Register_Globals and Session Side Effects in PHP

Wrote a little login script (as part of a larger project) which uses PHP sessions to store a user’s data, and got the following error.

Warning: Unknown: Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0

Oh, well that’s no good. Looked through the code, and found I had spelt one variable wrong.

$_SESSION['user_id'] = $user;

but $user did not exist, it should have been

$_SESSION['user_id'] = $user_id;

So the error/warning appeared because I was assigning a null (or undefined) variable to a session key; something which would require register_globals to work.

Register globals would allow you to call file.php?foo=bar, and the script would automatically create a variable $foo with a value of bar. That is not very secure, as variables can be pushed into a script (perhaps bypassing form validation etc). Personally I would never use register_globals (set it to off in php.ini or your .htaccess), as mistakes like the one I made would go unnoticed and could be abused.
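The following is an added example, not code from the original post. It uses extract() as a stand-in for register_globals (which was removed in PHP 5.4) to show how the typo above goes unnoticed once a request parameter fills in the undefined variable, and how promoting warnings to exceptions makes it surface. store_login() and the sample request are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo. register_globals no longer exists, so extract() stands in
// for it here; store_login() and its parameters are hypothetical names.
function store_login(array $request, int $user_id, bool $registerGlobals): array
{
    $session = [];                        // stands in for $_SESSION
    if ($registerGlobals) {
        // Import every request parameter as a local variable, skipping names
        // already in scope, roughly what register_globals did globally.
        extract($request, EXTR_SKIP);
    }
    $session['user_id'] = $user;          // the post's typo: should be $user_id
    return $session;
}

// Promote warnings/notices (such as "Undefined variable $user") to exceptions
// so the typo stops the script instead of silently storing null.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

$request = ['user' => '1'];               // constructed input, as in file.php?user=1

// register_globals on: the request fills in $user, no warning is raised, and the
// session holds a caller-chosen id instead of the authenticated one (42).
$result = store_login($request, 42, true);
echo "register_globals on:  user_id = ", var_export($result['user_id'], true), "\n";

// register_globals off: $user is undefined, the handler throws, the bug surfaces.
try {
    store_login($request, 42, false);
} catch (ErrorException $e) {
    echo "register_globals off: ", $e->getMessage(), "\n";
}
```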

I googled the error after I found that mistake to confirm that was the problem, and was amazed to see people simply turning the warnings off rather than fixing the problem… talk about shortcuts!