CMOTD

Register Globals Support

I've got some trouble i.c.w. the "official PayPal IPN module" and this register_globals patch

Ok, in case others have the same issue I've found a better fix now

change (includes/modules/payment/paypal_ipn.php):

     if (tep_session_is_registered('cartID')) {

to

     // if (tep_session_is_registered('cartID')) {
     // PandA.nl: register_globals fix!?
     if (array_key_exists('cartID', $_SESSION)) {

end fix

/***********************************/

 

notes:

it appears that

  function tep_session_is_registered($variable) {
    return session_is_registered($variable);
  }

returns TRUE if the key for $variable exists in the SESSION array, even if $variable does not have a value assigned

but

  function tep_session_is_registered($variable) {
    return isset($_SESSION[$variable]);
  }

returns FALSE if the key exists for $variable, but $variable does not have a value assigned

Of course it's quite rare that a SESSION variable exists and does not have a value at the same time.

This seems like a bug/flaw to me, although I'm not sure if it's an osC bug (to add an empty var to the session array, and check for the existence later), and/or if the sessions.php function of the register_globals patch should be updated like this:

change:

  function tep_session_is_registered($variable) {
    return isset($_SESSION[$variable]);
  }

to:

  function tep_session_is_registered($variable) {
    return array_key_exists($variable, $_SESSION);
  }

?? or something like that?

so that empty session vars will be detected as registered too

Edited by PandA.nl

Please do not PM me for support, I will not respond anyway.


New note: it's also possible/likely that $_SESSION['cartID'] actually should have a value at the time it's checked by the PayPal module. And that would mean detecting the null value as true is an error!

Anybody around that knows more about this cartID? Or that is willing to test its value on another (test)shop?


Please do not PM me for support, I will not respond anyway.


Just installed this to my live shop & I have 2 major payment problems.

If a customer pays via worldpay then I don't get the order. The order is lost but I have his cash :huh:

If a customer pays via paypal then I get the order but no order email (order process). The IPN is showing on the IPN list.


Hello,

I want to install the Multi-Stores Contribution on my register_globals off webserver.

So I tried to integrate this Contribution into the Multi-Stores Contribution. The shop itself seems to work too, but I am not able to get into the administrators area.

Instead of the login page I get an error (something like a loop).

I think the problem is in /catalog/admin/includes/functions/administrators.php, because when I uncomment the code in the "RequireLoginValidForPage" function it loads the background of the page and some text.

So maybe you can tell me where the problem is? Here is the code of this page:

<?php
   $aADMBoxes = array ( 'configuration.php'    => BOX_HEADING_CONFIGURATION,
                        'modules.php'          => BOX_HEADING_MODULES,
                        'catalog.php'          => BOX_HEADING_CATALOG,
                        'stores.php'           => BOX_HEADING_STORES,
                        'customers.php'        => BOX_HEADING_CUSTOMERS,
                        'orders.php'           => BOX_HEADING_ORDERS, //rmh M-S_multi-stores
                        'taxes.php'            => BOX_HEADING_LOCATION_AND_TAXES,
                        'localization.php'     => BOX_HEADING_LOCALIZATION,
                        'reports.php'          => BOX_HEADING_REPORTS,
                        'tools.php'            => BOX_HEADING_TOOLS,
                        'administrators.php'   => BOX_HEADING_ADMINISTRATORS,
                        );

   // associate all the admin pages with the box class that includes it
   $aADMPages = array( 'configuration.php'            => 'configuration.php',
                       'index.php'                    => '*',
                       'categories.php'               => '*',
                       'modules.php'                  => 'modules.php',
                       'categories.php'               => 'catalog.php',
                       'products_price_schedules.php' => 'catalog.php', //rmh M-S_pricing
                       'products_attributes.php'      => 'catalog.php',
                       'manufacturers.php'            => 'catalog.php',
                       'reviews.php'                  => 'catalog.php',
                       'specials.php'                 => 'catalog.php',
                       'products_expected.php'        => 'catalog.php',
                       'customers.php'                => 'customers.php',
                       'customers_groups.php'         => 'customers.php', //rmh M-S_pricing
                       'orders.php'                   => 'orders.php', //rmh M-S_multi-stores
                       'invoice.php'                  => 'orders.php', //rmh M-S_multi-stores
                       'packingslip.php'              => 'orders.php', //rmh M-S_multi-stores
                       'countries.php'                => 'taxes.php',
                       'zones.php'                    => 'taxes.php',
                       'geo_zones.php'                => 'taxes.php',
                       'tax_classes.php'              => 'taxes.php',
                       'tax_rates.php'                => 'taxes.php',
                       'currencies.php'               => 'localization.php',
                       'languages.php'                => 'localization.php',
                       'orders_status.php'            => 'localization.php',
                       'stats_products_viewed.php'    => 'reports.php',
                       'stats_products_purchased.php' => 'reports.php',
                       'stats_customers.php'          => 'reports.php',
                       'backup.php'                   => 'tools.php',
                       'banner_manager.php'           => 'tools.php',
                       'banner_statistics.php'        => 'tools.php',
                       'cache.php'                    => 'tools.php',
                       'define_language.php'          => 'tools.php',
                       'file_manager.php'             => 'tools.php',
                       'mail.php'                     => 'tools.php',
                       'newsletters.php'              => 'tools.php',
                       'server_info.php'              => 'tools.php',
                       'whos_online.php'              => 'tools.php',
                       'administrators.php'           => 'administrators.php', //rmh M-S_multi-stores
                       'distributors.php'             => 'administrators.php', //rmh M-S_multi-stores
                       'stores.php'                   => 'stores.php', //rmh M-S_multi-stores
                    );

   function RequireLoginValidForPage( $aRetPage ) {
       global $PHP_SELF, $in_login, $login_id, $aADMPages;  
       $aThisPage = basename( $PHP_SELF );
       $aRetPage  = str_replace( $aThisPage, 'index.php', $aRetPage );
       if ( empty( $in_login ) ) {
           if ( !tep_session_is_registered( 'login_id' ) ) {
               header( 'Location: login.php?in_login=yes&retpage=' . urlencode( $aRetPage ) . "\n" );
           } else {
               $aSQL = "select administrators_allowed_pages from ". TABLE_ADMINISTRATORS ." where administrators_id = '". $login_id ."'";
               $aRes = tep_db_query( $aSQL );
               if ( $aVal = tep_db_fetch_array( $aRes ) ) {
                   $aPages = $aVal['administrators_allowed_pages'];
                   if ( trim( $aPages ) != '*' ) {
                       $aAllowedPages   = explode( '|', $aPages );
                       $aCurrentPageBox = $aADMPages[$aThisPage];
                       if ( $aCurrentPageBox != '*' ) {
                           if ( !in_array( $aCurrentPageBox, $aAllowedPages ) ) {
                               header( 'Location: login.php?' . urlencode( $aRetPage ) . "\n" );
                           }
                       }
                   }
               }
           }
       }
   }

   function CanShowBox( $aBoxName ) {
       global $login_id;
       $aSQL = "select administrators_allowed_pages from ". TABLE_ADMINISTRATORS ." where administrators_id = '". $login_id . "'";
       $aRes = tep_db_query( $aSQL );
       if ( $aVal = tep_db_fetch_array( $aRes ) ) {
           $aPages = $aVal['administrators_allowed_pages'];
           if ( trim( $aPages ) != '*' ) {
               $aAllowedPages   = explode( '|', $aPages );
               $aCurrentPageBox = $aBoxName;
               if ( in_array( $aCurrentPageBox, $aAllowedPages ) ) {
                   return true;
               }
           } else {
               return true;
           }
       }
       return false;
   }
?>

 

Does any of you know how I can make this site work with register_globals off?

Thank you from Germany (and excuse my bad English)

Ole

Edited by theoverer

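The access decision from the post above, written so that it does not depend on any global variable, as an added sketch (it is not the Multi-Stores contribution's code and not a reply from the thread). Once register_globals is off, request parameters such as in_login no longer appear as globals, so the sketch ties the "login page" case to the page name and takes the session data as an argument. The function name, the return strings and the sample cases are hypothetical; failing closed when no administrator row is found is a choice made here, not behaviour of the posted code.

```php
<?php
// Added sketch, not the contribution's code. Every input is passed in
// explicitly; nothing is read from globals that register_globals would have
// created. $allowedPages is the administrators_allowed_pages value already
// fetched for $session['login_id'], or null when no row was found.
function admin_access_decision($thisPage, array $session, array $pageBoxes, $allowedPages)
{
    // The login page itself is never redirected. The decision is tied to the
    // page name, not to a request parameter that any request could carry.
    if ($thisPage === 'login.php') {
        return 'show-login';
    }
    if (!isset($session['login_id']) || $allowedPages === null) {
        return 'redirect-login';      // not logged in, or unknown admin: fail closed
    }
    if (trim($allowedPages) === '*') {
        return 'allow';               // administrator with access to everything
    }
    $box = isset($pageBoxes[$thisPage]) ? $pageBoxes[$thisPage] : null;
    if ($box === '*') {
        return 'allow';               // page open to every logged-in administrator
    }
    // Strict comparison, so an empty permission list never matches anything.
    $allowed = explode('|', $allowedPages);
    return ($box !== null && in_array($box, $allowed, true)) ? 'allow' : 'redirect-login';
}

// Subset of the $aADMPages map from the post.
$pageBoxes = array(
    'index.php'      => '*',
    'categories.php' => 'catalog.php',
    'orders.php'     => 'orders.php',
    'backup.php'     => 'tools.php',
);

// Constructed cases: page, session contents, administrators_allowed_pages.
$cases = array(
    array('login.php',      array(),                null),
    array('orders.php',     array(),                null),
    array('orders.php',     array('login_id' => 3), 'catalog.php|orders.php'),
    array('backup.php',     array('login_id' => 3), 'catalog.php|orders.php'),
    array('backup.php',     array('login_id' => 1), '*'),
    array('categories.php', array('login_id' => 3), ''),
);

foreach ($cases as $case) {
    list($page, $session, $allowedPages) = $case;
    printf("%-15s %s\n", $page, admin_access_decision($page, $session, $pageBoxes, $allowedPages));
}

// In the real page, 'redirect-login' means: send the Location header and then
// exit, so the protected page does not keep executing after the redirect.
```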

Did anyone get anywhere with the "official PayPal IPN" issues? I am using that and Authorize.net and I am told soon register globals will be turned off, am I dead?

 

Thanks.


The way of life, and the way we work for you.


Er? I think you are, mate. I posted my problem in the worldpay & paypal thread & still no joy. The workaround is to add 'php_flag register_globals on' in your .htaccess file in the store's root directory.

With my version of paypal IPN v3.0a I've had to comment out the empty cart on checkout success as there was a global issue there, apart from that it's ok.


Thanks djashjones, I am looking at moving to a VPS soon, that will help me for now, but a real fix would be nice, or off to find a new cart and start all over, not my first choice....


The way of life, and the way we work for you.


Hi,

 

I know the feeling. X-cart is a better option which doesn't have this problem & is more secure & powerful but like you I invested a lot of time & mods to my shop & don't really want to change. Maybe this issue will be addressed in the next MS or someone might find a fix.

 

ash.


Hi,

 

I would like to apply the Master Products module with register globals off.

 

Anyone who could help me out with that one?

 

All help is most appreciated!

 

Regards :thumbsup:

Edited by morphir

New note: it's also possible/likely that $_SESSION['cartID'] actually should have a value at the time it's checked by the PayPal module. And that would mean detecting the null value as true is an error!

Anybody around that knows more about this cartID? Or that is willing to test its value on another (test)shop?

 

Alright, I've been racking my brain over this "osCommerce PayPal IPN Module v1.0 For 2.2MS2" contribution with the "Register Globals Off" contribution for days now. I'm just about to give up, but I'm too damn tenacious. At any rate, I've discovered something with regards to the $cartID session variable that I can't figure out, and it has absolutely nothing to do with the PayPal IPN module. Perhaps someone around here can explain. Here are the symptoms.

 

1. If the customer does not have any items stored in their cart from a previous session, adds one or more items to a cart, logs in, and continues to checkout, the $_SESSION['cartID'] variable WILL have a valid ID number. THIS WORKS CORRECTLY.

 

2. If the customer does not have any items stored in their cart from a previous session, logs in, adds one or more items to their cart, and continues to checkout, the $_SESSION['cartID'] variable WILL have a valid ID number. THIS WORKS CORRECTLY.

 

3. If the customer has items stored in their cart from a previous session, logs in, clears all items from their cart, adds one or more items to their cart, and continues to checkout, the $_SESSION['cartID'] variable WILL have a valid ID number. THIS WORKS CORRECTLY.

 

4. If the customer has items stored in their cart from a previous session, logs in, and continues to checkout without adding any additional items, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

 

5. If the customer has items stored in their cart from a previous session, logs in, adds one or more items to their cart, and continues to checkout, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

 

6. If the customer has items stored in their cart from a previous session, adds one or more items to their cart, logs in, and continues to checkout, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

 

To see this in action, I added the following short bit of debugging code to checkout_confirmation.php to tell me what the $_SESSION variables were when the customer reached the checkout_confirmation.php page:

 

    echo "<pre>";
    print_r($_SESSION);
    echo "</pre>";

 

Find the following block of code around line 239 of checkout_confirmation.php:

 

  
 if (is_array($payment_modules->modules)) {
   if ($confirmation = $payment_modules->confirmation()) {
?>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
     <tr>
       <td class="main"><b><?php echo HEADING_PAYMENT_INFORMATION; ?></b></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
     <tr>
       <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
         <tr class="infoBoxContents">
           <td><table border="0" cellspacing="0" cellpadding="2">
             <tr>
               <td class="main" colspan="4"><?php echo $confirmation['title']; ?></td>
             </tr>
<?php
     for ($i=0, $n=sizeof($confirmation['fields']); $i<$n; $i++) {
?>
             <tr>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               <td class="main"><?php echo $confirmation['fields'][$i]['title']; ?></td>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               <td class="main"><?php echo $confirmation['fields'][$i]['field']; ?></td>
             </tr>
<?php
     }
?>
           </table></td>
         </tr>
       </table></td>
     </tr>
<?php
   }
 }

 

Add my debugging code at the end just before the last closing brace:

 

  if (is_array($payment_modules->modules)) {
   if ($confirmation = $payment_modules->confirmation()) {
?>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
     <tr>
       <td class="main"><b><?php echo HEADING_PAYMENT_INFORMATION; ?></b></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
     <tr>
       <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
         <tr class="infoBoxContents">
           <td><table border="0" cellspacing="0" cellpadding="2">
             <tr>
               <td class="main" colspan="4"><?php echo $confirmation['title']; ?></td>
             </tr>
<?php
     for ($i=0, $n=sizeof($confirmation['fields']); $i<$n; $i++) {
?>
             <tr>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               <td class="main"><?php echo $confirmation['fields'][$i]['title']; ?></td>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               <td class="main"><?php echo $confirmation['fields'][$i]['field']; ?></td>
             </tr>
<?php
     }
?>
           </table></td>
         </tr>
       </table></td>
     </tr>
<?php
   }
   echo "<pre>";
   print_r($_SESSION);
   echo "</pre>";
 }

 

Alright with that in place, you'll be able to see what the value is for the $_SESSION['cartID'] variable under the conditions I've outlined above. Also please note that this is not a problem with "osCommerce PayPal IPN Module v1.0 For 2.2MS2". In fact, these symptoms are still present when any of the payment modules are installed.

 

So...I'm not sure if this is an osCommerce bug or a PHP bug. I'd love to hear what others think about this and if anyone else has come across this. Does anyone have a solution? Should this be submitted as a bug to the developing team?


Alright...I think I found a solution. But first off, I have to correct myself on point #1 noted above. In my haste, I wrote down the wrong outcome. This actually does not work properly. The revision is:

 

1. If the customer does not have any items stored in their cart from a previous session, adds one or more items to a cart, logs in, and continues to checkout, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

 

Anyway, after looking through the shopping cart class, it appears that a temporary unique ID number is never assigned when the customer's basket is restored from the database (whether it's got items or not) after they log in and go directly to checkout without adding any additional items. In fact, the cartID is only set when an item is added to or removed from the cart. So, to fix this, all I did was add the following line at the end of the cart_restore() function:

      // assign a temporary unique ID to the order contents to prevent hack attempts during the checkout procedure
      $this->cartID = $this->generate_cart_id();

 

 

Alright, I look forward to hearing a response from somebody a little more experienced than me. I've implemented this fix for now and will do some more testing, especially with "osCommerce PayPal IPN Module v1.0 For 2.2MS2", but I'd like someone else's opinion or thoughts. Perhaps I'm not seeing something that I should or there was a specific reason it was done this way.

 

Mike

So, to fix this, all I did was add the following line at the end of the cart_restore() function:

 

My bad...this function is actually: restore_contents()

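The two points discussed in this thread (PandA.nl's isset() versus array_key_exists() question and the restore_contents() fix above) shown together, as an added example that is not osCommerce code and not code from any poster. DemoCart, registration_checks(), checkout_session() and the product IDs are hypothetical, a plain array stands in for $_SESSION, and the example assumes that checkout copies the cart's ID into the session under 'cartID'. It models only the case where a saved basket is restored and nothing is added or removed afterwards.

```php
<?php
// Added illustration, not osCommerce code. DemoCart is a hypothetical stand-in
// that models only the cartID behaviour described in the posts above.
class DemoCart
{
    public $contents = array();
    public $cartID = null;              // null until something assigns it
    private $assignOnRestore;

    public function __construct($assignOnRestore)
    {
        $this->assignOnRestore = (bool) $assignOnRestore;
    }

    // Constructed generator (random digits); the real routine is not shown on the page.
    public function generate_cart_id($length = 5)
    {
        $id = '';
        for ($i = 0; $i < $length; $i++) {
            $id .= mt_rand(0, 9);
        }
        return $id;
    }

    // Adding an item assigns a fresh ID.
    public function add_cart($productId, $qty)
    {
        $this->contents[$productId] = $qty;
        $this->cartID = $this->generate_cart_id();
    }

    // Restores a saved basket at login; without the fix no ID is assigned here.
    public function restore_contents(array $savedBasket)
    {
        foreach ($savedBasket as $productId => $qty) {
            $this->contents[$productId] = $qty;
        }
        if ($this->assignOnRestore) {
            $this->cartID = $this->generate_cart_id();   // the one-line fix
        }
    }
}

// Three ways a "is this session variable registered" check can be written.
function registration_checks(array $session, $key)
{
    return array(
        'array_key_exists' => array_key_exists($key, $session),
        'isset'            => isset($session[$key]),
        'usable_value'     => isset($session[$key]) && $session[$key] !== '',
    );
}

// Assumption: checkout copies the cart's ID into the session under 'cartID'.
function checkout_session(DemoCart $cart)
{
    $session = array('cartID' => $cart->cartID);   // stand-in for $_SESSION
    return registration_checks($session, 'cartID');
}

$savedBasket = array('28' => 1, '31' => 2);        // constructed product IDs

foreach (array('restore, unpatched' => false, 'restore, patched' => true) as $label => $fix) {
    $cart = new DemoCart($fix);
    $cart->restore_contents($savedBasket);
    echo $label, ': ', json_encode(checkout_session($cart)), "\n";
}

$fresh = new DemoCart(false);
$fresh->add_cart('28', 1);
echo 'add item: ', json_encode(checkout_session($fresh)), "\n";
```

For the unpatched restore, array_key_exists() reports cartID as registered while isset() does not, which is exactly the difference between the two versions of tep_session_is_registered() discussed earlier. A payment module that only asks "is it registered" through array_key_exists() would therefore continue with a null cartID.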

To all:

Just in case somebody has this set up:

- Running Apache on Linux/Unix
- Can't turn off Register Globals from the php.ini file (No access because on a shared server, etc.)
- HAS to run the shop with Register Globals = off

As you all know, in Apache you can use an .htaccess file in the root directory (or the shop's root directory) using the "php_value register_globals 0" to turn Register Globals off locally. However, I kept having a session error ONLY in the administration similar to the one described in the README file.

"Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0"

The .htaccess did not seem to affect this warning. The .htaccess file was tested using the phpinfo.php in subdirectories and I saw the Register Global got to "off" as I moved around, so the .htaccess file is turning off Register Globals BUT ONLY on the Local Value column, not the Master value column. In any event, the README file continues by advising to:

"The scenario described by the warning does NOT apply to this patch (ie - this patch does NOT make use of the bug/feature in 4.2.3), so it is safe (indeed very desirable) to switch this functionality and warning off. To remove this functionality and stop the warning, set both of these parameters in php.ini as follows :

session.bug_compat_42 = 0
session.bug_compat_warn = 0
"

Which, of course I could not do since I had no access to the php.ini file. I searched the web and found these two lines of code that, when added to the .htaccess file, turn off the warnings:

<IfModule mod_php4.c>
php_value register_globals 0
php_value session.bug_compat_42 0
php_value session.bug_compat_warn 0
</IfModule>

I guess I'm just sharing this information because I could not find it anywhere here and in case some lost soul is looking for it. Also, if anyone has any comments on this set up, possible unexpected results, thinks it is not really a solution, and so on...please, correct me.

Thanks

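A way to check from PHP itself whether the .htaccess overrides above took effect, as an added example (it is not part of the patch, its README or the post). It reads the same two columns phpinfo() shows: the php.ini value ("Master Value") and the value in effect for the current directory ("Local Value"). The function name and output format are made up for this example.

```php
<?php
// Added example, not part of the patch or its README. For each directive it
// reports the php.ini value (phpinfo's "Master Value") next to the value in
// effect for the current directory (phpinfo's "Local Value").
function directive_report(array $names, array $settings)
{
    $perdirBit = 2;   // access bit for per-directory configuration (.htaccess)
    $report = array();
    foreach ($names as $name) {
        if (!isset($settings[$name])) {
            // The running PHP build does not know this directive at all.
            $report[$name] = 'not available in this PHP build';
            continue;
        }
        $entry = $settings[$name];
        $report[$name] = sprintf(
            'master=%s local=%s %s%s',
            var_export($entry['global_value'], true),
            var_export($entry['local_value'], true),
            $entry['global_value'] === $entry['local_value'] ? 'no override' : 'overridden here',
            ($entry['access'] & $perdirBit) ? '' : ' (cannot be set per directory)'
        );
    }
    return $report;
}

// The three directives set in the .htaccess block from the post.
$wanted = array('register_globals', 'session.bug_compat_42', 'session.bug_compat_warn');

// ini_get_all() with its default details returns global_value, local_value
// and access for every registered directive.
foreach (directive_report($wanted, ini_get_all()) as $name => $line) {
    echo str_pad($name, 26), $line, "\n";
}
```

Request it through Apache from the directory that holds the .htaccess file, because the command-line PHP binary does not read .htaccess. A differing local value with an unchanged master value is the expected result of a per-directory override.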

I have the following error

 

FATAL ERROR: register_globals is disabled in php.ini, please enable it

 

Which one of the downloads in this contribution is the correct one for me?


Latest version is v 1.3, dated 13 Jan 2005.

 

And this may upset someone, but I strongly suggest you do NOT use the "Illegal Offset QUICKFix" dated 5 Sep 2005 - it's simply not correct.

 

Rich.

Vger's Register Globals Patch is super!

Errr... actually it's my patch.

 

But thanks anyway.

 

Rich.


I am getting this warning and cannot seem to find out how to fix it. Could someone help me please.

 

 

Warning: session_write_close(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in /srv/vhosts/*/httpdocs/oscommerce-2.2ms2/catalog/includes/functions/sessions.php on line 106

 

 

Thank you

Hi,

 

I would like to apply the Master Products module with register globals off.

 

Anyone who could help me out with that one?

 

All help is most appreciated!

 

Regards :thumbsup:

 

 

Did you find a way to get this done? I'd like to do the same..

 

Thanks!!

:)

Edited by dionn


Hi, I'm a newbie to this.

 

I wanted to know can I simply install the following together without having any problems?

 

oscommerce-2.2ms2 with the patch 1.3 ?

 

Thanks.


Fatal error: Cannot re-assign $this in c:\wamp\www\excwheels\admin\includes\classes\upload.php on line 31

 

I get this error when I go in the admin section, is there a reason why?

 

I am using:

 

 

oscommerce-2.2ms2 with the patch 1.3 ?


Hello,

 

I need some help with creating an .htaccess file for a fix on a shared server. Here is the info I'd like to use in the .htaccess file:

 

# $Id: .htaccess,v 1.3 2003/06/12 10:53:20 hpdl Exp $
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
# AllowOverride Options
# </Directory>
#
# 'All' will also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

<IfModule mod_setenvif.c>
<IfDefine SSL>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfDefine>
</IfModule>

# Fix certain PHP values
# (commented out by default to prevent errors occurring on certain
# servers)

#<IfModule mod_php4.c>
# php_value session.use_trans_sid 0
# php_value register_globals 1
#</IfModule>

 

Could someone send me a copy of the .htaccess file for this fix?

 

Thanks


There is an update to osCommerce 2.2 Milestone 2 (Update 051113)

 

See: http://www.oscommerce.com/ext/update-20051...l#_Toc119693714

 

This update is not merged with Register Globals -- yuck (what were they thinking?)

 

Anyway, The key part of the update for this thread is as follows:

 

Problem:

Validate the session ID and redirect to the front page when an invalid session ID is requested.

Solution:

The following function must be replaced in catalog/includes/functions/sessions.php.

Lines 66-68, from:

  function tep_session_start() {
    return session_start();
  }

to:

  function tep_session_start() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

    $sane_session_id = true;

    if (isset($HTTP_GET_VARS[tep_session_name()])) {
      if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
        unset($HTTP_GET_VARS[tep_session_name()]);

        $sane_session_id = false;
      }
    } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
      if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
        unset($HTTP_POST_VARS[tep_session_name()]);

        $sane_session_id = false;
      }
    } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
      if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
        $session_data = session_get_cookie_params();

        setcookie(tep_session_name(), '', time()-42000, $session_data['path'], $session_data['domain']);

        $sane_session_id = false;
      }
    }

    if ($sane_session_id == false) {
      tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
    }

    return session_start();
  }

 

So - the following seems to work:

 

  // >>> BEGIN REGISTER_GLOBALS tep_session_start
  function tep_session_start() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

    // Validate the requested session ID first, as the update does, so that
    // session_start() is never called with an ID that failed the check.
    $sane_session_id = true;

    if (isset($HTTP_GET_VARS[tep_session_name()])) {
      if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
        unset($HTTP_GET_VARS[tep_session_name()]);

        $sane_session_id = false;
      }
    } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
      if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
        unset($HTTP_POST_VARS[tep_session_name()]);

        $sane_session_id = false;
      }
    } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
      if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
        $session_data = session_get_cookie_params();

        setcookie(tep_session_name(), '', time()-42000, $session_data['path'], $session_data['domain']);

        $sane_session_id = false;
      }
    }

    if ($sane_session_id == false) {
      tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
    }

    $success = session_start();

    // Work-around to allow disabling of register_globals - map all defined
    // session variables
    if ($success && count($_SESSION)) {
      $session_keys = array_keys($_SESSION);
      foreach ($session_keys as $variable) {
        link_session_variable($variable, true);
      }
    }

    return $success;
  }
  // <<< END REGISTER_GLOBALS tep_session_start

 

I'm testing it now -- seems to work. Others might want to test or comment - I'm not sure how this code functions.


------------------------------------------------------------------------

The first panacea for a mismanaged nation is inflation
of the currency; the second is war. Both bring a
temporary prosperity; both bring permanent ruin.
Ernest Hemingway
------------------------------------------------------------------------

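The session ID check from the update quoted above, pulled out into stand-alone functions so it can be exercised without starting a session. This is an added example, not osCommerce's code and not the poster's. It goes slightly beyond the quoted check: non-string values are rejected before the regular expression runs, and the D modifier stops `$` from also matching just before a trailing newline. The function names, the session name osCsid and the sample requests are assumptions made for the example.

```php
<?php
// Added example, not osCommerce code. Same character whitelist and the same
// GET -> POST -> cookie precedence as the update, as pure functions.

// Mirrors the if / elseif chain: only the first source that carries the
// session name is inspected, the others are ignored.
function find_session_id($name, array $get, array $post, array $cookie)
{
    foreach (array('GET' => $get, 'POST' => $post, 'COOKIE' => $cookie) as $source => $vars) {
        if (isset($vars[$name])) {
            return array('source' => $source, 'value' => $vars[$name]);
        }
    }
    return null;   // no ID supplied: session_start() will create a fresh one
}

function session_id_is_sane($value)
{
    // A parameter sent as an array is rejected before it reaches preg_match().
    if (!is_string($value)) {
        return false;
    }
    // D makes $ match only at the very end of the string.
    return preg_match('/^[a-zA-Z0-9]+$/D', $value) === 1;
}

// Decision the caller must act on BEFORE calling session_start().
function check_request($name, array $get, array $post, array $cookie)
{
    $found = find_session_id($name, $get, $post, $cookie);
    if ($found === null) {
        return 'start new session';
    }
    return session_id_is_sane($found['value'])
        ? 'start session (ID from ' . $found['source'] . ')'
        : 'discard ID and redirect (ID from ' . $found['source'] . ')';
}

$name = 'osCsid';                   // assumed session name
$good = 'a1b2c3d4e5f6a7b8c9d0';     // constructed, well-formed ID

// Constructed requests: GET, POST and cookie arrays in that order.
$requests = array(
    'cookie only, clean'    => array(array(), array(), array($name => $good)),
    'GET with slash'        => array(array($name => 'abc/def'), array(), array()),
    'GET trailing newline'  => array(array($name => $good . "\n"), array(), array()),
    'GET sent as array'     => array(array($name => array($good)), array(), array()),
    'bad GET, clean cookie' => array(array($name => 'abc def'), array(), array($name => $good)),
    'no ID sent'            => array(array(), array(), array()),
);

foreach ($requests as $label => $request) {
    list($get, $post, $cookie) = $request;
    printf("%-22s %s\n", $label, check_request($name, $get, $post, $cookie));
}
```

The "bad GET, clean cookie" case shows the precedence at work: the GET value is the one inspected, so the request is redirected even though the cookie carries a well-formed ID.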
