DMSJax

Reputation: 1717

loop through $POST to make $SESSION equivalent

Would this be the correct way to loop through the $POST data sent by an API and have an equivalent $SESSION name/value pair be created from it?

foreach($_POST as $key=>$value)
{ $_SESSION['$key']=$value; }

UPDATE: First, thanks for the solid responses - I think I need to explain the problem I'm trying to overcome and why this functionality is being considered. The $_POST response is coming from a payment processor gateway - the problem is that since the payment form/processing is not on our domain, the results of the payment (approved/declined etc. etc.) are being RELAYED to our server via $POST - When our PHP code tries to process the response data it looks for various PHP structures (like php include 'file.php') under their domain instead of ours and errors out - I need to move the $POST data into a session and then move the person back to our domain so that the file/directory/resource tree is correct. Does what I'm encountering make sense?

Upvotes: 1

Views: 1362

Answers (6)

SirDarius

Reputation: 42879

Since the POST is made by a payment gateway, the session will be associated with it (and most likely be lost at first request, since it can be assumed that it won't ever bother reading the session cookie).

Your client won't ever see this data in their session.

If you want to have this data available, you need to persist it somehow, if the payment gateway gives you exploitable client information. Possible solutions are a database, key/value store...

Alternatively, it is common that the payment gateway will allow you to specify a link to redirect the client's browser to after the purchase. Getting the parameters from the POST, you could append them to the redirect URL to pass them back to your website as GET parameters.

Upvotes: 0

DaveyBoy

Reputation: 2915

If you really want to do it as you state, you could use something like

$_SESSION=array_merge($_SESSION,$_POST);

which would work but be a "bad thing" - plenty of scope to overwrite items already in the $_SESSION variable:

index.php:

<form action="2.php" method="post">
<input type="text" name="hidden" value="hidden">
<button type="submit">Click</button>
</form>

2.php:

<?php
session_start();
session_unset();
$_SESSION['hidden']="existing";
$_SESSION=array_merge($_SESSION,$_POST);

echo '<pre>'.print_r($_SESSION,true).'</pre>';

Better would be to use

$_SESSION['POST']=$_POST;

Obviously, perform any data checks you need to before doing this, though.

Upvotes: 1

Gumbo

Reputation: 655169

You could also use the array union operator:

$_SESSION = $_POST + $_SESSION;

This takes the values of $_POST and adds those values of $_SESSION whose keys are not already present in $_POST.

Upvotes: 0

Lee

Reputation: 10603

Ignoring the security issues this could cause depending on how you use it, what you could do is use:

$_SESSION = array_merge($_POST, $_SESSION);

This will only bring in POST vars which have a key not already found in $_SESSION. Switch them around if you want the POST vars to take precedence of course.

Just a quick note on security: if, like a lot of people, you use the session to store user id, what would happen if I sent a POST request to your script with userid=1?

All I'm saying is, be careful what you are doing with this. You'd be better off if possible doing as suggested and using a unique key in $_SESSION for post vars such as $_SESSION['post_vars'] = $_POST (or maybe ['form_data'] if you're using it to persist form data, which is usually why people do this).

Upvotes: 0

Jason McCreary

Reputation: 72961

Don't use single quotes:

foreach ($_POST as $key => $value) {
  $_SESSION[$key] = $value;
}

I'd encourage you to read about Strings in PHP.

Note: This is potentially unsafe for several reasons - mostly injection by key collision. Consider if I posted the logged in user id.

This could be mitigated through encapsulation:

$_SESSION['posted_data'] = $_POST;

Upvotes: 5
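
The key collision the answers warn about, shown next to the encapsulated form with an allowlist, as an added example that is not part of any answer on this page. Plain arrays stand in for $_SESSION and $_POST so it runs from the CLI; the field names (status, amount, user_id, is_admin) and the helper names copy_flat and copy_namespaced are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: plain arrays stand in for $_SESSION and $_POST
// so the script runs from the command line without a web server.
$session = ['user_id' => 42, 'is_admin' => false];
$post    = ['status' => 'approved', 'amount' => '19.99',
            'user_id' => '1', 'is_admin' => '1', 'items' => ['x']];

// Pattern from the question (with the quoting fixed): every posted key is
// written at the top level, so a posted key replaces a session key of the
// same name, including keys the application trusts for identity.
function copy_flat(array $session, array $post): array
{
    foreach ($post as $key => $value) {
        $session[$key] = $value;
    }
    return $session;
}

// Encapsulated variant: posted data is stored under a single sub-key and
// only allowlisted string fields are kept. Arrays and unknown keys are
// dropped, so nothing posted can reach the top-level session keys.
function copy_namespaced(array $session, array $post, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $clean[$field] = $post[$field];
        }
    }
    $session['posted_data'] = $clean;
    return $session;
}

$flat = copy_flat($session, $post);
$safe = copy_namespaced($session, $post, ['status', 'amount']);

// Compare what each approach leaves in the trusted top-level keys,
// then what the encapsulated copy actually retained from the POST.
var_dump($flat['user_id'], $flat['is_admin']);
var_dump($safe['user_id'], $safe['is_admin']);
var_dump($safe['posted_data']);
```

Values kept under the sub-key are still untrusted input and need the same validation as any other request data before use.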

Marek

Reputation: 7433

Don't you rather want to keep them separated?

$_SESSION['response'] = $_POST;

Upvotes: 1
