One of my PHP pages, which runs on a remote server allegedly with PHP 5.2 installed, receives a POST request with a set “passcode” key and then, as it seems, the most strange things may happen. In the following code, “passcode” of the POST request is redefined to make value tracking simpler for you guys, but in tests it still produces the supernatural output indicated in the comments.
$_POST["passcode"] = "hi";
$_SESSION["passcode"] = "hello";
echo $_SESSION["passcode"] . '<br />'; // prints "hello"
$passcode = $_POST["passcode"];
echo $_SESSION["passcode"] . '<br />'; // prints "hi"
EDIT: So looks like it’s about register_globals. Hence is another question:
Is there any way to turn this behavior off if I don’t have access to the php.ini file on the server I’m running the code on?
Smells like register_globals
If you can’t edit your
php.inifile, you can disable this setting in.htaccessfile, as described here