When register_globals is on, session variables overwrite global variables
First published on July 10, 2007
It is argued that there are many reasons why register_globals should be set to off on your PHP installation. It’s a bit of a security risk and allows you to code sloppily (although this is kind of nice for amateur coders like me).
However, another reason to avoid having register_globals set to on is a rather weird variable overwrite feature. If you use a session variable in a script with the same name as one of your global variables, the session variable will overwrite the global variable! Oddly, neither the GET nor POST variables affect the global variable in the same way…
<?php session_start(); $canadaday = 'July 1st'; $_SESSION['canadaday'] = 'July 2nd'; print '<p>When is Canada Day?</p>'; print '<p><strong>' . $canadaday . '</strong></p>'; ?>
(In this case, you should probably be using different variable names too.)
With register_globals set to on, Canada Day is erroneously on July 2nd…
Facebook
Twitter
Email this
keung.biz. Hire my web consulting services at 
Follow us on Twitter
January 26th, 2012 at 2:17 pm
Ken says:
Thank you for this article! I have been wracking my brain over this one for a while!
I’d have something similar to your canadaday or more commonly, I’d set some configuration variables using $GLOBALS['package']['subpackage'][… and use the same tree in $_SESSION for session dependent variables.
Now I know I’m not going insane.
Guess I’ll just have to code it the proper way with constants. Or use dots instead of sub-arrays.