PHP converting $_SESSION to $HTTP_SESSION_VARS - Tilted Forum Project Discussion Community

d*d · 05-11-2005, 01:43 AM

I had some scripts which used $_SESSION to register variables to a session, each page had session_start() at the top of the script and everything worked fine, however I now need to change them for php 4.0.6 and simply replacing $_SESSION with $HTTP_SESSION_VARS is not working
why????

manalone · 05-11-2005, 03:35 PM

could it be a register_globals issue?
http://ie.php.net/session_register

SinisterMotives · 06-01-2005, 06:48 AM

$HTTP_SESSION_VARS is not an auto-global, if I remember correctly. That means it is outside the scope of any function or method in your script. You could use register_globals, but that assumes your sysadmin will allow you to set PHP directives. If you can't do that, try putting this line in every function or method that refers to the session variables:

Code:

function my_func() {
global $HTTP_SESSION_VARS;
echo $HTTP_SESSION_VARS['some_var'];
}

WillyPete · 06-01-2005, 09:36 AM

Yeah.
$HTTP_SESSION_VARS is deprecated and should only be used on old versions of php. (pre 4.06) So it seems you're going back in time here...

That and many others were changed when PHP grew up a little.
There were bad security holes and they changed the globals to correct it.
I had a similar problem with legacy code a few months back.
http://www.tfproject.org/tfp/showthr...&highlight=php

Quote:

Originally Posted by WillyPete

F#ckit! GRRRRRRRRRRR!

Note to people new to PHP and having to take care of older code:
You need to turn Register_globals in php.ini to 'on' for older coded variables to work.
Either that or the more secure way of rewriting the variable to meet secure standards of taking script variables in from the URL line. ( $_GET )

Following my advice, if you turn the on you will pretty much set the php security to pre v4 levels.

Here's what I ended up having to do. Using $_GET, instead of some basic variables.
($preset was just another variable that was used to pull stuff from the URL - queries were passed in the url.)

Compare this: (PHPv5)

PHP Code:


			
if ($preset)

    {if (file_exists ($presetsdir.$preset.".preset"))

        {include ($presetsdir.$preset.".preset");

        }

        else

        {$t="no such preset";

        }

    }

To this: (PHPv3)

PHP Code:


			
if(!isset($_GET['preset'])){$preset = "";}

    else{$preset = $_GET['preset'];}

if ($preset)

    {if (file_exists ($presetsdir.$preset.".preset"))

        {include ($presetsdir.$preset.".preset");}

        else

        {$t="no such preset";}

    }

Also, have a look at these:
http://us4.php.net/manual/en/functio...n-register.php

Quote:

If you are using $_SESSION (or $HTTP_SESSION_VARS), do not use session_register(), session_is_registered(), and session_unregister().

http://www.mcs.vuw.ac.nz/technical/s...ef.session.htm

Quote:

Note: As of PHP 4.1.0, $_SESSION is available as global variable just like $_POST, $_GET, $_REQUEST and so on. Not like $HTTP_SESSION_VARS, $_SESSION is always global. Therefore, global should not be used for $_SESSION.

If track_vars is enabled and register_globals is disabled, only members of the global associative array $HTTP_SESSION_VARS can be registered as session variables. The restored session variables will only be available in the array $HTTP_SESSION_VARS

http://www.alexking.org/blog/2003/10...p-superglobal/

Quote:

I’m using the $_SESSION superglobal in my multi-user tasks development instead of the older $HTTP_SESSION_VARS superglobal. To keep backward compatability, I was creating a $_SESSION variable if one didn’t already exist and just setting it to $HTTP_SESSION_VARS. This way, I could just always look for the $_SESSION variable and still be compatible with older versions of PHP.

If you are running a version of PHP that doesn’t have the $_SESSION variable, I need to declare the $_SESSION variable I created as a global variable within a function if I want to reference the data in the $_SESSION. If I declare the $_SESSION variable as global in a version of PHP that already has the $_SESSION variable, I break it.

One solution would be to write my own code for putting and retrieving data into sessions. I could wrap everything and talk to either the $_SESSION or $HTTP_SESSION_VARS as needed. I’d also have to do this for the $_REQUEST variable and others. This would be a lot of extra code. Actually, I bet I’ve already broken this somewhere. Turning on globals is not an option.

And finally, a page where someone actually writes a walkthrough of the same issue:
http://www.phpbuilder.com/tips/item....6&print_mode=1

05-11-2005, 01:43 AM	#1 (permalink)
d*d Addict	PHP converting $_SESSION to $HTTP_SESSION_VARS I had some scripts which used $_SESSION to register variables to a session, each page had session_start() at the top of the script and everything worked fine, however I now need to change them for php 4.0.6 and simply replacing $_SESSION with $HTTP_SESSION_VARS is not working why????

05-11-2005, 03:35 PM	#2 (permalink)
manalone Once upon a time...	could it be a register_globals issue? http://ie.php.net/session_register __________________ -- Man Alone ======= Abstainer: a weak person who yields to the temptation of denying himself a pleasure. Ambrose Bierce, The Devil's Dictionary.

06-01-2005, 06:48 AM	#3 (permalink)
SinisterMotives Junkie	$HTTP_SESSION_VARS is not an auto-global, if I remember correctly. That means it is outside the scope of any function or method in your script. You could use register_globals, but that assumes your sysadmin will allow you to set PHP directives. If you can't do that, try putting this line in every function or method that refers to the session variables: Code: function my_func() { global $HTTP_SESSION_VARS; echo $HTTP_SESSION_VARS['some_var']; }