Thread: setcookie before content????

  1. #11

    I have no idea about security holes regarding serialize(). I think the reason might be that if you allow the user to have full control of the content of an array, they could manipulate the array and potentially input something dangerous or some value you did not set. But if you validate the data, you'll be safe. In this case, if you are sure to only use the values of that array as which quotes have already been used, there's nothing to worry about at all. Just don't also borrow that array for any security settings or whatever.


    To expand on your last question and traq's answer, there's something very simple and interesting about all of the superglobal variables ($_VAR format). They're just normal variables in every sense, except that they happen to be scopeless and available everywhere you could want them (and you can never make a local variable within a function that has the same name).
    So this means that you can manually change the values and PHP will allow that. $_SESSION is an array that you can do whatever you want with. I very frequently have many-dimensional arrays in it. Basically $_SESSION['var1'] is one variable equivalent to $var1 and $_SESSION['var2'] is another, equivalent to $var2. And in fact I often do that-- I have some variable, let's say $var1, and then I set that in $_SESSION['var1'] to preserve the value for later.
    Beyond this, you actually have complete control of all of those arrays. In certain circumstances I've actually manually changed the contents of $_GET to fit my purposes (often if I'm pre-processing before another script, especially when I'm manipulating the URL with .htaccess). You can add/remove any variable you'd like, and PHP will be fine with it, just as if it had originally come from the URL. There are no restrictions, but obviously you need to be careful. And I've also done this on occasion with $_SERVER variables such as 'QUERY_STRING' for the same reason.


    Traq, that's an interesting theory. It makes sense to me, although I can't specifically verify it. Regardless, I completely agree that it's an exception and shouldn't be relied upon.
    Last edited by djr33; 08-14-2012 at 11:04 PM.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  2. #12

    Quote Originally Posted by djr33:
    [superglobals are] just normal variables in every sense, except that they happen to be scopeless and available everywhere you could want them...
    So this means that you can manually change the values and PHP will allow that. $_SESSION is an array that you can do whatever you want with... There are no restrictions, but obviously you need to be careful.
    you could even do something like $_SESSION = 5; and it would work as expected. (Not particularly useful, and most likely counterproductive, but it would work just fine.)
    Quote Originally Posted by djr33:
    Traq, that's an interesting theory. It makes sense to me, although I can't specifically verify it. Regardless, I completely agree that it's an exception and shouldn't be relied upon.
    I remember reading about it somewhere, and I've been trying to find it for a few hours now, without luck.

    BTW, John, if you ever want to write a script that way (without worrying about the order of headers/body/etc.), look into php's output control functions.

    Usually (such as in this case), you can achieve the same or better results by simply writing your script a little differently, but there are times when they are very useful.
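    As an added example (not code from the thread or from either poster), this is what the output-control suggestion looks like in practice, together with the validation step djr33 describes for a user-controlled array. It assumes PHP 7.3+ for the setcookie() options array; the cookie name quotes_seen and its contents are made up for the demo.

```php
<?php
// Start buffering before ANY output. Everything echoed from here on is held
// in memory instead of being sent to the client, so the response headers
// (including Set-Cookie) are still open when setcookie() is called later.
ob_start();

echo "<!doctype html><title>Demo</title>";
echo "<p>Some page content that was already 'printed'.</p>";

// headers_sent() is the check to make before calling setcookie()/header():
// without ob_start() it would already be true at this point.
if (!headers_sent()) {
    // Constructed demo value: store plain data (JSON), not a serialize()d
    // array, so the client-controlled cookie is never passed to unserialize().
    setcookie(
        'quotes_seen',
        json_encode([3, 7]),
        [
            'expires'  => time() + 3600,
            'path'     => '/',
            'httponly' => true,
            'samesite' => 'Lax',
        ]
    );
    echo "<p>Cookie set after output, thanks to output buffering.</p>";
} else {
    echo "<p>Too late: headers already sent.</p>";
}

// On a later request, read the cookie back and validate it rather than
// trusting it blindly: only keep integer IDs, drop anything else.
$seen = [];
if (isset($_COOKIE['quotes_seen'])) {
    $decoded = json_decode($_COOKIE['quotes_seen'], true);
    if (is_array($decoded)) {
        $seen = array_values(array_filter($decoded, 'is_int'));
    }
}

// Flush the buffer: headers go out first, then the buffered body.
ob_end_flush();
```

    Serve it with `php -S localhost:8000 demo.php` and request it twice; the second request will carry the cookie back in `$_COOKIE`.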
