Reserved characters in PHP $_SESSION variable variables

I was looking at the internal representation of the PHP session file and I noticed that the session keys are separated by a pipe character |.

Before getting into the problem I am facing, let me give a quick guide to the format of the session file. At least that's how it was formatted on my Mac (10.9.4, PHP 5.4.24).

Session file format

Let's say I have the following code:

$_SESSION["age"] = 26;
$_SESSION["car"] = "Mazda";
$_SESSION["nerdy"] = true;
$_SESSION["likes"] = array(42, "being meta");
$_SESSION["stats"] = array("bmi" => 1000);

      

Then it is stored in a session variable like this:

age|i:26;car|s:5:"Mazda";nerdy|b:1;
likes|a:2:{i:1;i:42;i:2;s:10:"being meta"}
stats|a:1:{s:3:"bmi";i:1000}

      

General format

session_key|session_value[;session_key|value] etc.

      

where session_value has the general form

type[:size]:value

      

More specifically (if anyone is interested),

  • strings: s:3:"some text"

  • whole numbers: i:4

  • booleans: b:1 (true) or b:0 (false)

  • arrays: a:2:{session_value;session_value;session_value;session_value}

where the four session_value in an array of size 2 represent pairs key;value key;value.

Problem

You can see that in the above section, the top level session keys are delimited by a character |. But what if one of our session key names includes a character |?

Ok I tried it. And when I did that, the entire session file (in /tmp) was empty (and the variables were definitely not set). Is this a PHP developer oversight or an undocumented limitation (or is it documented somewhere)?

This can be easily solved by putting the $_SESSION keys themselves in quotes, or by backslashing any pipe in the $_SESSION key string. This is not a big problem for me personally, since I can't figure out why I would need to put | in a $_SESSION variable key - just wondering.

+3




2 answers


Known bug

https://bugs.php.net/bug.php?id=33786



Work around - upgrading to 5.5.4 and using the php_serialize session serializer

+4




Using this php file test3.php, I have demonstrated that both | (pipe) and ! (bang) will throw a _SESSION error in PHP 5.4 if they are used in the _SESSION key. Also, no other ASCII characters between 0x20 and 0x7f fail. I don't have easy access to other PHP versions to empirically test their behavior.



<?php
// Steps through the ASCII range one character per form submission and
// checks whether a session key containing that character was stored.
session_start( );
?><!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Test session keys</title>
</head>
<body>
<form method="post" action="test3.php">
<input type="submit" id="submit" name="submit" value="Submit">
<?php
echo "<br>_SESSION...<br>";
var_dump(  $_SESSION );

echo "\n".'<br><input type="text" id="text" name="text" maxlength="1" ';
if( $_SERVER[ 'REQUEST_METHOD' ] != 'POST' ) {
     // First load: start with the space character (0x20).
     $t = chr( 32 );
     echo 'value="&#'.ord( $t ).';">';
     $_SESSION[ 'key' ] = ' ';
     $str = 'first';
} else {
     // The previous request stored two entries ('key' and the test key);
     // any other count means the session was not written correctly.
     $str = 'good';
     if( count( $_SESSION ) != 2 ) {
          $str = 'BAD';
     }
     $_SESSION = array( );
     // $t is the character that was just tested; queue the next one.
     $t = substr( $_POST[ 'text' ], 0, 1);
     echo 'value="&#'.(ord($t) + 1 ).';">';
     $_SESSION[ 'key' ] = chr(ord($t) + 1 );
}
// Show the character just tested, as an entity and as hex.
echo "\n".'<br><input type="text" id="check" name="check" maxlength="1" value="&#'.ord( $t ).';">';
echo "\n".'<br><input type="text" id="check2" name="check2" size="6" value="%'.bin2hex( $t ).'">';
echo '<span id="success"></span>';
echo "<script> document.getElementById( 'success' ).innerHTML = '".$str."'; </script>";

// The key under test: the current character embedded between two words.
$_SESSION[ "alpha".$_SESSION['key']."four" ]  = 'Hello World';
?>
</form>
</body>
</html>

      

0
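
Added example, not part of either post above: a small Python decoder for the key|value layout the question describes (types i, b, s and a only), showing why a key written with an unescaped | cannot be read back, plus a check for the two characters the second answer found to fail. The sample data, the function names and the ASCII-only assumption are constructed for illustration.

```python
RESERVED = "|!"  # characters the second answer found to break session keys in PHP 5.4

# Constructed sample in the key|value layout described in the question (ASCII only).
SAMPLE = ('age|i:26;car|s:5:"Mazda";nerdy|b:1;'
          'likes|a:2:{i:0;i:42;i:1;s:10:"being meta";}stats|a:1:{s:3:"bmi";i:1000;}')

def _value(s, i):
    """Parse one serialized value starting at s[i]; return (value, next index)."""
    tag = s[i]
    if tag in "ib":                        # i:<int>;  or  b:<0|1>;
        end = s.index(";", i)
        n = int(s[i + 2:end])
        return (bool(n) if tag == "b" else n), end + 1
    colon = s.index(":", i + 2)            # s and a both carry a size field
    size, body = int(s[i + 2:colon]), colon + 2
    if tag == "s":                         # s:<length>:"<text>";
        return s[body:body + size], body + size + 2
    if tag == "a":                         # a:<count>:{key;value;...}
        out, i = {}, body
        for _ in range(size):
            k, i = _value(s, i)
            out[k], i = _value(s, i)
        return out, i + 1                  # step over the closing brace
    raise ValueError(f"unknown type tag {tag!r} at offset {i}")

def decode(data):
    """Decode top-level entries; a key ends at the first pipe and is never escaped."""
    out, i = {}, 0
    while i < len(data):
        bar = data.index("|", i)
        key = data[i:bar]
        out[key], i = _value(data, bar + 1)
    return out

def reserved_keys(session):
    """Return the keys this layout cannot represent, to reject before storing."""
    return [k for k in session if any(c in str(k) for c in RESERVED)]

if __name__ == "__main__":
    print(decode(SAMPLE))
    print(reserved_keys({"age": 26, "a|b": 1, "x!y": 2}))   # ['a|b', 'x!y']
    try:
        decode("a|b|i:1;")                 # key "a|b" written without escaping
    except ValueError as exc:
        print("unreadable:", exc)
```
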

