Bug #44273 access to private and protected class variables allowed when casting to array
Submitted: 2008-02-27 20:49 UTC Modified: 2008-03-12 00:36 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:0 (0.0%)
From: paulscheltema at gmail dot com Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.2.5 OS: Windows XP / Linux Debian
Private report: No CVE-ID: None
 [2008-02-27 20:49 UTC] paulscheltema at gmail dot com
Description:
------------
Hello dear developer(s),

When I set up a simple class with a protected/private var,
instantiate the class, and cast the instance to an array
I can access the protected/private var.


Reproduce code:
---------------
<?php
class test {
	public $public = 'public';
	private $private = 'private';
	protected $protected = 'protected';
}

$t = new test;
$a = (array)$t;

print '<br>public: '.$a['public'];
print '<br>private: '.$a["\0test\0private"];
print '<br>protected: '.$a["\0*\0protected"];

Expected result:
----------------
Expected:

public: public

Or at most an Error like:
    Cannot access private property test::$private
as the value of the private property



Actual result:
--------------
Result:

public: public
private: private
protected: protected

 [2008-03-03 13:41 UTC] jani@php.net
Private/protected is about visibility between _classes_ not with a class cast to an array. So what's the "bug" here?
 [2008-03-04 13:27 UTC] paulscheltema at gmail dot com
I think the bug is that I CAN access private / protected class data at runtime which neglects the whole point of private or protected data inside classes. It is to be protected!

Why else use private data if you can access it anyway? It's useless then. It's just obstruction instead of security. (security in terms of data integrity)

On the positive side at least I cannot change the data.

And to refer to your reaction precisely, let's have two classes A and B.
A is instantiated and has a private property x which is set, class B casts class A to an array and gains access to class A's private property x. This is not directly about visibility but it allows class B to "view" class A's private property x.
 [2008-03-05 14:03 UTC] jani@php.net
Yes, but can you _change_ it? (answer: no, not via that array..)
 [2008-03-05 14:25 UTC] paulscheltema at gmail dot com
Well, I guess it's OK then, it's just not what I'm used to with some other languages.

But I still think it's weird using protected to "protect" the data from the outside world, but not quite doing so.

I now know storing vital information such as passwords inside class variables, even protected ones, doesn't help much.

So giving another developer access to an API doesn't protect me anymore either.

But if it's no bug since changing the data isn't possible that way, so be it.

And I have to say, don't change the point:
first you say it's about visibility,
I explain why it is,
next you say it doesn't matter because you can't change its value
 [2008-03-11 22:04 UTC] jani@php.net
Maybe this explains it better:
<?php

class test {
   public $public = 'public';
   private $private = 'private';
   protected $protected = 'protected';
}
$t = new test;
var_dump($t);
?>

And this will output everything, and it's expected and the correct behaviour. It's about the properties being visible/not-visible/writable to other classes. PPP is not meant for providing any security.
(I admit, I'm bad at explaining things. :)


 [2008-03-11 22:06 UTC] jani@php.net
And last but not least, here's an excerpt from the manual (http://www.php.net/manual/en/language.oop5.visibility.php):

"The visibility of a property or method can be defined by prefixing the declaration with the keywords: public, protected or private. Public declared items can be accessed everywhere. Protected limits access to inherited and parent classes (and to the class that defines the item). Private limits visibility only to the class that defines the item."
 [2008-03-12 00:36 UTC] paulscheltema at gmail dot com
OK, sorry for your time.

It came on to me as being very strange behaviour.

It's just really annoying you can't hide variables inside classes that way.

But as the manual says, it's just about classes, nothing else.

Strange to see then that in newer PHP versions it is recommended (even throws an error using strict) to use private/protected/public when really it doesn't add anything but obstruction.

But again sorry for your time, and ty for the answer.

regards,
paul
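
Added example (not part of the original report, and not code from the PHP project): the array keys used in the reproduce code follow a fixed pattern, and this sketch decodes them for any object, including a private property inherited from a parent class, then checks the point made in the thread that writing to the cast array does not change the object. The classes `Base` and `Test` and the function `describe_cast_keys` are constructed for illustration.

```php
<?php
// Added illustration: decode the keys produced by (array)$object.
// Base and Test are constructed sample classes, not code from the report.
class Base {
    private $secret = 'base-private';
}

class Test extends Base {
    public $public = 'public';
    private $private = 'private';
    protected $protected = 'protected';
}

// Key formats produced by the cast:
//   "name"            public
//   "\0*\0name"       protected
//   "\0Class\0name"   private, Class being the declaring class
// Returns rows of [visibility, declaring class or null, name, value].
function describe_cast_keys($object)
{
    $rows = array();
    foreach ((array)$object as $key => $value) {
        $key = (string)$key;
        // The second NUL byte closes the scope prefix; none means public.
        $end = ($key !== '' && $key[0] === "\0") ? strpos($key, "\0", 1) : false;
        if ($end === false) {
            $rows[] = array('public', null, $key, $value);
            continue;
        }
        $scope = substr($key, 1, $end - 1);
        $name  = substr($key, $end + 1);
        $rows[] = ($scope === '*')
            ? array('protected', null, $name, $value)
            : array('private', $scope, $name, $value);
    }
    return $rows;
}

$t = new Test;
foreach (describe_cast_keys($t) as $row) {
    list($visibility, $class, $name, $value) = $row;
    printf("%-9s %-5s %-10s = %s\n", $visibility, $class === null ? '-' : $class, $name, $value);
}

// The cast yields a copy: write to it, then read the object again.
$copy = (array)$t;
$copy["\0Test\0private"] = 'changed';
$again = (array)$t;
echo 'object still holds: ', $again["\0Test\0private"], "\n";
```

Any code that holds the object can read these values, so `private` and `protected` should not be relied on to keep a value such as a password confidential from other code in the same process.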