Annoying PHP session problem


chrischen


OK, for some reason whenever I visit my partner.php file it sets the session variable $_SESSION['partnerid'] to the $_GET['id'] value even though there is NO code in the source that says that. Even odder, it only does this if the $_SESSION['partnerid'] is already set.

 

For example if I visit the partner.php?id=5 with my $_SESSION['partnerid'] = 2 it will set the $_SESSION['partnerid'] = 5 for some reason.

However if my $_SESSION['partnerid'] is empty it will not set anything.

 

 

This is the ONLY code on the page that sets session variables... So I don't know why it keeps doing it.

if (isset($_POST['setpartneridform'])) {
    // [database query to get the name and ID based on the ID specified from the form]
    $_SESSION['name'] = $query['partnername'];
    $_SESSION['partnerid'] = $query['partnerID']; // I set this equal to 'asdf' except when I load partner.php?id=5 it still equals 5, not asdf
    setcookie("name", $query['partnername'], time() + 31536000, "/");
    setcookie("partnerID", $query['partnerID'], time() + 31536000, "/");
    mysql_free_result($query);
    $success = '<br /><span style="color:#00CC00">Yay.</span>';
}

 

I've tested it and it's not setting the $_SESSION variable because of this code. I tried changing $_SESSION['partnerid'] = asdf for the code above but when I access partner.php?id=whatever it returns whatever, not 5. This has been bugging me PLEASE HELP.

 

 


Hi,

Can you check what $query['partnerID'] returns? I mean, check your query once. It might be returning 5, hence it gets set to 5 every time. And write your code:

if (!isset($_REQUEST['partner_id'])) { // if not found in $_GET
    // execute your query
}

 

Regards

 


It doesn't return 5 every time. I know this because if I post the form it correctly sets the session. However, when I just load the page it changes the session to the $_GET['id'] parameter, which it shouldn't be doing. When I just load the page it doesn't even run that chunk of code. In fact I deleted that chunk of code and it was still doing it.

 

However if I clear my session variable and load the pages it does not set the session to the GET variable.

 

I did some more testing and noticed that (this is with the $_SESSION['partnerid'] hardcoded to equal 'set oid' when the form is posted) when I post the form and have it set the session it will set it to 'set oid' like I have it but once the session is set, and I refresh the page or enter a new value for GET['id'] in the url it will reset it to the GET value.


Here's a link to the partner.php. I've isolated it from the site just so I can figure this out. http://www.shopwisely.org/partners.php?id=1

 

Right now only id = 1 and 2 are in the database. Anything else will not return a record; however, for some odd reason it will still set the session variable. This means the database query can't be causing it because the database query should not even return a number. The session is printed at the top left corner for your convenience.


Actually this is an annoying register globals problem. When you set the cookie that has the same name as the session variable, it changes the session variable because thanks to register globals they are mapped to the same variable.

 

Register globals, in addition to being a security problem because they allow external post/get/cookie values to replace session variables, has the unfortunate side effect of changing other same name variables when you don't want them to be the same.

 

[rant]

Sadly, these problems were known back in 2002 and register globals were turned off by default in php4.2. No one and no hosting company should have turned them on unless absolutely necessary (to allow existing code to work while it was being rewritten to not rely on them.) Unfortunately, most hosting companies simply globally turned register globals back on, rather than requiring individual accounts to turn them on only when needed. And here we are almost 6 years later still seeing problems caused by register globals. Thank goodness they have finally been eliminated in php6 (just think how much faster the php language will run not having to do all that extra processing.)

[/rant]
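The aliasing behind this answer, as an added example that is not part of the original thread: with register_globals on, a key already stored in the session and the global variable of the same name share one value, so an ordinary assignment rewrites the session. The directive was removed in PHP 5.4, so the sketch emulates the binding with references; `simulate_request()` and the page line `$partnerid = $_GET['id'];` are assumptions, since the thread never shows the line that touches the variable.

```php
<?php
// Added example: emulates register_globals aliasing with references so it
// runs on current PHP. All names and sample values are constructed.

/**
 * Simulate one request to a page whose only relevant line is the
 * hypothetical assignment `$partnerid = $_GET['id'];`.
 *
 * @param array $session         session contents at the start of the request
 * @param array $get             query-string parameters
 * @param bool  $registerGlobals emulate register_globals=On when true
 * @return array session contents at the end of the request
 */
function simulate_request(array $session, array $get, bool $registerGlobals): array
{
    $globals = []; // stands in for the script's global symbol table

    if ($registerGlobals) {
        // Request input is imported as plain globals: ?id=5 becomes $id.
        foreach ($get as $name => $value) {
            $globals[$name] = $value;
        }
        // Each key already in the session is bound by reference to the
        // global of the same name, so the two share one value.
        foreach (array_keys($session) as $name) {
            $globals[$name] = &$session[$name];
        }
    }

    // The page's own code: a plain variable assignment, no $_SESSION write.
    $globals['partnerid'] = $get['id'];

    unset($globals); // drop the references before returning the session
    return $session;
}

// Constructed requests: the two cases from the thread, plus the directive off.
$cases = [
    'session set, register_globals on'   => [['partnerid' => '2'], true],
    'session empty, register_globals on' => [[], true],
    'session set, register_globals off'  => [['partnerid' => '2'], false],
];
foreach ($cases as $label => [$session, $on]) {
    $after = simulate_request($session, ['id' => '5'], $on);
    printf("%-36s => %s\n", $label, json_encode($after));
}
```

On a host still running PHP older than 5.4, the fix is `register_globals = Off` in php.ini and reading input only through `$_GET`, `$_POST` and `$_COOKIE`.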
