php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #17874 var_export prints to screen
Submitted: 2002-06-20 11:47 UTC Modified: 2002-06-20 12:12 UTC
From: che at atlantic dot net Assigned:
Status: Not a bug Package: Output Control
PHP Version: 4.2.0 OS: Windows 2000
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: che at atlantic dot net
New email:
PHP Version: OS:

 

 [2002-06-20 11:47 UTC] che at atlantic dot net 
The code below outputs to the screen. (Even with output buffering)

ob_start();
$v = var_export($GLOBALS, TRUE);
ob_end_clean();

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-20 12:02 UTC] che at atlantic dot net 
This is because GLOBALS is recursively linked to itself and it is causing var_export to die.
 [2002-06-20 12:12 UTC] sander@php.net 
Not a b. var_export() dies in recursive arrays. var_export() uses output buffering internally to deal with the second parameter. The (internal) ob_end_clean() call will never make it because PHP dies before it reaches that point and then it just outputs all buffers.
 [2003-09-14 11:20 UTC] icecube at fr dot fm 
<?
$foo=var_export($GLOBALS,TRUE);
?>
(whithout or not output buffering).

It's the same problem: var_export outputs to the screen $GLOBALS and then die with an error message.


So that's not a bug...
Ok now imagine you're using a this script in in your website, and you haven't noticed that error.
With an example it's more easy to understand:
<?

function save_anywhere($foo) {
$save=var_export($foo,TRUE);
/* ... */
}

save_anywhere(&$GLOBALS);

?>

You wish to save $GLOBALS for a any reason (log, ...) and what's the result ? var_export produces an error and outputs ALL your variables directly to the user, wich now can hack your site just because he has your $mdp = "..." :)


It's maybe not necessary to output a variable that was destinated (with the second parameter TRUE) to be stocked anywhere except in the user HD.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Nov 04 05:00:01 2025 UTC