Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Assigning a value to a variable changes a session variable's value

Tags:

php

One of my PHP pages, which runs on a remote server allegedly with PHP 5.2 installed, receives a POST request with a set "passcode" key and then, as it seems, the most strange things may happen. In the following code, "passcode" of the POST request is redefined to make value tracking simpler for you guys, but in tests it still produces the supernatural output indicated in the comments.

$_POST["passcode"] = "hi";
$_SESSION["passcode"] = "hello";

echo $_SESSION["passcode"] . '<br />'; // prints "hello"
$passcode = $_POST["passcode"];
echo $_SESSION["passcode"] . '<br />'; // prints "hi"

EDIT: So looks like it's about register_globals. Hence is another question:

Is there any way to turn this behavior off if I don't have access to the php.ini file on the server I'm running the code on?

like image 488
Desmond Hume Avatar asked Jul 08 '26 00:07

Desmond Hume


2 Answers

Clearly, session variables are registered as globals.

like image 81
Michael Krelin - hacker Avatar answered Jul 10 '26 14:07

Michael Krelin - hacker


Smells like register_globals

If you can't edit your php.ini file, you can disable this setting in .htaccess file, as described here

like image 20
Mchl Avatar answered Jul 10 '26 15:07

Mchl



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!