As I understand it, the "register variables" operation occurred before execution began on your script. It involved copying data items from your form ($_POST), from the request URL ($_GET) and from your session ($_SESSION) so that you could simply refer to them by name in your programs. The drawback was that someone could simply modify the URL to reference one of your pages, adding a variable to the request, and overlay variables in your session, thereby modifying the execution of your programs, and driving a truck through any security you may have assumed was there.

The reason you want to keep register globals off becomes more obvious, and when you look for variables in the $_POST array or the $_GET array or the $_SESSION array, you can be reasonably sure it is coming from where you expected it. This still doesn't protect you from "cross-site posting", but certainly enhances your ability to control the source of data coming into your programs.

HTH,

Warren Vail

> -----Original Message-----
> From: Rod Clay [mailto:rclay@xxxxxxxxxxxxxxx]
> Sent: Saturday, April 19, 2008 2:20 PM
> To: php-general@xxxxxxxxxxxxx
> Subject: newbie needs help with session variables
>
> Hi. I'm still very new to php and still trying to learn the ropes.
>
> I'm working on some code now trying to set up a session and
> use session variables in different scripts, but I'm getting
> this message:
>
> *Warning*: Unknown: Your script possibly relies on a session
> side-effect which existed until PHP 4.2.3. Please be advised
> that the session extension does not consider global variables
> as a source of data, unless register_globals is enabled. You
> can disable this functionality and this warning by setting
> session.bug_compat_42 or session.bug_compat_warn to off,
> respectively. in *Unknown* on line *0*
>
> 2 questions:
>
> 1) I've turned on register_globals in all of my php.ini files
> and restarted the webserver, but I'm still getting this
> message. Can anyone help me with this?
>
> 2) I get the idea that one should NOT turn on
> register_globals, but, if I don't do this, how do I share
> session variables between scripts (and avoid this message)?
>
> Thanks for any help that anyone can provide.
>
> Rod Clay
> clay.1@xxxxxxx
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
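
The overlay described in the reply above, next to the source-explicit alternative, as an added example that is not part of the original thread. The function names, the `is_admin` and `tab` keys, and the request data are constructed for illustration, and `extract()` is used here only to simulate what register_globals did; the import order is an assumption.

```php
<?php
// Added illustration: constructed data, hypothetical function names.

// Legacy style: simulate register_globals by importing every source into
// one scope. After this, nothing records where a variable came from.
function legacy_page(array $session, array $get, array $post): string
{
    extract($session);   // $user, $is_admin as stored by the server
    extract($post);      // form fields overlay same-named variables
    extract($get);       // URL parameters overlay them again
    $is_admin = $is_admin ?? false;
    return $is_admin ? 'admin panel' : 'member page';
}

// register_globals off: each value is read from the array it must come from.
function explicit_page(array $session, array $get, array $post): string
{
    // Authorization state is taken from the session only, and type-checked.
    $is_admin = ($session['is_admin'] ?? false) === true;

    // Visitor-controlled input is read from $get by name and validated.
    $tab = $get['tab'] ?? 'home';
    if (!is_string($tab) || !ctype_alpha($tab)) {
        $tab = 'home';
    }
    return ($is_admin ? 'admin panel' : 'member page') . " [$tab]";
}

// Constructed server-side session contents for an ordinary member.
$session = ['user' => 'rod', 'is_admin' => false];

// Constructed query strings: a normal one, and one with an extra variable
// whose name matches a session variable.
$requests = [
    'page.php?tab=inbox'            => ['tab' => 'inbox'],
    'page.php?tab=inbox&is_admin=1' => ['tab' => 'inbox', 'is_admin' => '1'],
];

foreach ($requests as $url => $get) {
    printf("%-32s legacy: %-12s explicit: %s\n",
        $url,
        legacy_page($session, $get, []),
        explicit_page($session, $get, []));
}
```

In a real script each page calls `session_start()` and then reads and writes `$_SESSION` directly, which is how values are shared between scripts with register_globals off.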