Home » Php » How to call the session variable? – PHP

How to call the session variable? – PHP

Posted by: admin February 22, 2020 Leave a comment

Q(Question):

Hi,

As you have recommended I did not use the session_register(). In one
file I have executed such line:
$_session[‘ex’] = 2.0;

Then, in another file, I have executed the following line:
$ex = 3.0.

And than I have noticed that the previous assignment is seen
everywhere (on other pages). So, as far as I understood, after the
usage of $_session[‘ex’] = 2.0, the $ex variable becomes a session
variable. Moreover, $ex and
$_session[‘ex’] variables are the same variable! In other words, I
have to call $_session[‘ex’] just the first time. After I did it once
I can use just $ex (instead of $_session[‘ex’]). Is that true?

A(Answer):

Kurda Yon wrote:

Hi,

As you have recommended I did not use the session_register(). In one
file I have executed such line:
$_session[‘ex’] = 2.0;

Then, in another file, I have executed the following line:
$ex = 3.0.

And than I have noticed that the previous assignment is seen
everywhere (on other pages). So, as far as I understood, after the
usage of $_session[‘ex’] = 2.0, the $ex variable becomes a session
variable. Moreover, $ex and
$_session[‘ex’] variables are the same variable! In other words, I
have to call $_session[‘ex’] just the first time. After I did it once
I can use just $ex (instead of $_session[‘ex’]). Is that true?

No. $_SESSION[‘ex’] (NOT $_session[‘ex’] – case IS important!) just
sets the value in the array. Nothing more, nothing less.

$ex is a completely different variable, completely unrelated to the
value in the $_SESSION array.

It’s no different than having $abc and my_array[‘abc’]. Two entirely
different variables.

==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

A(Answer):

"Jerry Stuckle" <js*******@attglobal.netwrote in message
news:7L******************************@comcast.com. ..

Kurda Yon wrote:

>Hi,

As you have recommended I did not use the session_register(). In one
file I have executed such line:
$_session[‘ex’] = 2.0;

Then, in another file, I have executed the following line:
$ex = 3.0.

And than I have noticed that the previous assignment is seen
everywhere (on other pages). So, as far as I understood, after the
usage of $_session[‘ex’] = 2.0, the $ex variable becomes a session
variable. Moreover, $ex and
$_session[‘ex’] variables are the same variable! In other words, I
have to call $_session[‘ex’] just the first time. After I did it once
I can use just $ex (instead of $_session[‘ex’]). Is that true?

No. $_SESSION[‘ex’] (NOT $_session[‘ex’] – case IS important!) just sets
the value in the array. Nothing more, nothing less.

$ex is a completely different variable, completely unrelated to the value
in the $_SESSION array.

It’s no different than having $abc and my_array[‘abc’]. Two entirely
different variables.


==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

A(Answer):

What an idiot! He tested and they are related – that’s a fact. How many
times I told you in other threads the same thing?

I have never called you an idiot in those other threads, but finally there
is a limitation. It’s okay to be an idiot, but don’t come to this forum to
confuse others.

A(Answer):

Your observationb is absolutely accurate!

Yes, you are can use either $_SESSIN["a"] and $a, and they mean the same
thing when globals are registered.

Have said that, it does not mean that I promote it, on the contrary, I have
to tell you that it is absolutely a bad practice, and I expect that this
magic will go away entirely.

A(Answer):

How long have you been using PHP? I only started to read my first PHP book
last weekend. Oh man, you are kidding me… That’s why Hillary’s experience
argument is so weak.

A(Answer):

Trust yr own testing and judgement first, and be very careful what you hear
in this forum.

A(Answer):

If your knowledge violates testing result, go update your knowledge, don’t
dig deeper.

A(Answer):

the OP has been diligently testing and trying, and the best you can do is to
dis his ideas with baseless words. God bless the OP.

A(Answer):

I should have been nicer. There was no point to lash out on you just because
you didn’t know things. Peace!

But facts are facts. Go learn more about session, to be precise how php
handles it. Learn before start teaching.

A(Answer):

What the hell is going on here!?!

