newb $_SESSION question

[pfaffster]

I am trying to understand how session variables function.

The following simple two page test produces identical output for 'local' variables of the same name as their session counterparts.

As I understand it so far, this should not be.

 

Why does the following work:

 

 

url to page1: www.somedomain.com/page1.php?first=Harcord&last=Mudd&age=1

 

page1 code:

<?php session_start(); ?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Page1</title>
  </head>
  <body>
  <?php	
        $_SESSION['first']=$_GET['first'];
        $_SESSION['last']=$_GET['last'];
$_SESSION['age']=$_GET['age'];
echo "first: ".$_SESSION['first'].'<br />';
echo "last: ".$_SESSION['last'].'<br />';
        echo "age: ".$_SESSION['age'].'<br />';
   ?>
   <a href="/page2.php">Test</a>
  </body>
</html>

 

page2 code:

<?php session_start(); ?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Page2</title>
  </head>
  <body>
  <?php 		
	echo "first: ".$_SESSION['first'].'<br />';
	echo "Local first: ".$first.'<br />';
	echo "last: ".$_SESSION['last'].'<br />';
	echo "Local last: ".$last.'<br />';
        echo "age: ".$_SESSION['age'].'<br />';
	echo "Local age: ".$age.'<br />';
   ?>
   
  </body>
</html>

 

and the output of page2 after following the Test link:

 

first: Harcord

Local first: Harcord

last: Mudd

Local last: Mudd

age: 1

Local age: 1

 

The Local versions should be null, ...no?

[requinix]

Do you have the register_globals option enabled? That would be why they aren't null. The option tells PHP to automatically create $X variables for every $_SESSION["X"] (and some of the other superglobal arrays).

 

By the way, it is a bad thing and you should never rely on it.

[pfaffster]

Thank you Requinix, that is exactly what it was, Hostgator had it on by default for my account.

 

I thought I was missing something in my understanding, so I was off on a tangent, trying to figure out what that something was.  LOL

 

And yes I completely agree that it's a bad thing to rely on, given what the session variable are used for and am also at a loss as to why that option

exists at all.

[PFMaBiSmAd]

am also at a loss as to why that option exists at all.

 

So are we.

 

[rant]

The only way program variables should be set is if there's code to set them. register_globals has caused a huge amount of wasted time. They have also allowed a lot of web sites to be taken over, since you can set $_SESSION variables and program variables to any value you want, by simply suppling $_GET variables with the same name as the session or program variable. When this problem was first known, back in php4.2 in the year 2002, and register_globals were turned off by default, they should have been permanently and irrevocably tuned off. At that time, only a few thousand or a few 10's of thousands of web sites would have been affected, and those scripts/sites relying on register_globals would have all been updated long ago. However, since web hosts, the WAMP/LAMP packages, and php distributions continued to turn the setting on, you now have a large army of php coders, tutorials, books, schools, ..., created over the last 10 years, that think program variables are supposed to be automatically set from external data and don't even know about the security hole present. There are also a lot more web sites today (in the order of 100's of thousands) that are dependent on register_globals that will break under php5.4 (where this mess has finally been removed) and will now need to be upgraded to not rely on register_globals or will need to forever find a web host that offers an old version of php.

 

Every lazy-way short-cut that was put into php in the early days, that made it easier to turn in 'working' code in a programming class, by saving a little typing or getting the language to do something that the programmer should have been doing only when and where he wanted it happen, have been shown to create problems for people trying to use the language in real life.

[/rant]

[pfaffster]

PFMaBiSmAd, agreed.

 

I've seen this same lazy mode of thinking in other aspects of the IT industry, the notion that relational databases are outdated comes to mind.

Lot's of reinvention of the wheel,  to deal with non-existent problems,  that could be solved with simple application of existing, proven methodology.