One of my PHP pages, which runs on a remote server allegedly with PHP 5.2 installed, receives a POST request with a set "passcode" key and then, as it seems, the most strange things may happen. In the following code, "passcode" of the POST request is redefined to make value tracking simpler for you guys, but in tests it still produces the supernatural output indicated in the comments.
$_POST["passcode"] = "hi";
$_SESSION["passcode"] = "hello";
echo $_SESSION["passcode"] . '<br />'; // prints "hello"
$passcode = $_POST["passcode"];
echo $_SESSION["passcode"] . '<br />'; // prints "hi"
EDIT: So it looks like it's about register_globals. Hence another question:
Is there any way to turn this behavior off if I don't have access to the php.ini file on the server I'm running the code on?
Smells like register_globals
If you can't edit your php.ini file, you can disable this setting in an .htaccess file, as described here
Clearly, session variables are registered as globals.
One possible reason this is possible is that somewhere you have written
$_SESSION['passcode']=&$passcode;
Session variables may be configured to be handled as global variables and so can be accessed through $_SESSION["passcode"] as well as $passcode. Check your PHP configuration (register_globals).
Change the name of the variable $passcode to something else?
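For the EDIT question about switching register_globals off without php.ini access, here is an added example that is not code from the thread or its answers: it records the .htaccess directive in a comment and, as a fallback, removes the auto-registered globals at runtime. The function names are hypothetical, and it assumes PHP 5.2 syntax and that unsetting the global after session_start() is enough to break the link to $_SESSION.

```php
<?php
// Added example, not code from the thread. PHP 5.2-compatible syntax.
//
// Preferred fix: where PHP runs as an Apache module and the host permits
// overrides, this one line in .htaccess turns the setting off:
//     php_flag register_globals off
// The setting cannot be changed with ini_set() at runtime, so the fallback
// below removes the globals it created instead.

// Hypothetical helper: true when register_globals is in effect.
function register_globals_enabled()
{
    $v = strtolower(trim((string) ini_get('register_globals')));
    return !in_array($v, array('', '0', 'off', 'false', 'no'), true);
}

// Hypothetical helper: delete every global that mirrors a request or session
// key, so $passcode is no longer tied to $_SESSION['passcode'].
// Call it after session_start() and before any application code, because it
// also removes same-named globals the application defined earlier.
function strip_registered_globals()
{
    if (!register_globals_enabled()) {
        return 0;
    }
    // Never unset the superglobals themselves.
    $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION');
    $sources = array($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES);
    if (isset($_SESSION) && is_array($_SESSION)) {
        $sources[] = $_SESSION;
    }
    $removed = 0;
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (!in_array($name, $keep, true) && array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]); // drops the global, keeps the superglobal entry
                $removed++;
            }
        }
    }
    return $removed;
}

session_start();
strip_registered_globals();

// The snippet from the question, now using independent variables.
$_SESSION['passcode'] = 'hello';
$passcode = isset($_POST['passcode']) ? $_POST['passcode'] : '';
```

If the .htaccess line produces a 500 error, the host does not accept php_flag there (for example when PHP runs as CGI), and only the runtime fallback applies.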