variables by simply putting same name GET parameters on the end of the URL when they visit your site. They have been completely removed in php6.

No web host, tutorial, script, book, xAMP package, php distribution, development system, or php developer should still have them on or rely on them at this point in time in the year 2009.

davestewart
Posted June 3, 2009

Yeah, that's what I thought. I will have to find out why the hell they are on in the first place.

Thanks for your input, it was really quick and most reassuring.

Cheers,
Dave

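Added example, not part of the original thread: a PHP check that could go in a bootstrap file on an inherited host to confirm whether register_globals is on and to list session keys that share a name with request parameters or page variables, such as the 'message' key discussed above. The function names and sample data are hypothetical, and the syntax is kept compatible with PHP 5.2.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical
// and the syntax is kept PHP 5.2-compatible, the version the poster runs.

// True when register_globals is enabled. ini_get() returns false on
// PHP >= 5.4, where the directive no longer exists.
function register_globals_enabled()
{
    $value = ini_get('register_globals');
    if ($value === false) {
        return false;
    }
    return in_array(strtolower(trim($value)), array('1', 'on', 'yes', 'true'), true);
}

// Session keys that share a name with a request parameter or a page
// variable. With register_globals on, request parameters and session
// entries are both exposed as same-named globals, which is how an
// unrelated $message can end up stored in the session.
function session_name_collisions(array $session, array $request, array $pageVars)
{
    $exposed = array_unique(array_merge(array_keys($request), $pageVars));
    return array_values(array_intersect(array_keys($session), $exposed));
}

// Constructed sample data mirroring the thread: an e-mail draft stored under
// $_SESSION['message'] and an unrelated page variable named $message.
$session  = array('message' => array('to' => 'user@example.com'), 'user_id' => 42);
$request  = array('page' => 'result');
$pageVars = array('message', 'status');

// register_globals cannot be changed with ini_set() at run time; it has to
// be switched off in php.ini or in per-directory server configuration.
echo 'register_globals: ', register_globals_enabled() ? 'ON' : 'off', "\n";

foreach (session_name_collisions($session, $request, $pageVars) as $name) {
    echo "collision: \$_SESSION['$name'] shares its name with \$$name\n";
}
```

In a real bootstrap file, pass $_SESSION, $_REQUEST and the list of variable names the page uses in place of the sample arrays.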