sessions/globals question


darkhappy

I am getting this notification on my pages when running scripts:

 

Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0

 

I have done some research and as far as I can tell I am just using normal $_SESSION[''] variables, and forms to post data to $_REQUEST statements on other pages which are then stored into variables. Is this the correct (secure) way to go about it? I assume I will just disable the warning and be OK, but I want to make sure I am not going down the entirely wrong road since I am new to PHP.

 

thanks in advance....

 

 

- dhappy

https://forums.phpfreaks.com/topic/98636-sessionsglobals-question/

This is a bug in PHP, example:

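<?php
session_start();
$_SESSION['test'] = null; // session key 'test' exists but holds null
$test = 'foo';            // global variable with the same name as the session key
?>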

Even if register_globals is off PHP will report the session side-effect error. You can safely disable the session.bug_compat_42 setting by changing it in the php.ini, or add:

<?php ini_set('session.bug_compat_42', 0); ?>

to your script.

This error is triggered when you have a session variable and a program/post/get/cookie variable with the same name. This is after all a bug associated with the register globals code, even when the setting is turned off. I am guessing that the error message and the side effect mentioned are not clearly explained because the whole register globals issue was a huge blunder and an embarrassing security hole.

 

Try changing the name of your session variable so that it is not the same as any other program/post/get/cookie variable name.

 

 

Don't use $_REQUEST, use the actual $_POST (or $_GET or $_COOKIE) variable.

 

Using $_REQUEST, because it combines post/get/cookie, will cause inadvertent program operation if you add a same-name variable, such as a cookie, after you are already using it for a post variable.

 

Using $_REQUEST also removes one level of validation, because if you were only expecting data via a form post, some hacker could be sitting there changing values on the end of a url and submitting to your code using $_GET. By using $_REQUEST your code would happily keep accepting and operating on the $_GET values just the same as if they were $_POST values from your form. However, if you were using $_POST, your code would ignore the $_GET values the hacker was sending.
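The two $_REQUEST problems described in the reply above, as an added example that is not part of the original thread. The function names, the `amount` field, its 1 to 1000 range and the GET, POST, COOKIE merge order are assumptions made for illustration (the real order comes from request_order / variables_order in php.ini), and all input values are constructed.

```php
<?php
// Added example, not code from the thread. All inputs below are constructed.

// Mimics how PHP fills $_REQUEST: sources are merged and later ones
// overwrite earlier ones. The order GET, POST, COOKIE is an assumption here.
function build_request(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// Weak handler: takes the value from whichever channel supplied it.
function amount_from_request(array $request)
{
    return $request['amount'] ?? null;
}

// Stricter handler: the value must arrive in a POST body and must be an
// integer inside the range the form allows (hypothetical range 1..1000).
function amount_from_post(string $method, array $post): ?int
{
    if ($method !== 'POST' || !isset($post['amount'])) {
        return null;
    }
    $value = filter_var($post['amount'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    return $value === false ? null : $value;
}

// Case 1: no form was posted, the value was typed onto the end of the URL.
$get = ['amount' => '999'];
$post = [];
$cookie = [];
echo "Case 1, query string only\n";
var_dump(amount_from_request(build_request($get, $post, $cookie)));
var_dump(amount_from_post('GET', $post));

// Case 2: a genuine form post, plus a cookie that was later given the same name.
$get = [];
$post = ['amount' => '25'];
$cookie = ['amount' => '1'];
echo "Case 2, POST value shadowed by a same-name cookie\n";
var_dump(amount_from_request(build_request($get, $post, $cookie)));
var_dump(amount_from_post('POST', $post));
```

Run it with the PHP command-line interpreter and compare the two dumps in each case: the weak handler accepts whatever the merge produced, while the strict handler only ever sees the POST body.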