Anyway… This happens, when register_globals
(http://de.php.net/register_globals) is active (see first comment), which
is also a sure sign, that you should really change your hoster because of
incompetence.
At least, you should manually turn it of either using .htaccess or ini_set()
(latter one might not work, because GPC variables are registered before
ini_set() is executed. I’m too lazy to consult the manual, do it yourself)

Note, that this will force you to use the $_POST/$_GET/$_REQUEST arrays,
although you should REALLY do that any.
Kurda Yon wrote:

Hi,

As you have recommended I did not use the session_register(). In one
file I have executed such line:
$_session[‘ex’] = 2.0;

Then, in another file, I have executed the following line:
$ex = 3.0.

And than I have noticed that the previous assignment is seen
everywhere (on other pages). So, as far as I understood, after the
usage of $_session[‘ex’] = 2.0, the $ex variable becomes a session
variable. Moreover, $ex and
$_session[‘ex’] variables are the same variable! In other words, I
have to call $_session[‘ex’] just the first time. After I did it once
I can use just $ex (instead of $_session[‘ex’]). Is that true?

A(Answer):

Peter Pei wrote:

Trust yr own testing and judgement first, and be very careful what you
hear in this forum.

Peter,

You talk/write too much.

A(Answer):

"Peter Pei" <ya****@telus.comschreef in bericht
news:[email protected]
……
.. Learn before start teaching.

>

Please Peter, read this http://www.cs.tut.fi/~jkorpela/usenet/dont.html
especially number 3

…….. You should include some indication of what you are responding to;
either quote a key sentence………..
greetings,

A(Answer):

On 14 Jan, 10:13, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m…@spam yourself.comwrote:

Peter Pei wrote:

Trust yr own testing and judgement first, and be very careful what you
hear in this forum.

Peter,

You talk/write too much.

And quote too little.

Hopefully he will go away soon.

A(Answer):

On Mon, 14 Jan 2008 12:51:23 +0100, Captain Paralytic
<pa**********@yahoo.comwrote:

On 14 Jan, 10:13, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m…@spam yourself.comwrote:

>Peter Pei wrote:

Trust yr own testing and judgement first, and be very careful what you
hear in this forum.

Peter,

You talk/write too much.

And quote too little.

Hopefully he will go away soon.

Amazingly, he managed to get into the filter in 2 days. Now if everyone
kindly stops responding to him I’m a happy bunny 🙂

Rik Wasmus

A(Answer):

Luuk wrote:

"Peter Pei" <ya****@telus.comschreef in bericht
news:BRBij.[email protected]
…..
. Learn before start teaching.

Please Peter, read this http://www.cs.tut.fi/~jkorpela/usenet/dont.html
especially number 3

……. You should include some indication of what you are responding to;
either quote a key sentence………..

greetings,

Don’t worry. He doesn’t believe in following netiquette. I’ve already
plonked him – as have a lot of people. I don’t even see his messages
any more.

Much nicer.


==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

A(Answer):

Rik Wasmus wrote:

On Mon, 14 Jan 2008 12:51:23 +0100, Captain Paralytic
<pa**********@yahoo.comwrote:

>On 14 Jan, 10:13, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m…@spa myourself.comwrote:

>>Peter Pei wrote:
Trust yr own testing and judgement first, and be very careful what you
hear in this forum.

Peter,

You talk/write too much.

And quote too little.

Hopefully he will go away soon.

Amazingly, he managed to get into the filter in 2 days. Now if everyone
kindly stops responding to him I’m a happy bunny 🙂

You, too, Rik? It’s almost a record here.


==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

A(Answer):

..oO(Peter Pei)

>What an idiot! He tested and they are related – that’s a fact. How many
times I told you in other threads the same thing?

