[AppDB] session.php and register globals
Jonathan Ernst
Jonathan at ErnstFamily.ch
Fri Dec 10 12:34:44 CST 2004
----------------------
You should do your best to write your scripts so that they do not
require register_globals to be on; Using form variables as globals can
easily lead to possible security problems, if the code is not very well
thought of.
----------------------
Using this patch, login/logout (i.e. sessions) will work with
register_globals set to off. There is still some work on other files
that try to access session vars in the old manner, but as I have patches
pending on them I will wait to see if they are committed before doing
other patches on these other files. However, as long as register_globals
is on, my patch won't interfere with the current functioning of the appDB.
Change Log:
- replacing $var with $_SESSION['var'] code and removing global $var
declarations
Files changed:
- session.php
-------------- next part --------------
Index: include/session.php
===================================================================
RCS file: /home/wine/appdb/include/session.php,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 session.php
--- include/session.php 15 Mar 2004 16:22:02 -0000 1.1.1.1
+++ include/session.php 10 Dec 2004 18:24:21 -0000
@@ -2,13 +2,13 @@
function apidb_session_start()
{
- global $current;
session_set_cookie_params(time() + 3600 * 48);
session_start();
- if($current)
- $current->connect();
+ if(isset($_SESSION['current'])) {
+ $_SESSION['current']->connect();
+ }
}
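Review bot: isset($_SESSION['current']) in apidb_session_start() only proves the key exists and is not null, so the following ->connect() call is a fatal error if the stored value is not an object of the expected class (for example when the class definition was not loaded before session_start() and PHP restored it as an incomplete class). Consider guarding with is_object() or an explicit class check before calling connect(). Separately, the unchanged context line session_set_cookie_params(time() + 3600 * 48) passes an absolute timestamp where PHP expects a lifetime in seconds; 3600 * 48 alone gives the 48 hour cookie that appears to be intended.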
@@ -19,12 +19,10 @@
-/*
+/**
* session handler functions
* sessions are stored in a mysql table
- *
*/
-
function _session_open($save_path, $session_name)
{
opendb();
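Review bot: Style point on the comment change above _session_open(): with the opener switched to /** and the blank line after the comment removed, documentation tools will attach this block to _session_open() alone, although its text describes the whole group of session handlers. Either keep the blank line so it stays a section comment, or give _session_open() its own docblock and leave this one as a plain /* comment.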
@@ -57,7 +55,6 @@
function _session_write($key, $value)
{
- global $current;
global $msg_buffer;
global $apidb_debug;
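Review bot: Dropping global $current from _session_write() is only safe if every use of $current in the function body is converted. The next hunk converts the one at the REPLACE query, but the lines between are not visible here; any leftover $current would silently become an undefined local and evaluate as false. Please confirm with a search of the function before this is committed.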
@@ -79,8 +76,8 @@
mysql_query("INSERT INTO debug VALUES(null, '$key = $messages')");
- if($current)
- mysql_query("REPLACE session_list VALUES ('$key', $current->userid, '".get_remote()."', '$value', '$messages', NOW())");
+ if(isset($_SESSION['current']))
+ mysql_query("REPLACE session_list VALUES ('$key', ".$_SESSION['current']->userid.", '".get_remote()."', '$value', '$messages', NOW())");
else
mysql_query("REPLACE session_list VALUES ('$key', 0, '".get_remote()."', null, '$messages', NOW())");
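Review bot: In the new REPLACE query, $_SESSION['current']->userid is concatenated into the SQL unquoted and without a cast, so the statement depends on whatever ends up in the session object. Cast it, e.g. (int)$_SESSION['current']->userid, so the column can only ever receive an integer. The same line places $key, $value and $messages inside single quotes with no escaping visible in this hunk; $value is serialized session data and will normally contain quote characters, so check that it is escaped before it reaches this point. Minor: the if/else here is left without braces, while the first hunk added them to the equivalent check.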