darkhappy Posted March 30, 2008 Share Posted March 30, 2008 I am getting this notification on my pages when running scripts: Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0 I have done some research and as far as I can tell I am just using normal $_SESSION[''] variables, and forms to post data to $_REQUEST statements on other pages which are then stored into variables. Is this the correct (secure) way to go about it? I assume I will just disable the warning and be Ok but want to make sure I am not going down the entirely wrong road since I am new to PHP. thanks in advance.... - dhappy Quote Link to comment https://forums.phpfreaks.com/topic/98636-sessionsglobals-question/ Share on other sites More sharing options...
wildteen88 Posted March 30, 2008 Share Posted March 30, 2008 This is a bug in PHP, example: session_start(); $_SESSION['test'] = null; $test = 'foo'; Even if register_globals is off PHP will report the session side-effect error. You can safely disable the session.bug_compat_42 setting by changing it in the php.ini, or add: <?php ini_set('session.bug_compat_42', 0); ?> To your script. Quote Link to comment https://forums.phpfreaks.com/topic/98636-sessionsglobals-question/#findComment-504792 Share on other sites More sharing options...
darkhappy Posted March 30, 2008 Author Share Posted March 30, 2008 cool thanks! Quote Link to comment https://forums.phpfreaks.com/topic/98636-sessionsglobals-question/#findComment-504796 Share on other sites More sharing options...
PFMaBiSmAd Posted March 30, 2008 Share Posted March 30, 2008 This error is triggered when you have a session variable and a program/post/get/cookie variable with the same name. This is after all a bug associated with the register globals code, even when the setting is turned off. I am guessing that the error message and the side effect mentioned are not clearly explained because the whole register globals issue was a huge blunder and an embarrassing security hole. Try changing the name of your session variable so that it is not the same as any other program/post/get/cookie variable name. Don't use $_REQUEST, use the actual $_POST (or $_GET of $_COOKIE) variable. Using $_REQUEST, because it combines post/get/cookie will cause inadvertent program operation if you add a same name variable, such as a cookie after you are already using it for a post variable. Using $_REQUEST also removes one level of validation, because if you were only expecting data via a form post, some hacker could be sitting there changing values on the end of a url and submitting to your code using $_GET. By using $_REQUEST your code would happily keep accepting and operating on the $_GET values just the same as if they were $_POST values from your form. However, if you were using $_POST, your code would ignore the $_GET values the hacker was sending. Quote Link to comment https://forums.phpfreaks.com/topic/98636-sessionsglobals-question/#findComment-504824 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.