1

Here is what I'm trying to do:

$username = 'john';
$_SESSION['data'] = "Hello ".$username;


$username = 'mike';
$new = $_SESSION['data']; // trying make it like: $new = "Hello ".$username;
echo $new // should output: "Hello Mike"

I'm trying to save a phrase with a dynamic variable into a $_SESSION variable, so the phrase can later be change on a different page depending on the dynamic variable.

Is this possible, and how can it be done?

peppy
  • 173
  • 2
  • 17
  • 1
    You cannot do that (fortunately) – zerkms Jul 21 '16 at 22:44
  • Solving this is not trivial, and I'm getting the distinct impression that you're trying to solve another problem than you're posing here (i.o.w., [an XY problem](http://xyproblem.info/)). In any case, the solution would probably involve storing a string template in `$_SESSION['data']`, and then passing all relevant variables to the template engine. Again, not at all trivial, but there's really no other way to solve the *exact* problem you posed. So: what is the problem you're trying to solve? –  Jul 21 '16 at 22:50
  • In production, I'm trying to save an SQL statement into Session created from a massive and elaborate $_POST variable and SQL building calculation. When a user clicks "page 2", simply change the "Offet, Limit" part of my SQL statement instead of running the elaborate script over, and not having to saving 50 different $_POST variables into session variables. – peppy Jul 21 '16 at 22:52

4 Answers4

0

It will not work the way you have it written, because the value you have stored in the session is a completely new value made using the value of the $username variable. As soon as it has been created, the value in the session is not associated with the $username variable whatsoever.

You can store the name and the phrase in the session separately, so they can be modified independently, and then combine them together later at the time you need to use them together.

For the specific case in your comment, storing the SQL string for a prepared statement with placeholders should work.

$_SESSION['statement'] = "SELECT some_columns FROM some_table LIMIT ?, ?";
$_SESSION['limit'] = $limit;
$_SESSION['offset'] = $offset;

You can't store the prepared statement itself, but you can store the SQL string, and then prepare and execute it in subsequent pages.

$stmt = $pdo->prepare($_SESSION['statement']);
$stmt->execute([ $_SESSION['limit'], $_SESSION['offset'] ]);

Just remember when you are ready to bind values to it on your next page before executing it that you need to specify that they should be bound as integers or disable emulated prepared statements.

Community
  • 1
  • 1
Don't Panic
  • 41,125
  • 10
  • 61
  • 80
0

You could use string formatting for that. Take a look:

$username = 'John'; // not really needed for this test
$_SESSION['data'] = "Hello %s";


$username = 'Mike';
$text = sprintf($_SESSION['data'], $username);
echo $text

Output:

Hello mike

See the code in action here.

FirstOne
  • 6,033
  • 7
  • 26
  • 45
  • I know... This _might_ not be the answer for that specific problem (specially based on the OP's comment), but it can help others that end up on this question... – FirstOne Jul 21 '16 at 23:27
0

If you want to add new element in the session array then you can push new element in the session array as follows:

array_push($_SESSION['data'],$element)
PHP Geek
  • 3,949
  • 1
  • 16
  • 32
-2

You could do something like this:

$username = 'john';
$_SESSION['data'] = 'echo "Hello $username";';


$username = 'mike';
eval($_SESSION['data']);

But I don't know why you'd want to, there are millions of ways you could achieve the results you want, an approach like this probably isn't the best.

Nunchy
  • 948
  • 5
  • 11
  • Barry, is that how you get RCE vulnerabillities? Yes, it is, other Barry, yes, it is. –  Jul 21 '16 at 23:05
  • Didn't quite catch your name, Barry, was it?Nobody said it was a good idea, barry 1 and 2. – Nunchy Jul 21 '16 at 23:09