Stopping objects from auto-serializing

  #1 (permalink)  
Old 10-31-2007
David Christopher Zentgraf
 
Posts: n/a
Default Stopping objects from auto-serializing

Hi,

I'm trying to set up my PHP app at my host, but am stumbling over the
PHP configuration there. register_globals is enabled, which seems to
auto-serialize my objects into $_SESSION, which in some cases
overwrites variables in there. I'm not sure if register_globals is
where the auto-serialization comes from, but it seems to be closely
related at least and I'm not in my best form today...

I tried putting "php_flag register_globals off" into an .htaccess
file, but that throws an Apache misconfiguration error.
Using set_ini() doesn't seem to do anything either.

Any advice on how to turn serialization off without dabbling with the
configuration file?

Chrs,
Dav
  #2 (permalink)  
Old 10-31-2007
Larry Garfield
 
Posts: n/a
Default Re: [PHP] Stopping objects from auto-serializing

Try:

php_value register_globals Off

That should not have any impact on the $_SESSION array, but turning register
globals off anyway is a good thing.

On Tuesday 30 October 2007, David Christopher Zentgraf wrote:
> Hi,
>
> I'm trying to set up my PHP app at my host, but am stumbling over the
> PHP configuration there. register_globals is enabled, which seems to
> auto-serialize my objects into $_SESSION, which in some cases
> overwrites variables in there. I'm not sure if register_globals is
> where the auto-serialization comes from, but it seems to be closely
> related at least and I'm not in my best form today...
>
> I tried putting "php_flag register_globals off" into an .htaccess
> file, but that throws an Apache misconfiguration error.
> Using set_ini() doesn't seem to do anything either.
>
> Any advice on how to turn serialization off without dabbling with the
> configuration file?
>
> Chrs,
> Dav



--
Larry Garfield AIM: LOLG42
larry@garfieldtech.com ICQ: 6817012

"If nature has made any one thing less susceptible than all others of
exclusive property, it is the action of the thinking power called an idea,
which an individual may exclusively possess as long as he keeps it to
himself; but the moment it is divulged, it forces itself into the possession
of every one, and the receiver cannot dispossess himself of it." -- Thomas
Jefferson
  #3 (permalink)  
Old 10-31-2007
David Christopher Zentgraf
 
Posts: n/a
Default Re: [PHP] Stopping objects from auto-serializing

On 31 Oct 2007, at 13:50, Larry Garfield wrote:

> Try:
>
> php_value register_globals Off


Same Apache misconfiguration error. Even though the host actually
requires me to enable PHP processing via an "AddHandler" .htaccess
directive, php_flag/value directives are throwing an error. Weird.

> ...but turning register globals off anyway is a good thing.


Indeed.
  #4 (permalink)  
Old 10-31-2007
Jochem Maas
 
Posts: n/a
Default Re: [PHP] Stopping objects from auto-serializing

David Christopher Zentgraf wrote:
> Hi,
>
> I'm trying to set up my PHP app at my host, but am stumbling over the
> PHP configuration there. register_globals is enabled, which seems to
> auto-serialize my objects into $_SESSION, which in some cases overwrites
> variables in there. I'm not sure if register_globals is where the
> auto-serialization comes from, but it seems to be closely related at
> least and I'm not in my best form today...
>
> I tried putting "php_flag register_globals off" into an .htaccess file,
> but that throws an Apache misconfiguration error.
> Using set_ini() doesn't seem to do anything either.


aside from this error (my guess is you're not allowed to override it) I can't
see the problem of serialization .. don't put the object in $_SESSION?

also try:

php_admin register_globals 0


>
> Any advice on how to turn serialization off without dabbling with the
> configuration file?


why, what are you doing? show us the code?

>
> Chrs,
> Dav
>

  #5 (permalink)  
Old 10-31-2007
David Christopher Zentgraf
 
Posts: n/a
Default Re: [PHP] Stopping objects from auto-serializing

On 31 Oct 2007, at 15:32, Jochem Maas wrote:

> aside from this error (my guess is you're not allowed to override it)
> I can't
> see the problem of serialization .. don't put the object in $_SESSION?

....
> what are you doing? show us the code?


I'm not putting the object in $_SESSION, but PHP apparently does on
this specific configuration.
I'm saving an array of ids in $_SESSION["basket"], and on some pages I
have an object called $basket.
Somehow this $basket gets saved into $_SESSION["basket"], where it
simply does not belong because it makes my code barf.

Seems I'll have to rename my variables, but aside from this specific
fix, I don't want any unneeded variables floating around my $_SESSION
and I certainly don't want them to be globally_registered.
  #6 (permalink)  
Old 10-31-2007
Jochem Maas
 
Posts: n/a
Default Re: [PHP] Stopping objects from auto-serializing

David Christopher Zentgraf wrote:
> On 31 Oct 2007, at 15:32, Jochem Maas wrote:
>
>> aside from this error (my guess is you're not allowed to override it) I
>> can't
>> see the problem of serialization .. don't put the object in $_SESSION?

> ...
>> what are you doing? show us the code?

>
> I'm not putting the object in $_SESSION, but PHP apparently does on this
> specific configuration.
> I'm saving an array of ids in $_SESSION["basket"], and on some pages I
> have an object called $basket.
> Somehow this $basket gets saved into $_SESSION["basket"], where it
> simply does not belong because it makes my code barf.
>
> Seems I'll have to rename my variables, but aside from this specific
> fix, I don't want any unneeded variables floating around my $_SESSION
> and I certainly don't want them to be globally_registered.


are you using session_register()? (don't)
also are you setting the value in $_SESSION by reference?

e.g. $_SESSION['foo'] =& $bar; $bar = new Foo;

>

  #7 (permalink)  
Old 10-31-2007
David Christopher Zentgraf
 
Posts: n/a
Default Re: [PHP] Stopping objects from auto-serializing


On 31 Oct 2007, at 16:16, Jochem Maas wrote:

> are you using session_register()? (don't)
> also are you setting the value in $_SESSION by reference?


No and no. The only time I'm writing to $_SESSION["basket"] is by
setting $_SESSION["basket"][] = "foo", I'm never touching the actual
$_SESSION["basket"] variable as such, but which is exactly what's
happening.
  #8 (permalink)  
Old 10-31-2007
David Christopher Zentgraf
 
Posts: n/a
Default Re: [PHP] Stopping objects from auto-serializing

After some more playing around and a lot of print_r($SESSION)'s:

This specific PHP configuration seems to replace every entry in
$_SESSION if a variable with the same name is used in the main script
with that variable.

I.e.
session_start(); // $_SESSION["foo"] is now "bar"
$foo = "12345";
$var = "xxxx";

function test() {
    $foo = "67890"; // local to test(), not the global $foo
}
test();

After execution finished $_SESSION["foo"] is now "12345", but there's
no $_SESSION["var"].
What's going on here?

On 31 Oct 2007, at 16:25, David Christopher Zentgraf wrote:

>
> On 31 Oct 2007, at 16:16, Jochem Maas wrote:
>
>> are you using session_register()? (don't)
>> also are you setting the value in $_SESSION by reference?

>
> No and no. The only time I'm writing to $_SESSION["basket"] is by
> setting $_SESSION["basket"][] = "foo", I'm never touching the actual
> $_SESSION["basket"] variable as such, but which is exactly what's
> happening.
>

  #9 (permalink)  
Old 10-31-2007
hochprior
 
Posts: n/a
Default Re: Stopping objects from auto-serializing

David Christopher Zentgraf wrote:
> Hi,
>
> I'm trying to set up my PHP app at my host, but am stumbling over the
> PHP configuration there. register_globals is enabled, which seems to
> auto-serialize my objects into $_SESSION, which in some cases
> overwrites variables in there. I'm not sure if register_globals is
> where the auto-serialization comes from, but it seems to be closely
> related at least and I'm not in my best form today...
>
> I tried putting "php_flag register_globals off" into an .htaccess
> file, but that throws an Apache misconfiguration error.
> Using set_ini() doesn't seem to do anything either.
>
> Any advice on how to turn serialization off without dabbling with the
> configuration file?


I got the following in my main .htaccess (and it works just fine...):
php_flag register_globals 0

--
Kind regards,
hochprior
  #10 (permalink)  
Old 10-31-2007
David Christopher Zentgraf
 
Posts: n/a
Default Re: [PHP] Re: Stopping objects from auto-serializing

On 31 Oct 2007, at 17:23, hochprior wrote:

> I got the following in my main .htaccess (and it works just fine...):
> php_flag register_globals 0


Well apparently I'm not allowed to override register_globals.

Looking at the problem a little closer, it also doesn't seem like
register_globals is the culprit. Browsing through the PHP bug reports
a bit brought my attention to --enable-track-vars, which is enabled in
my case. It sounds a little more like it has something to do with my
problem, but I can't seem to find any documentation on this flag...
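
Added example, not written by any poster in this thread: the PHP manual documents that with register_globals enabled, global variables and $_SESSION entries of the same name reference the same value, which matches what post #8 observes. The sketch below models that binding with plain references so it runs on current PHP, where the setting no longer exists; the function names and sample data are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the thread. All names are hypothetical.

/** True when this PHP build still has register_globals switched on. */
function register_globals_active(): bool
{
    // ini_get() returns false when the directive does not exist.
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Model of the documented behaviour: every session entry is bound by
 * reference to a global of the same name when the session starts.
 */
function bind_session_to_globals(array &$session, array &$globals): void
{
    foreach (array_keys($session) as $name) {
        $globals[$name] = &$session[$name];
    }
}

/** Session keys that the script also uses as global variable names. */
function colliding_names(array $session, array $scriptGlobals): array
{
    return array_values(array_intersect(array_keys($session), $scriptGlobals));
}

// Constructed sample data mirroring post #8.
$session = ['foo' => 'bar'];   // state restored by session_start()
$globals = [];                 // stands in for the global symbol table
bind_session_to_globals($session, $globals);

$globals['foo'] = '12345';     // main script: $foo = "12345";
$globals['var'] = 'xxxx';      // no session key "var", so nothing is linked

(function () {
    $foo = '67890';            // function-local, never reaches the session
})();

var_dump(register_globals_active());
print_r($session);                                  // what would be saved
print_r(colliding_names($session, ['foo', 'var'])); // names worth renaming
```

Running the name check against a script's own globals shows which session keys would be overwritten on a host where the setting cannot be turned off, so those keys or variables can be renamed.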