Request #35806 Enable/Disable debug functions from accessing protected/private elements
Submitted: 2005-12-26 15:40 UTC Modified: 2005-12-27 21:51 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: mega-squall at caramail dot com Assigned:
Status: Wont fix Package: Feature/Change Request
PHP Version: 5.1.1 OS: *
Private report: No CVE-ID: None
 [2005-12-26 15:40 UTC] mega-squall at caramail dot com
Description:
------------
Debug functions (print_r(), var_export()) may access protected/private elements of objects for debugging purposes, but such a behavior might be a security hole for some scripts on production status.

I suggest adding a configuration property which may enable or disable such functions from accessing private/protected elements, for instance in the php.ini ...


 [2005-12-26 21:19 UTC] derick@php.net
Those debugging functions should not be used in production at all... they are debugging features. And if they cause security problems you're definitely doing something very wrong...
 [2005-12-27 21:51 UTC] mega-squall at caramail dot com
I was thinking of a customizable portal for instance. It would allow some users (developers of the actual portal) to add/edit/delete pages or modules. When the portal is quite large, there would be many devs. Some may not have access to all parts of the site administration. But what if a verous dev wrote a hidden page with a print_r ($db->password); ?

Is such a project beyond the aim of PHP ?
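
The behaviour discussed in this report, as an added example that is not part of the original thread or of PHP's own code: it compares what print_r() and var_export() emit for a private property, with and without the `__debugInfo()` hook (added in PHP 5.6, after this report was filed). The class names and the credential are constructed for illustration; PHP 7.4 or later is assumed.

```php
<?php
// Added example: constructed classes and credential, not taken from the report.

final class LegacyDbConnection
{
    private string $password;

    public function __construct(string $password)
    {
        $this->password = $password;
    }
}

final class RedactedDbConnection
{
    private string $password;

    public function __construct(string $password)
    {
        $this->password = $password;
    }

    // print_r() and var_dump() show this array instead of the real properties.
    public function __debugInfo(): array
    {
        return ['password' => '[redacted]'];
    }
}

// True when the text produced by $dumper for $obj contains $needle.
function dumpContains(callable $dumper, object $obj, string $needle): bool
{
    return strpos($dumper($obj), $needle) !== false;
}

$secret    = 'constructed-secret';
$printR    = fn(object $o): string => print_r($o, true);
$varExport = fn(object $o): string => var_export($o, true);

foreach ([new LegacyDbConnection($secret), new RedactedDbConnection($secret)] as $obj) {
    printf(
        "%-22s print_r exposes secret: %s | var_export exposes secret: %s\n",
        get_class($obj),
        var_export(dumpContains($printR, $obj, $secret), true),
        var_export(dumpContains($varExport, $obj, $secret), true)
    );
}
```

`__debugInfo()` only changes what print_r() and var_dump() display; var_export() does not consult it, so redacting dump output is a guard against accidental disclosure in logs and error pages, not an access control between developers who can run code in the same application.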
Last updated: Thu Jul 17 04:01:33 2025 UTC