$_REQUEST
If you deploy php code and cannot control whether register_globals is off, place this snippet in your code to prevent session injections:
<?php
if (isset($_REQUEST['_SESSION'])) die("Get lost Muppet!");
?>
$_SESSION
$HTTP_SESSION_VARS [obsoleta]
$_SESSION -- $HTTP_SESSION_VARS [obsoleta] — Variáveis de sessão
Descrição
Um array associativo contendo variáveis de sessão disponíveis para o atual script. Veja a documentação das funções de Sessão para mais informação em como usar isto.
$HTTP_SESSION_VARS contém a mesma informação inicial, mas não é uma superglobal. (Note que $HTTP_SESSION_VARS e $_SESSION são diferentes variáveis e que o PHP manuseia-as diferentemente)
Changelog
| Versão | Descrição |
|---|---|
| 4.1.0 | Introduzida $_SESSION que torna obsoleta a $HTTP_SESSION_VARS. |
Notas
Nota:
Esta é uma 'superglobal', ou global automática, variável. Isto simplismente significa que ela está disponível em todos escopos pelo script. Não há necessidade de fazer global $variable; para acessá-la dentro de uma função ou método.
add a note
User Contributed Notes
$_SESSION - [6 notes]
Dave ¶
3 years ago
bohwaz ¶
4 years ago
Please note that if you have register_globals to On, global variables associated to $_SESSION variables are references, so this may lead to some weird situations.
<?php
session_start();
$_SESSION['test'] = 42;
$test = 43;
echo $_SESSION['test'];
?>
Load the page, OK it displays 42, reload the page... it displays 43.
The solution is to do this after each time you do a session_start() :
<?php
if (ini_get('register_globals'))
{
foreach ($_SESSION as $key=>$value)
{
if (isset($GLOBALS[$key]))
unset($GLOBALS[$key]);
}
}
?>
pike-php at kw dot nl ¶
2 years ago
When accidently assigning a unset variable to $_SESSION, like
$_SESSION['foo'] = $bar
while $bar was not defined, I got the following error message:
"Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. "
The errormessage was quite unrelated and got me off-track. The real error was, $bar was not defined.
charlese at cvs dot com dot au ¶
3 years ago
I was having troubles with session variables working in some environments and being seriously flaky in others. I was using $_SESSION as an array. It works properly when I used $_SESSION as pointers to arrays. As an example the following code works in some environments and not others.
<?php
//Trouble if I treate $form_convert and $_SESSION['form_convert'] as unrelated items
$form_convert=array();
if (isset($_SESSION['form_convert'])){
$form_convert=$_SESSION['form_convert'];
}
}
?>
The following works well.
<?php
if (isset($_SESSION['form_convert'])){
$form_convert = $_SESSION['form_convert'];
}else{
$form_convert = array();
$_SESSION['form_convert']=$form_convert;
}
?>
jherry at netcourrier dot com ¶
4 years ago
You may have trouble if you use '|' in the key:
$_SESSION["foo|bar"] = "fuzzy";
This does not work for me. I think it's because the serialisation of session object is using this char so the server reset your session when it cannot read it.
To make it work I replaced '|' by '_'.
Steve Clay ¶
4 years ago
Unlike a real PHP array, $_SESSION keys at the root level must be valid variable names.
<?php
$_SESSION[1][1] = 'cake'; // fails
$_SESSION['v1'][1] = 'cake'; // works
?>
I imagine this is an internal limitation having to do with the legacy function session_register(), where the registered global var must similarly have a valid name.