How many times you were told that you’re wrong? $_SESSION[‘foo’] and
$foo are only related if register_globals is turned on. A simple test:

<?php
session_start();

if (isset($_GET[‘show’])) {
print ‘<pre>’;
print_r($_SESSION);
var_dump($foo);
var_dump($bar);
print ‘</pre>’;
} else {
$_SESSION[‘foo’] = 23;
$_SESSION[‘bar’] = 42;
}
print "<a href='{$_SERVER[‘PHP_SELF’]}?show’>next</a>";
?>

After calling the script and clicking the link, the result with
register_globals = ON will be:

Array
(
[foo] =23
[bar] =42
)
int(23)
int(42)

This is what the OP got. Now the same thing with register_globals = OFF:

Array
(
[foo] =23
[bar] =42
)

Notice: Undefined variable: foo in …
NULL

Notice: Undefined variable: bar in …
NULL

This is how it should be on a properly configured system.

Micha

A(Answer):

You are obviously right, and that’s exactly what I have said all the time in
every threads I partricipated. Did you get yourself familiar with the
context before you jump in?

If you did, you could have saved yourself some precious time instead of
coming up with sample code that we all know. Jerry’s problem is that he
insisted that $_SESSION[‘a’] and $a are unrelated regardless whether
register_global is on.

A(Answer):

That’s your lost not mine

A(Answer):

Aman!

A(Answer):

On 14 Jan, 09:59, Jonas Werres <jo…@example.orgwrote:

Kurda Yon wrote:

Hi,

As you have recommended I did not use the session_register(). In one
file I have executed such line:
$_session[‘ex’] = 2.0;

Then, in another file, I have executed the following line:
$ex = 3.0.

And than I have noticed that the previous assignment is seen
everywhere (on other pages). So, as far as I understood, after the
usage of $_session[‘ex’] = 2.0, the $ex variable becomes a session
variable. Moreover, $ex and
$_session[‘ex’] variables are the same variable! In other words, I
have to call $_session[‘ex’] just the first time. After I did it once
I can use just $ex (instead of $_session[‘ex’]). Is that true?

What the hell is going on here!?!

Anyway… This happens, when register_globals
(http://de.php.net/register_globals) is active (see first comment), which
is also a sure sign, that you should really change your hoster because of
incompetence.
At least, you should manually turn it of either using .htaccess or ini_set()
(latter one might not work, because GPC variables are registered before
ini_set() is executed. I’m too lazy to consult the manual, do it yourself)

Note, that this will force you to use the $_POST/$_GET/$_REQUEST arrays,
although you should REALLY do that any.

Please do not top post.

A(Answer):

..oO(Peter Pei)

>You are obviously right, and that’s exactly what I have said all the time in
every threads I partricipated. Did you get yourself familiar with the
context before you jump in?

Sure I do, even if all your postings are without any context. You also
claimed that register_globals is broken in PHP 5.2.5, which in fact it
isn’t.

>If you did, you could have saved yourself some precious time instead of
coming up with sample code that we all know. Jerry’s problem is that he
insisted that $_SESSION[‘a’] and $a are unrelated regardless whether
register_global is on.

Wrong again. Do _you_ read what you’re replying to? He said:

| It used to – there is a parm in the php.ini file called
| register_globals.
|
| In earlier versions, this was enabled and would do what you want.
| However, this is a huge security risk and has been disabled by default
| in recent versions.

The rest of the sub thread was based on that, no need to repeat it over
and over again. Additionally register_globals are dead, so it makes
perfect sense to say that $_SESSION[‘foo’] and $foo are not related in
any kind, because that’s how it is by default (since years!) and on
every properly configured system.

Micha

A(Answer):

I wouldn’t bother Michael, the guy is a dick-head. He posts completly

out of context and never talks sense. He has a way over inflated sense
of his own worth and usefulness.

I have to admit, if his posts have content worth reading (and unfortunately
he posts many which have not), he is right. Which is something postings in
this group often lack.
He might be quite annoying, but those postings are easy to skip. The other
ones are sometimes the only correct responses to a question.

A(Answer):

On 14 Jan, 17:31, Jonas Werres <jo…@example.orgwrote:

I wouldn’t bother Michael, the guy is a dick-head. He posts completly
out of context and never talks sense. He has a way over inflated sense
of his own worth and usefulness.

I have to admit, if his posts have content worth reading (and unfortunately
he posts many which have not), he is right. Which is something postings in
this group often lack.
He might be quite annoying, but those postings are easy to skip. The other
ones are sometimes the only correct responses to a question.

