Smarty

FrankTM · Smarty n00b Joined: 19 Oct 2007 Posts: 3

scenario:
$_SESSION contains info
$smarty instance is created
$_SESSION is updated
$smarty->display() is called
$smarty shows old data

testcase with various php versions:
[url goes herem but i'm not allowed to post those yet]
As you can see, I don't write to the session from within the template.

It must have something to do with the superglobal changes.
I'm not sure this is a desired change though.
You should not be able to do changes in $_POST, $_GET and $_REQUEST, but I think at least $_SESSION should be up to date when $smarty->display() or $smarty->fetch() is called.

messju · Posted: Tue Jun 16, 2009 2:04 pm Post subject:

FrankTM has a test case here http://scriptzone.nl/~frank/smarty_testcase-sessions/ that shows the change of behaviour in Smarty-2.6.24.

funnily the change is in 2.6.24 and not in 2.6.23 where "make PHP super globals read-only from template" was introduced.

What was the reason behing making super globals read-only anyway?

mohrt · Posted: Tue Jun 16, 2009 2:57 pm Post subject:

Changing session variables in-template is a security issue, and not something that should be done from a template anyways.

example:

{$smarty.session.foo++}

FrankTM · Smarty n00b Joined: 19 Oct 2007 Posts: 3

that's pretty much what I said, and what my testcase does.

I do not update the $_SESSION vars from within the template, but just from ordinary php.

mohrt · Posted: Tue Jun 16, 2009 3:04 pm Post subject:

Yes it makes an internal copy of the globals to use in-template at instantiation. This is a sticky issue, I'll have look into it further. As a workaround you can assign yourself:

FrankTM · Smarty n00b Joined: 19 Oct 2007 Posts: 3