PHP session variable shortcut?
So I'm doing some maintenance on a PHP site that is using $_SESSION variables. I started seeing some very, very weird behavior and after hours of debugging I just figured this out. As an example, let's say I have a session variable set up like this:
$_SESSION['user']['id'] = 123;
$_SESSION['user']['firstname'] = 'John';
$_SESSION['user']['lastname'] = 'Doe';
At one point in a script, a call to a MySQL table is made using some Zend classes:
$sql = "SELECT whatever FROM table";
$user = $db->fetchRow($sql);
Now here is where the weirdness starts... After this database call is made, my $_SESSION['user'] array value is all of a sudden changed to be the object that is retrieved from the database call...
Basically: $_SESSION['user'] is now the same as the object that was retrieved using the fetchRow DB method that was supposed to be stored in the variable $user. I've never seen this before.
The only thing I can figure out is that because the variable name $user is the same as the $_SESSION['user'] array key name, it's acting like a shortcut or something.
Is this some sort of weird PHP session shortcut that I've never heard of before?
On a side note, I know that accessing $_SESSION vars directly is not the best practice. I didn't build this website. My job is just to fix some stuff and add some features.
UPDATE: Sure enough, register_globals is on. Thanks for the quick help guys. No wonder I was seeing such weird behavior.
Comments (2)
Sounds like you have register_globals set to On in PHP.ini. Turning it off should fix this.
If you don't have access to change PHP.ini an alternative solution is discussed here
Check if register globals is turned on. Accessing $_SESSION is the only way to access session data safely.
Register globals is an old feature that turned global variables into local variables. The issue with that was you could not safely know where the data was coming from. Something you expected from a session could be set with a get, post or a cookie variable. So it was very easy to bypass security.
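An added example, not part of the original question or answers: it models why assigning to $user replaced $_SESSION['user'], and shows a startup check for the setting plus a helper that lists session keys colliding with request parameters. The function names, the $session array and the sample values are hypothetical; the aliasing is modeled with a plain reference because register_globals was removed in PHP 5.4.0.

```php
<?php
// Added example, written to run on old and current PHP (no type hints, array()).

// True when the running PHP still has register_globals enabled.
// ini_get() returns false when the directive does not exist (PHP >= 5.4.0).
function register_globals_enabled()
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Model of the behavior in the question. $session is a constructed stand-in
// for $_SESSION; the reference mimics the binding register_globals creates
// between a session key and the global variable of the same name.
function demo_alias()
{
    $session = array('user' => array('id' => 123, 'firstname' => 'John', 'lastname' => 'Doe'));
    $user = &$session['user'];                       // implicit under register_globals
    $user = (object) array('whatever' => 'db row');  // constructed fetchRow() result
    return $session['user'];                         // now the object, not the array
}

// Session keys that also arrive as request parameters: the collisions the
// second answer warns about. Useful as a log line while auditing legacy code.
function colliding_keys(array $session, array $get, array $post, array $cookie)
{
    return array_keys(array_intersect_key($session, $get + $post + $cookie));
}

if (register_globals_enabled()) {
    error_log('register_globals is On; session keys are aliased to globals');
}
var_dump(is_object(demo_alias()));
// Constructed request data: 'user' is both a session key and a GET parameter.
print_r(colliding_keys(array('user' => 1, 'cart' => 2), array('user' => 'x'), array(), array()));
```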