But how do you tell. There is never any context to the post as he
never quotes anything and if his good posts to his bad ones are in a
ratio of 1 to 99, the chances are better that you have a crap post
than a good one.

A(Answer):

Anyway… This happens, when register_globals

(http://de.php.net/register_globals) is active (see first comment), which
is also a sure sign, that you should really change your hoster because of
incompetence.

Will I be able to use global variables after I turn off the
register_globals? In my code I use the global variables extensively,
and I would not like to rewrite everything. By the way, way it is so
bad if the register_global is turned on? I do not see any problems in
the effect that I have described in my first post.

A(Answer):

Kurda Yon wrote:

>Anyway… This happens, when register_globals
(http://de.php.net/register_globals) is active (see first comment), which
is also a sure sign, that you should really change your hoster because of
incompetence.

Will I be able to use global variables after I turn off the
register_globals? In my code I use the global variables extensively,
and I would not like to rewrite everything. By the way, way it is so
bad if the register_global is turned on? I do not see any problems in
the effect that I have described in my first post.

Global variables (which you shouldn’t use) will still work.
register_globals just affects $_SESSION, $_COOKIE, $_GET and $_POST.

And yes, you should think about rewriting your code to get rid of global
variables. They make troubleshooting your code and changes much harder.


==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

A(Answer):

OK. But, what is the problem with the "turned on register_globals"? I
read about the problem here:
http://shsc.info/ShittyPHPFeatures

And they explain the problem by the following example:
if ($_COOKIE[‘adminpassword’] == ‘secret’)
$admin = TRUE;
….
if ($admin) destroy_website();

If somebody load the website like that:
website.php?admin=1
the website will be destroyed.

But I do not understand how the given example is related with the
global variables? The described example will be a problem even if the
$admin is NOT a global variable. Isn’t?

A(Answer):

..oO(Kurda Yon)

>Anyway… This happens, when register_globals
(http://de.php.net/register_globals) is active (see first comment), which
is also a sure sign, that you should really change your hoster because of
incompetence.

Will I be able to use global variables after I turn off the
register_globals?

Sure. You just won’t be able to directly access any posted or session
data just by using a variable anymore, you would have to use the arrays
$_GET, $_POST etc. instead.

>In my code I use the global variables extensively,
and I would not like to rewrite everything. By the way, way it is so
bad if the register_global is turned on? I do not see any problems in
the effect that I have described in my first post.

If your scripts are not properly written with register_globals in mind
(and most scripts are not properly written like that), then it’s very
easy to overwrite uninitialized internal variables simply by passing a
URL parameter for example:

if (userIsAuthenticated()) {
$login = TRUE;
}

if ($login) {
// do something "secure"
}

You can find a lot of scripts which are written as bad as this simple
example. This code would at least throw a notice on an unauthenticated
run, but E_NOTICE is disabled by default. Then with register_globals
enabled all it needs is <http://example.com/secure.php?login=1to gain
access. It can get even worse if you use cookies and sessions – all
these data from all the different sources will be put into the global
namespace, overwriting each other in case of a name clash. Good luck
with finding out where the value of a variable actually came from …

register_globals is BAD (broken as designed) and disabled by default for
good reasons. It will be completely removed in PHP 6. If your code still
relies on it, it’s time to start rewriting it.

Micha

A(Answer):

Kurda Yon wrote:

OK. But, what is the problem with the "turned on register_globals"? I
read about the problem here:
http://shsc.info/ShittyPHPFeatures

And they explain the problem by the following example:
if ($_COOKIE[‘adminpassword’] == ‘secret’)
$admin = TRUE;

if ($admin) destroy_website();

If somebody load the website like that:
website.php?admin=1
the website will be destroyed.

But I do not understand how the given example is related with the
global variables? The described example will be a problem even if the
$admin is NOT a global variable. Isn’t?

Because with register_globals on,

http://www.example.com?admin=1

sets $admin to 1 (true).

==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

A(Answer):

>

Because with register_globals on,

http://www.example.com?admin=1

sets $admin to 1 (true).

