Unexpected $_SESSION behavior - index as variable on glocal scope???

[andrew2704]

The following simple code demonstrates unexpected results on my setup:

 

File: test1.php:

 

<?php

session_start();

$_SESSION['email'] = "a@a.com";

?>

 

<html>

<body>

<form method="post" action="test2.php">

    <input type="text" name="email" />

    <input type="submit" name="submit" value="Submit" />

</form>

</body>

</html>

 

File: test2.php

 

<?php

session_start();

$email = "Testing 1, 2, 3!";

var_dump($_SESSION);

?>

 

 

This generates the $_SESSION array with idex 'email' == "Testing 1, 2,3!" Is this considered expected behavior?

 

 

 

 

 

[Felex]

if you use register_globals On, this is like it is used to be

[andrew2704]

Thanks - that is very helpful! Just checked and the service provider I am using has register_globals on by default.

 

[PFMaBiSmAd]

Welcome to php's biggest blunder (and the web hosts who continued the blunder by not turning them off when the security problem became known), register_globals.

 

You can also set the $_SESSION variable by submitting your form with the name='email' field or by putting ?email=anything a hacker wants here on the end of the URL when your page is requested. A lot of web sites where taken over because this allows a hacker to set the session variables that define them as an administrator to a script.

 

register_globals were turned off by default in php4.2 in the year 2002, they finally trigger a deprecated error message in php5.3, and they have been completely eliminated in php6. Your web host should have turned them off long 7 years ago. You can and should turn them off yourself in the master php.ini (when you have access to it), in a .htaccess file (when php is running as an Apache Module) or in a local php.ini (when php is running as a CGI application.)