One of my PHP pages, which runs on a remote server allegedly with PHP 5.2 installed, receives a POST request with a set "passcode" key and then, as it seems, the most strange things may happen. In the following code, "passcode" of the POST request is redefined to make value tracking simpler for you guys, but in tests it still produces the supernatural output indicated in the comments.
$_POST["passcode"] = "hi";
$_SESSION["passcode"] = "hello";
echo $_SESSION["passcode"] . '<br />'; // prints "hello"
$passcode = $_POST["passcode"];
echo $_SESSION["passcode"] . '<br />'; // prints "hi"
EDIT: So looks like it's about register_globals. Hence is another question:
Is there any way to turn this behavior off if I don't have access to the php.ini file on the server I'm running the code on?
Clearly, session variables are registered as globals.
Smells like register_globals
If you can't edit your php.ini file, you can disable this setting in .htaccess file, as described here
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With