[AppDB] session.php and register globals

Jonathan Ernst Jonathan at ErnstFamily.ch
Fri Dec 10 12:34:44 CST 2004


----------------------
You should do your best to write your scripts so that they do not 
require register_globals to be on;  Using form variables as globals can 
easily lead to possible security problems, if the code is not very well 
thought of.
----------------------
Using this patch login/logout (i.e. sessions) will work with 
register_globals set to off. There is still some work on other files 
that try to access session vars in the old manner but as I have patches 
pending on them I will wait to see if they are committed before doing 
other patches on these other files. However as long as register_globals 
is on my patch won't interfere with the current functioning of the appDB.

Change Log:
- replacing $var with $_SESSION['var'] code and removing global $var 
declarations

Files changed:
- session.php

-------------- next part --------------
Index: include/session.php
===================================================================
RCS file: /home/wine/appdb/include/session.php,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 session.php
--- include/session.php	15 Mar 2004 16:22:02 -0000	1.1.1.1
+++ include/session.php	10 Dec 2004 18:24:21 -0000
@@ -2,13 +2,13 @@
 
 function apidb_session_start()
 {
-    global $current;
 
     session_set_cookie_params(time() + 3600 * 48);
     session_start();
 
-    if($current)
-	$current->connect();
+    if(isset($_SESSION['current'])) {
+	      $_SESSION['current']->connect();
+	  }
 }
 
 
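Review bot: the context line `session_set_cookie_params(time() + 3600 * 48);` passes an absolute timestamp where the function expects a lifetime in seconds, so the session cookie is set to expire roughly 35 years out instead of after 48 hours; `session_set_cookie_params(3600 * 48);` gives the intended lifetime. The new `isset($_SESSION['current'])` branch also depends on the class of the stored object being declared before `session_start()` runs, otherwise it is restored as `__PHP_Incomplete_Class` and `->connect()` fails, so the include order of the callers is worth confirming. Minor: the added lines mix tabs and spaces for indentation, unlike the surrounding code.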
@@ -19,12 +19,10 @@
 
 
 
-/*
+/**
  * session handler functions
  * sessions are stored in a mysql table
- *
  */
-
 function _session_open($save_path, $session_name)
 {
     opendb();
@@ -57,7 +55,6 @@
 
 function _session_write($key, $value)
 {
-    global $current;
     global $msg_buffer;
     global $apidb_debug;
 
@@ -79,8 +76,8 @@
         mysql_query("INSERT INTO debug VALUES(null, '$key = $messages')");
 
 
-    if($current)
-	mysql_query("REPLACE session_list VALUES ('$key', $current->userid, '".get_remote()."', '$value', '$messages', NOW())");
+    if(isset($_SESSION['current']))
+	mysql_query("REPLACE session_list VALUES ('$key', ".$_SESSION['current']->userid.", '".get_remote()."', '$value', '$messages', NOW())");
     else
 	mysql_query("REPLACE session_list VALUES ('$key', 0, '".get_remote()."', null, '$messages', NOW())");
 
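Review bot: the rewritten REPLACE line still interpolates `$key`, `$value` and the user id into the SQL string without escaping; `$key` is the session id taken from the client's cookie, so it should pass through `mysql_escape_string()` (or be validated against the session id character set) before reaching the query, in the new line as well as in the untouched `else` branch. Separately, `_session_write()` is a save handler invoked at `session_write_close()` or script shutdown; from PHP 5.0.5 on, the write handler runs after object destruction unless `session_write_close()` is called explicitly, so reading `$_SESSION['current']->userid` here may fail at shutdown on those versions while the same user id is already present in the serialized `$value`.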