PHP $_SESSION variables randomly get overwritten?

Question

Okay, so when I run this script to remove a user's comment from a forum post, the $_SESSION['id'] (user's mysql id) changes to the $postid (the id of the forum post). I am not calling any function to set it, and I have session_write_close(); called when the session is initialized.

<?php
session_start();

// I'm not showing connection code.
if(isset($_SESSION['user'])){

    $user = mysql_real_escape_string($_SESSION['user']);
    $userid = mysql_real_escape_string($_SESSION['id']);

    $id = mysql_real_escape_string($_GET['id']);
    $postid = mysql_real_escape_string($_GET['article']);

    $result = mysql_query("DELETE FROM `______`.`______` WHERE `userid`='$userid' AND `id`='$id' AND `user`='$user'")or die(mysql_error());

    if(mysql_affected_rows($result) == 1){

          mysql_query("UPDATE `_______`.`______` SET `points`=`points`-'1' WHERE `id`='$userid' AND `username`='$user'")or die(mysql_error());
          mysql_query("INSERT INTO `________`.`_______` (`user`,`userid`,`amount`,`reason`) VALUES('$user', '$userid', '-1', 'Removed a comment')")or die(mysql_error());

    }

    mysql_close($con);

    ob_start();
    header("location:../view-article?id=$postid");
    ob_end_flush();

} //if there is a user
else {

    ob_start();
    header("location:http://boundsblazer.com/not-logged-in?url=articles.view-article:id=$postid");
    ob_end_flush();
}
?>

Answer 1

If register_globals is on, this line

$id = mysql_real_escape_string($_GET['id']);

possibly change the value of $_SESSION['id']. So please try again with register_globals off.