-3

Is the any danger in using $_ENV to hold global script variables rather than using $_SESSION? I understand the difference between the 2 superglobals but not sure of the impact of using $_ENV over $_SESSION? Does $_SESSION provide more security?

ws8
  • 107
  • 1
  • 7
  • No one of them "provide security", they are just variables – zerkms Mar 09 '12 at 06:27
  • Two entirely different concepts... what would indicate they are interchangeable? (Read the documentation for an overview and where each is applicable.) –  Mar 09 '12 at 07:05
  • @pst - Not really, both are super globals, both store global data, both available globally. Only the scope of access is different. The documentation suggests using $_ENV to store globals in place of using "global" but $_ENV is only available to the current instance. However, back to the question, what I see in some apps is people storing session data in $_ENV and then writing back to session later. Is there a particular reason for doing this that I fail to understand? eg, sucurity, saving session state? poor programming? – ws8 Mar 10 '12 at 22:41
  • @ws8 Once again, looking past the fact that they both indexable, mutable, and map keys/data in some form, they are two entirely different concepts: they are not interchangeable. That's all there is to it. This is clearly evident in documentation that deals with them. –  Mar 11 '12 at 00:05
  • @pst - let me rephrase - Lets assume you have an application that calls lots of functions and relies heavily on global variables, is it acceptable to use $_ENV to hold application global variables (assuming you don't need them once the script ends) or should one use $_SESSION instead. The manual does not specifically say "thou shall not use $_ENV for your own purposes" but is it abusing the use of $_ENV? – ws8 Mar 11 '12 at 02:42
  • @ws8 I would venture to say that a vital concept about how `$_ENV` is backed about how `$_SESSION` is backed is missing. **Environment variables (`$_ENV`) are *per PHP process*** (and are inherited from the parent process) while **session data (`$_SESSION`) is *per user session***. They are not equivalent concepts and they bot *do different things*. Using one in place of the other is a design error. Obviously if you need to store "user session data", then `$_ENV` is not appropriate, and if you need to access `JAVA_HOME` (for whatever reason, e.g.) then `$_SESSION` is not appropriate. –  Mar 11 '12 at 05:31
  • @ws8 Of course, using `$_ENV` for "global storage" might indicate a design error; but this *does not* imply that `$_SESSION` is a replacement in any way. –  Mar 11 '12 at 05:35

3 Answers3

2

They are two complete different thing.

$_SESSION: An associative array containing session variables available to the current script.

$_ENV: An associative array of variables passed to the current script via the environment method.

xdazz
  • 158,678
  • 38
  • 247
  • 274
2

You can't use $_ENV instead of $_SESSION.
That's all.

Any environment variable you may set will be available to the same PHP instance only (which will die in a fraction of second)

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • True, but you can use both to store globals depending on the scope required. – ws8 Mar 10 '12 at 22:44
  • 1
    globals? scope? what are you talking about? – Your Common Sense Mar 10 '12 at 22:48
  • According to the php manual on $_ENV: "This is a 'superglobal', or automatic global, variable. This simply means that it is available in all scopes throughout a script. There is no need to do global $variable; to access it within functions or methods.". Therefore $_ENV could be used to store application globals not required outside of the current instance. But is this acceptable use of $_ENV? – ws8 Mar 11 '12 at 02:34
  • @ws8 Forget about each collection being a "superglobal". This is a superficial concept in this conversation. Each collection is backed by a *different* source with *different* semantics. –  Mar 11 '12 at 05:43
2

What it does is accessing the environment variables. The functions getenv() and setenv() should be used for this.

Environment variables:

These variables are set by the system or can be added in eg. Apaches configuration files or .htaccess. Example: in apache you can use SetEnv ENV_VARNAME foobar

But sessions (or also cookies) are not the same as variables. Sessions can hold state over multiple requests, variables or globals do not. Go take a loot at sessions

stefano
  • 263
  • 2
  • 6
  • Oh, yeah i misread this part. [refsect1-reserved.variables.environment-changelog](http://nl.php.net/manual/en/reserved.variables.environment.php#refsect1-reserved.variables.environment-changelog) – stefano Mar 09 '12 at 07:51