PHP: Local vars interfere with $_SESSION vars?

Question

Hi,

The output of the following code on a random page is :

            print $_SESSION['uid']; // logged in user
        // Get Data .
        $uid = $_GET['ID']; // part of random page processing
            print $_SESSION['uid'];

is :

1
2

My logged in User ID is changing ! :@

The code for the login (authenticate) page is something like this :

        // Authenticate
        $query = "SELECT * FROM User WHERE Email = '".$Email."' AND Password = '".$Password."'";
        $result = mysql_query($query);

        // Authenticated?
        if(mysql_num_rows($result)) {
            // Yes

            // Set session Vars
            $uid = mysql_result($result,0,ID);
            $Access = mysql_result($result,0,Access);

            session_destroy();
            session_start();
            $_SESSION['loggedIN'] = 1;
            $_SESSION['Access'] = $Access;
            $_SESSION['uid'] = $uid;

            // Print a successful login and redirect

Answer 1

That's weird... Are you sure you're not doing $_SESSION['uid']++ anywhere?

Also, do you have register_globals on?

Answer 2

What you're seeing is a side-effect of register_globals. Basically:

$uid

and

$_SESSION['uid']

reference the same variable so when you do:

$uid = $_GET['ID'];

it's the equivalent of:

$SESSION['uid'] = $_GET['ID'];

My advice? Turn off register globals. It's deprecated in PHP 5.3 and will be removed in PHP 6. To turn it off, edit your php.ini file and change to this directive:

register_globals = Off

then restart Apache (or whatever your Web server is).

Answer 3

register_globals should be off by default.

Is there some call to session_register anywhere?