I have some data-injection code in place in an innocuous-looking block of code. Basically it's something along the lines of:
Code:
    foreach ($_POST as $key => $value) {
        $$key = $value;
    }
This is fine as is, as the key thing I need to overwrite is above this block in the code, but it would be awesome if I could also mess with the $_SESSION variable. Unfortunately, when I submit a POST with an element named something like "$_SESSION[uid]" it does indeed include my input in $_SESSION['uid'], but it clears the rest of it out, resulting in a $_SESSION variable that contains only the new field.
According to the PHP docs "variable variables cannot be used with PHP's Superglobal arrays within functions or class methods" -- however while $_SESSION is a superglobal, this code is not in a function or method, so it's not out of the question. Any PHP geeks know of a way around this?
Note: yes, obviously I could handle session values separately, but that would look mighty suspicious, and this code needs to pass visual inspection.
If you would be unloved and forgotten, be reasonable.
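
From the reviewing side, the loop in the post is the construct to look for: a block that copies request keys into variable names lets the client overwrite anything assigned above it. The scanner below is an added example, not part of the original post; its function names and the sample PHP are constructed, it also flags `extract()` on a request superglobal (a generalization beyond the post), and being regex-based it assumes braces do not occur inside string literals.

```python
import re

# Superglobals whose keys the HTTP client chooses.
TAINTED = r"\$_(?:POST|GET|REQUEST|COOKIE)"
# foreach ($_POST as $key => $value): capture source, key name, value name.
FOREACH = re.compile(r"(?i:foreach)\s*\(\s*(" + TAINTED +
                     r")\s+as\s+\$(\w+)\s*=>\s*&?\s*\$(\w+)\s*\)")
# extract($_POST, ...) performs the same import in one call.
EXTRACT = re.compile(r"(?i:\bextract)\s*\(\s*(" + TAINTED + r")")
LEADING_WS = re.compile(r"\s*")

# Constructed sample input (not from any real project).
SAMPLE = r'''<?php
$is_admin = false;
foreach ($_POST as $key => $value) {
    $$key = $value;
}
foreach ($_GET as $k => $v) {
    $clean[$k] = trim($v);
}
extract($_COOKIE);
'''

def loop_body(src, start):
    """Return the single statement or {...} block that follows `start`."""
    i = LEADING_WS.match(src, start).end()
    if src[i:i + 1] != "{":
        end = src.find(";", i)
        return src[i:end + 1] if end != -1 else src[i:]
    depth = 0
    for j in range(i, len(src)):
        depth += {"{": 1, "}": -1}.get(src[j], 0)
        if depth == 0:
            return src[i:j + 1]
    return src[i:]  # unbalanced braces: scan to end of file

def find_request_variable_imports(src):
    """Return sorted (line, superglobal, kind) tuples for each finding."""
    findings = []
    for m in FOREACH.finditer(src):
        key = re.escape(m.group(2))
        # $$key = ... or ${$key} = ... (assignment, not ==) in the loop body
        assign = re.compile(r"\$(?:\$" + key + r"\b|\{\s*\$" + key + r"\s*\})\s*=(?!=)")
        if assign.search(loop_body(src, m.end())):
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), "variable-variable loop"))
    for m in EXTRACT.finditer(src):
        findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), "extract()"))
    return sorted(findings)

if __name__ == "__main__":
    print(find_request_variable_imports(SAMPLE))
```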