php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #52428 $this isn't immutable
Submitted: 2010-07-24 11:36 UTC Modified: 2010-07-26 11:20 UTC
From: tyra3l at gmail dot com Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.3.3 OS: all
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: tyra3l at gmail dot com
New email:
PHP Version: OS:

 

 [2010-07-24 11:36 UTC] tyra3l at gmail dot com 
Description:
------------
As some closed bug-reports and the "PHP Fatal error:  Cannot re-assign $this" 
states, the $this should be read-only/inmutable  in PHP5.
but with some tricks(variable variables mostly), you can walk-around this 
constraint.
See the Test script.
I don't know the importance of this restriction, and with reflection you can shoot 
you in the leg anyway, so maybe this can be left as is.

Test script:
---------------
<?php

error_reporting(E_ALL);

$var = new StdClass();
$var->foo = 'bar';

//$this = $var; // PHP Fatal error:  Cannot re-assign $this

$GLOBALS['this'] = $var;

var_dump($this);

$var->foo = 'baz';

$foo = 'this';
$$foo = $var;

var_dump($this);

foo($this);

function foo($this){
  //global $this; // PHP Fatal error:  Cannot re-assign $this
  // $this = $GLOBALS['var']; // PHP Fatal error:  Cannot re-assign $this
  var_dump($this);
  $GLOBALS['this']->foo = 'baw';
  $$GLOBALS['foo'] = $GLOBALS['this'];
  var_dump($this);
}


Expected result:
----------------
PHP Fatal error:  Cannot re-assign $this
for every attempt to overwrite $this

Actual result:
--------------
you can set $this in the global scope through $GLOBALS, with argument in 
functions, and with variable variables in everywhere.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-25 18:39 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2010-07-25 18:39 UTC] johannes@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

We prevent from mistakes, we don't prevent people from hurting them purposely. If you want you can shoot yourself in your head.
 [2010-07-25 18:50 UTC] tyra3l at gmail dot com 
Thanks for the clarification.

Did I something wrong in the report, or you just copypasted the "Thank you for 
taking the time to write to us..." part of your comment?

Maybe it would be a good thing to add this conclusion to the documentation 
(reassigning this isn't allowed, because ..., if you try it, it will give you an 
error "Cannot re-assign this..." [if you really need this, you can do...])

Tyrael
 [2010-07-26 10:32 UTC] dagdamor10 at mail dot ru 
>> If you want you can shoot yourself in your head.

Okay, that was plain rude.

PHP *should* protect websites from possible exploits, what about abolishing everything related to safe_mode, allowed paths and such? To make a good site, people need good programming language... and good programming language should be accurate in range-checking, resource-protecting etc, instead of leaving all that to every programmer who decide to use it.
 [2010-07-26 10:51 UTC] tyra3l at gmail dot com 
"what about abolishing everything related to safe_mode"
safe_mode has been DEPRECATED as of PHP 5.3.0. and will be removed with the next 
major php version.

Tyrael
 [2010-07-26 11:20 UTC] degeberg@php.net 
@dagdamor10: This has nothing to do with exploits at all. It poses no security risk being able to modify the $this variable by circumventing the simple check that is implemented.
 [2010-07-26 11:30 UTC] tyra3l at gmail dot com 
There was some reason for this check to be placed.
My problem with this behaviour that the 
$bar = 'baz';
should work the same as 
$foo='bar';$$foo = 'baz'; 
and same for the $foo vs $GLOBALS['foo']

Tyrael
 [2012-02-24 15:15 UTC] stelian dot mocanita at gmail dot com 
I strongly disagree with this not being a bug. I came across some old code where 
I had $this->object out of a class context and it took me a lot of hours to 
track and still did not get to the bottom of it.

More than that, this is lacking consistency. It can't allow me to assign a value 
to $this using globals / variable variables and not allow me to assign it a 
value otherwise.

As far as I see it it's either: $this can be overwritten by any assignation 
method in php or it can't be overwritten at all. Allowing people to shoot 
themselves is a bad practice and it leads to shooting someone.

Thank you,
Stelian
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Apr 28 08:01:28 2025 UTC