Edit report at https://bugs.php.net/bug.php?id=63969&edit=1

 ID:                 63969
 Updated by:         ar...@php.net
 Reported by:        tim_s_wiley at yahoo dot com
 Summary:            Storing PDO Statement Class in $_SESSION Corrupts
                     all $_SESSION variables
-Status:             Open
+Status:             Analyzed
 Type:               Bug
 Package:            PDO related
 Operating System:   Windows 2008
 PHP Version:        5.3.20
 Block user comment: N
 Private report:     N

 New Comment:

PDOStatement throws an exception when you try to serialize it, so it naturally 
can't be stored in the session, and this borks the session writing process in a 
place which can't be handled nicely without significant overhead for the normal 
case.

You can see a more useful error message by calling session_write_close() 
yourself, or just serialize(new PDOStatement); directly.

Leaving this open for PDO devs in case it can actually be serialized, but I 
suspect not.


Previous Comments:
------------------------------------------------------------------------
[2013-01-11 15:54:28] tim_s_wiley at yahoo dot com

Description:
------------
Anytime I assign a new object instance of PDOStatement to a session variable, 
the session text file goes to zero bytes and has no session information inside.  
The following code will produce the issue.  If you comment out the 2nd 
$_SESSION assignment, which is the PDO issue, the session will log its 
information to the sess text file properly and works as expected.  Here is a 
very simple PHP example that will produce the issue:

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>PDO Statement Session Test</title>
</head>
<body>
<?php
    $_SESSION['regularVariable'] = 'Regular Stuff'; // Works just fine
    $_SESSION['pdoVariable'] = new PDOStatement; // zeros the sess* file
?>
</body>
</html>



Test script:
---------------
<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>PDO Statement Session Test</title>
</head>
<body>
<?php
    $_SESSION['regularVariable'] = 'Regular Stuff'; // Works just fine
    $_SESSION['pdoVariable'] = new PDOStatement; // zeros the sess* file
?>
</body>
</html>

Expected result:
----------------
Test #1 - As is, this will produce a zero-byte PHP sess* file (no variable 
information will be logged in the file and thus not available to follow-up 
sessions; if there were session variables stored, they are lost).

Test #2 - Commenting out the pdoVariable line will properly store the other 
$_SESSION variables in the sess* file.



------------------------------------------------------------------------
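
The direct serialize() check suggested in the comment above, applied per session key so the offending entry is found before the session is written. This is an added example, not code from the bug report or from PHP itself; find_unserializable() is a hypothetical helper name, the $session array is a constructed stand-in for $_SESSION, and the pdo_sqlite driver is assumed to be available.

```php
<?php
/**
 * Try to serialize each top-level entry on its own.
 * Returns array(key => reason) for every entry that cannot be serialized.
 * Hypothetical helper, not a PHP built-in.
 */
function find_unserializable(array $data)
{
    $bad = array();
    foreach ($data as $key => $value) {
        try {
            // Also fails when the statement is nested inside an array or object.
            serialize($value);
        } catch (Exception $e) {
            // PDOStatement refuses serialization by throwing.
            $bad[$key] = get_class($e) . ': ' . $e->getMessage();
        }
    }
    return $bad;
}

// Assumption: pdo_sqlite is installed; an in-memory database keeps this offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->query("SELECT 'Regular Stuff' AS v");

// Constructed stand-in for $_SESSION so the script runs from the CLI.
$session = array(
    'regularVariable' => 'Regular Stuff',
    'pdoVariable'     => $stmt, // same kind of value as in the report
);

// Report the entries that would break the session write.
foreach (find_unserializable($session) as $key => $why) {
    echo "cannot store \$_SESSION['$key']: $why\n";
}

// Keep the fetched rows (plain arrays) instead of the statement handle.
$session['pdoVariable'] = $stmt->fetchAll(PDO::FETCH_ASSOC);

// With only plain data left, every entry serializes.
var_dump(find_unserializable($session) === array());
```

Running a check like this before session_write_close() matters because, as the report shows, one unserializable entry costs every variable in the session, including any login state stored alongside it.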


