PHP question, $_SESSION[] gets changed by $_POST var

My server is acting really weird. I'm running PHP 5.1.2 with Register Globals = On.
I set some $_SESSION variables when the user logs in. But if the user submits a form, the $_SESSION var values get changed to the $_POST values. The POST variables do have some of the same names as the $_SESSION vars do (i.e. $_SESSION['user_name'], $_POST['user_name'], and regular $user_name). My first guess would be that it's because Register Globals is turned 'On'. But I still always write my variables strict. I'm always really careful of writing out the full variable type ($_POST, $_GET, and $_SESSION). So I would think that they would be safe.

This is what's happening in my code:

1. At login I set the admin_level in $_SESSION['admin_level'].

2. If that admin wants to create a new admin account for someone else (granted he has that privilege level), he submits a form with the $_POST['admin_level'] variable in it.

3. I do a lot of processing and validating with the variables before they are inserted into the db, so I save the $_POST vars in a regular var first ($admin_level = $_POST['admin_level'];). I only do this because it makes it a lot shorter to type repetitively. I'm guessing that this is where PHP thinks that I'm trying to change the $_SESSION['admin_level'].

I just set this server up on a brand new MacBook Pro. My previous server was configured the exact same way, with Register Globals turned On. In fact I think that I just copied the php.ini from my other server into the new one. But my other server never had this problem. Is this a problem with my server configuration in my php.ini? I don't understand why it's doing it now when it's never done it before on another server similarly configured.
It's because you have register globals on. They are both becoming $admin_level.
How to fix: Turn register_globals off. It's a huge security risk.
Stubru Freak
If you use Apache, and you don't want to turn off register globals for your whole site (because some old scripts still need it), you can turn it off for one directory by placing this in your .htaccess file:
php_flag register_globals off

Also consider using:
php_flag display_errors on
php_value error_reporting 2047

to also display notices in your code; they reveal a lot of possible mistakes.

Additionally, some people don't like these two, but they have their advantages:
php_flag short_open_tag off

So PHP doesn't parse an XML prolog.
php_flag magic_quotes_gpc off

Because not all input is saved in a database.
Surely, the most obvious answer would be to use slightly different names for the variables such as $adminlevel = $_SESSION['admin_level']. There won't be any clashes that way and you won't have to turn global variables off or mess about in any other way.
Yeah, that is what I ended up doing to fix this app. I've just always used the same names for $_POST variables as I do for my db field names. That way when I'm dealing with tons of variables and queries, I don't get confused about what gets inserted where.
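
The collision discussed in this thread, as an added example that is not code from any of the posters: with register_globals on, global variables and the $_SESSION entries of the same name reference the same value, so the shorthand copy writes into the session. Because register_globals was removed in PHP 5.4, the binding is simulated here with a PHP reference; $session, $post, read_new_admin_level(), register_globals_enabled() and the allow-list of levels are assumptions made for the illustration.

```php
<?php
// Added illustration, not code from the thread. $session and $post are
// constructed stand-ins for $_SESSION and $_POST so this runs from the CLI.

// True when the interpreter still honours register_globals. ini_get()
// returns false when the directive does not exist (PHP 5.4 and later).
function register_globals_enabled()
{
    $v = ini_get('register_globals');
    return $v !== false
        && in_array(strtolower((string) $v), array('1', 'on', 'yes', 'true'), true);
}

// Read the submitted level into a function-local variable and accept it only
// if it is on the allow-list; returns null otherwise.
function read_new_admin_level($post, $allowed)
{
    $raw = isset($post['admin_level']) ? $post['admin_level'] : null;
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $level = (int) $raw;
    return in_array($level, $allowed, true) ? $level : null;
}

$session = array('admin_level' => 1);    // set at login
$post    = array('admin_level' => '3');  // "create admin" form field

// Simulated register_globals binding: the global aliases the session entry.
$admin_level = &$session['admin_level'];
$admin_level = $post['admin_level'];     // the shorthand copy from the thread
echo "aliased copy:  session admin_level = ",
     var_export($session['admin_level'], true), "\n";

// Reset, then take the same input through the function instead.
unset($admin_level);                     // break the alias
$session['admin_level'] = 1;
$new_level = read_new_admin_level($post, array(1, 2, 3));
echo "function copy: session admin_level = ",
     var_export($session['admin_level'], true),
     ", new account level = ", var_export($new_level, true), "\n";
echo "register_globals enabled: ",
     var_export(register_globals_enabled(), true), "\n";
```

Calling register_globals_enabled() from a bootstrap file and refusing to start when it returns true catches a php.ini or .htaccess that has drifted back to the unsafe setting.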

© 2005-2011 Frihost, forums powered by phpBB.