$_SESSION variables

Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Post by Stryks »

I read somewhere around here how a variable is set if appended to a URL (eg. page.php?variable=set) and how this poses a threat if the variable is called.

I am simply wondering if it is possible to set a $_SESSION variable in this way, or if it refers only to standard vars (eg. $myVar).
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

register globals refers to all $_* vars getting parsed into $key=>$value pairs at page start.

with register globals on this is real bad:

<?php

// $foo is deliberately never initialized: with register_globals on, a value
// from the query string (foo=...) becomes its starting value before the loop.
for($i = 0; $i < 5; $i++)
  $foo .= '@';

// Prints whatever the request supplied, followed by the five appended '@'.
echo $foo;

?>
calling that script with

bar.php?foo=weeeeeeee
will output:

weeeeeeee@@@@@
not too bad here..

you can take precautions to make sure register_globals doesn't affect your script much.. like ALWAYS initializing variables. All $_* variables should be scrutinized and sanitized, because all of them come from outside your control area.


but to answer your question about sessions... not directly.
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Post by Stryks »

Feyd, thanks for the info, though I'm still a little confused. (I'm doing a lot of this today for some reason)

Are you saying that if I initialize the variable then it's protected? Actually, this is because variables are initialized to '' right, so any malicious content is lost.

That is OK, I think I get that .. but what about specifically the $session variable. Just that you say to beware of all $_* variables, but then say they cannot directly affect the $_SESSION ones. At least that's what I think you are saying.

It's just that I have designed my site around the idea that the $_SESSION group were my safe area, so to speak, and as such I have got all of their basic info in there so it travels with them through the site. As an example, I do an IP retrieval (as you helped with earlier - thanks) and unless the IP changes or the session expires, they are still given an auth value to determine what areas they can access.

Keeping in mind that I didn't want to allow users to set themselves a level, the auth level is set at login directly from the database, so it can't really be forced by any register_globals issue as far as I can tell.

So, would someone be able to set the $_SESSION value which contains their auth level in the way described? Perhaps the act of calling session_start() would re-initialize the $_SESSION tree anyhow?

Any thoughts? Thanks.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

as far as I know, calling session_start() will wipe any register global related problem, but I don't think a register global'd in variable is allowed to overwrite a superglobal.. although I have not tested that.
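As an added example (not code from either poster), here is the shape the thread converges on in PHP: the uninitialized-variable hazard feyd describes, beside initializing every variable, reading input only from its superglobal, and writing the auth level into $_SESSION only at login from the database. lookupAuthLevel() and its sample user record are hypothetical stand-ins for the real database query.

```php
<?php
// Added example, not from the thread: the register_globals hazard feyd
// describes beside the defenses the thread arrives at. lookupAuthLevel()
// and its sample record are hypothetical stand-ins for the real database.
session_start();

// Vulnerable shape (register_globals on, PHP before 5.4): $authLevel is never
// initialized, so page.php?authLevel=9 would have filled it before this line
// ran, just as foo=... filled $foo in the post above.
// if ($authLevel >= 9) { show_admin_panel(); }

// Defense 1: initialize every variable before use, so a URL-supplied value
// cannot survive past this assignment.
$authLevel = 0;

// Defense 2: read request input explicitly from its superglobal, never from
// a bare variable name.
$user = isset($_POST['user']) ? (string) $_POST['user'] : '';
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';

/** Hypothetical: look the user up in the database; returns level or null. */
function lookupAuthLevel(string $user, string $pass): ?int
{
    // Constructed sample record standing in for a real user table.
    $users = ['alice' => ['hash' => password_hash('secret', PASSWORD_DEFAULT), 'level' => 2]];
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return null;
    }
    return $users[$user]['level'];
}

// Defense 3: $_SESSION['auth'] is written in exactly one place, at login,
// from the database result, on a freshly issued session id.
if ($user !== '' && ($level = lookupAuthLevel($user, $pass)) !== null) {
    session_regenerate_id(true);
    $_SESSION['auth'] = $level;
    $_SESSION['ip']   = $_SERVER['REMOTE_ADDR'] ?? '';
}

// Defense 4: authorization is read back from $_SESSION, and the IP check the
// poster describes discards the session if the address changed.
if (isset($_SESSION['auth'], $_SESSION['ip'])
    && $_SESSION['ip'] === ($_SERVER['REMOTE_ADDR'] ?? '')) {
    $authLevel = (int) $_SESSION['auth'];
} else {
    $_SESSION = [];
}

echo $authLevel >= 2 ? "member area\n" : "guest\n";
```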