6

I've been driving myself nuts with this problem.

I'm creating a session id dynamically in order to retain the page state on refresh.

If a page element is clicked, I take the id of the element and pass it to my server side script which creates the session variable:

$_SESSION[$id] = $id;

Bizarrely, this was working only some of the time, I narrowed it down to the fact that some elements have a purely numeric id and others do not:

if (is_numeric($id))
{
   $_SESSION[$id] = $id;
   $_SESSION['test'] = $id; 

}else{

   $_SESSION[$id] = $id;
};

In the example above only non-numeric session IDs were visible. For example I could echo $_SESSION['test']; with no issue at all.

Any ideas?

T9b
  • 3,312
  • 5
  • 31
  • 50
  • `$_SESSION` is meant to be an associative array, so maybe numeric keys which hint at a sequential array are not allowed. – alex Sep 16 '11 at 21:06

3 Answers3

4

Top level keys in the $_SESSION can't be numeric, but keys on the deeper level can.

Eg.

$_SESSION['ids'][13] = $foo;
$_SESSION['ids'][666] = $bar;
Calmarius
  • 18,570
  • 18
  • 110
  • 157
4

From the manual: The keys in the $_SESSION associative array are subject to the same limitations as regular variable names in PHP, i.e. they cannot start with a number and must start with a letter or underscore. For more details see the section on variables in this manual.

Using purely numeric keys in a session will not work. If it is numeric you can try preceding it with an underscore.

EDIT: As of PHP 5.5.9 in October 2015, this appears to still be true despite the manual reference no longer appearing.

Test code:

<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);

session_start();
$_SESSION['a123'] = 'a123';
$_SESSION['123'] = '123str';
$_SESSION[455] = '455int';
$_SESSION['_123'] = '_123';

Yields:

Notice: Unknown: Skipping numeric key 123 in Unknown on line 0

Notice: Unknown: Skipping numeric key 455 in Unknown on line 0

Then a var_dump($_SESSION); shows only:

array(2) {
  ["a123"]=>
  string(4) "a123"
  ["_123"]=>
  string(4) "_123"
}

This actually appears to happen when the session data gets serialized at the end of the request here. Apparently the session engine itself prevents the numeric session keys from being saved to the session.

drew010
  • 68,777
  • 11
  • 134
  • 162
  • This is no longer int the manual (at least Google and I couldn't find it). It is also not true: session array keys can start with numbers (like '35a'). (Also 'must start with a letter or underscore' implies that it does not start with a number IMHO ) – Steven Spark Oct 05 '15 at 20:27
  • @StevenSpark I couldn't find the reference either but it appears to still be true. See my updated answer. – drew010 Oct 05 '15 at 21:33
2

It's bad practise to have an all numeric element id (i.e. <div id="123">) - you should place at least one alpha character, e.g. <div id="e123">. This should solve your problem - alternatively you can just add the the alpha character when creating the session then remove it if the page is refreshed:

$_SESSION[$id] = substr($str, 0, 1);

Bruce
  • 1,542
  • 13
  • 17
nderjung
  • 1,607
  • 4
  • 17
  • 38
  • 2
    Not only is it bad practice to have an element ID begin with a digit, but it's not allowed at all. – Benjam Sep 16 '11 at 21:08
  • @Benjam: I've seen it work in a few cases (only modern browsers) - I only suggested using the alternative method if adding the alpha character was to difficult, e.g. already stored in databases etc. – nderjung Sep 16 '11 at 21:11
  • Numeric ids work if they are assigned via JS. But are not allowed otherwise, and CSS will not be able to style them. – Marshall Sep 16 '11 at 21:15
  • @Alex: looking over the HTML5 spec, it seems you are correct. It says nothing about the syntax of the ID other than that it cannot have any space characters and must be at least 1 character in length. Thanks. – Benjam Sep 16 '11 at 21:16
  • @Benjam well I'm the boss of my project, and I say "it is allowed" ;) It still works for me in every browser I've tested in including old IE versions, but isn't this just an argument about naming conventions? – T9b Sep 16 '11 at 21:38
  • @T9: Even if you are the boss of your own project, you must follow the rules of which ever language you are programming in. – nderjung Sep 16 '11 at 21:42