php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #44031 vprint treats private object elements as array elements
Submitted: 2008-02-03 12:50 UTC Modified: 2020-12-21 22:02 UTC
Votes:7
Avg. Score:3.6 ± 0.9
Reproduced:5 of 6 (83.3%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: m dot beyer5 at gmx dot de Assigned: nikic (profile)
Status: Closed Package: *General Issues
PHP Version: 5.2.5 OS: Debian Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: m dot beyer5 at gmx dot de
New email:
PHP Version: OS:

 

 [2008-02-03 12:50 UTC] m dot beyer5 at gmx dot de 
Description:
------------
If an object is supplied instead of an array, v(s)printf takes the internal object elements as elements despite of its visibility.
This is not only quite annoying but could be a security issue as well.

Reproduce code:
---------------
class foo
{
    private $x = 1;
    private $y = 2;
    
}

$array = new foo;
vprintf('%s < %s',$array);

Expected result:
----------------
An E_WARNING should be triggered.
Alternatively, vprintf could take an object instantiating or extending ArrayObject and behave according to the objects functions.

Actual result:
--------------
vprintf prints:

1 < 2

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-05-17 18:28 UTC] cmb@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2015-05-17 18:28 UTC] cmb@php.net 
The behavior is not particularly related to vprinf(), but that is
rather how casting objects to arrays work in PHP, see
<http://3v4l.org/3R6QT>.
 [2016-02-21 12:40 UTC] nikic@php.net
-Type: Feature/Change Request +Type: Bug
 [2016-02-21 12:40 UTC] nikic@php.net 
This is an artifact of vprintf not using zpp properly, it does manual argument handling instead and does it incorrectly.
 [2020-12-21 22:00 UTC] sji at sj-i dot dev 
Cannot reproduce this on PHP 8.0.0 anymore.
https://3v4l.org/rXPtL
 [2020-12-21 22:02 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-12-21 22:02 UTC] nikic@php.net 
Closing per above comment.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Jul 04 23:01:33 2025 UTC