It is confusing because if I think about register_globals, I think
that it should be something to do with the global variables. But it
seems to be not related with the global variables. In the above
example if $admin is NOT a global variable, we still will have the
described problem. So, it is no matter if $admin is global or not. The
matter is that the script can take variables from the address line.
And with the "register_global off" we force the script NOT to take the
values from the address line. But it seems to me only a partial
solution, because hacker will try to pass the value of the $admin
through the form variables (or it is impossible?). So we should to
tell the script not to accept the form variables?

A(Answer):

Kurda Yon wrote:

>Because with register_globals on,

http://www.example.com?admin=1

sets $admin to 1 (true).

It is confusing because if I think about register_globals, I think
that it should be something to do with the global variables. But it
seems to be not related with the global variables. In the above
example if $admin is NOT a global variable, we still will have the
described problem. So, it is no matter if $admin is global or not. The
matter is that the script can take variables from the address line.
And with the "register_global off" we force the script NOT to take the
values from the address line. But it seems to me only a partial
solution, because hacker will try to pass the value of the $admin
through the form variables (or it is impossible?). So we should to
tell the script not to accept the form variables?

Even if they pass it through a form it won’t make any difference. With
register_globals off, the value will only be available in
$_POST[‘admin’] or $_GET[‘admin’], depending on whether the method is
POST or GET. $admin is not changed.


==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

A(Answer):

But how do you tell. There is never any context to the post as he

never quotes anything

Oh come on. Is there still anyone left whose newsreader does not display
trees?

A(Answer):

On 15 Jan, 12:59, Jonas Werres <jo…@example.orgwrote:

But how do you tell. There is never any context to the post as he
never quotes anything

Oh come on. Is there still anyone left whose newsreader does not display
trees?

But try tracking those trees when there are 15 other posts in between

A(Answer):

On Tue, 15 Jan 2008 13:59:08 +0100, Jonas Werres <jo***@example.orgwrote:

>But how do you tell. There is never any context to the post as he
never quotes anything

Oh come on. Is there still anyone left whose newsreader does not display
trees?

Yes, I have a treeview, no, I usually don’t feel like going manually
stepping back to see the exact previous post. On top of that, some message
may be dropped/lost on certain newsservers, you cannot count on the fact
that everybodies newsserver carries exactly all articles. Some newsservers
are more reliable then others in that aspect, and yes, as soon as I
realise my newsserver drops to much articles, I’ll switch. It’s a pain
though.

For us more intensive usenet users (hmmm alliteration), we usually have
fine mechanisms to step though ‘unread articles’ or ‘new messages in
watched threads’. By simply opening my newsreader and using the spacebar I
can cycle through all new messages. If they have context, I usually
remember what the topic is about and/or can deduce what it’s about by the
quote. Being forced to step back and reading the previous article, or
perhaps even the N preceding articles as it is an ongoing conversation,
wastes terrible amounts of my time. I do enjoy answering questions/giving
input here, but as long as I don’t get paid, make it easy for me (on an
hourly rate it’s not my problem having to spend more time :P). People who
insist on not quoting even after they’ve been pointed out netiquette will
get into the kill filter. Too bad for them, but maybe they don’t care. I’d
rather help people who aren’t to lazy to spend the minimum amount of
effort to make it easy to give them an answer. Also, to err is human, even
the most carefull and knowledgable contributors to this group sometimes
assumes or overlooks something or just makes a plain error, and ops may
have left out vital information. So even in the answers to OP’s its
advisable te leave some sort of context as a quote in the post, so that a
possible correction/discussion/remark by others is still easily possible.

As a final note: netiquette is there for a reason. It’s the combined
experience of regular/intensive usenet users over years. Even if something
seems more convenient to you at some point, really think about why one
assumes one knows better then thousands of others. And don’t use that old
non-argument:’but usenet and usenet readers have evolved’. If one doesn’t
like the usenet way maybe online HTTP forums are the way to go (guaranteed
the same content for every user, no need to quote as all earlier content
of posts is allready visible on the same page, etc.), or even IRC (short
questions, hopefully short answers, and if one has missed the context a
simple question what that is is usually enough for someone in the channel
to give a short summary).

[/rant] —
Rik Wasmus