Bug #60431 private Array
Submitted: 2011-12-02 12:03 UTC Modified: 2011-12-02 12:22 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kapsonfire at gmx dot de Assigned:
Status: Not a bug Package: Class/Object related
PHP Version: 5.3.8 OS: Debian Squeeze
Private report: No CVE-ID: None
 [2011-12-02 12:03 UTC] kapsonfire at gmx dot de
Description:
------------
Using a private array in a class as a data layer, it becomes readable outside of the class with print_r

Test script:
---------------
<?php
//test.php
require "classes/Item.class.php";
require "classes/User.class.php";

session_start();
//DB SHIT

$item = new Item(1);

echo "<pre>ITEMOBJECT:<br>".(print_r($item,true))."</pre>";
?>



<?php
// classes/Item.class.php
class Item {
    private $DATA=array();
    private $OWNER=null;
    public function __construct($itemID) {
        // Cast the ID to int so the value cannot alter the query text.
        $item = mysql_fetch_assoc(mysql_query("SELECT * FROM w1_items WHERE itemid = " . (int)$itemID));
        $keys = array_keys($item);
        foreach($keys as $key)
        {
            
            $this->DATA[$key] = $item[$key];
        }
        
    }
    
       
}


Expected result:
----------------
ITEMOBJECT:
Item Object
(
    [DATA:Item:private] => Array
        (
            [itemid] => 1
            [uid] => 2
        )

    [OWNER:Item:private] => 
)


 [2011-12-02 12:11 UTC] pajoye@php.net
-Status: Open +Status: Bogus
 [2011-12-02 12:11 UTC] pajoye@php.net
Release\php.exe -n -r "class f {private $f=1;} $a = new f; $a->f;"

Fatal error: Cannot access private property f::$f in Command line code on line 1

print_r/var_dump are only debugging/informative functions.
 [2011-12-02 12:15 UTC] kapsonfire at gmx dot de
Well, but this only happens with arrays used as datalayer in this way.
The $OWNER isn't readable outside with print_r after creating an instance on it.
 [2011-12-02 12:22 UTC] pajoye@php.net
No, it is not readable. Using:

class Item {
   private $DATA=array();
   private $OWNER=null;
   public function __construct($itemID) {
   }
}
$a = new Item(1);
$a->DATA;

PHP Fatal error:  Cannot access private property Item::$DATA in /home/pierre/60431.php on line 14
 [2011-12-03 16:52 UTC] kapsonfire at gmx dot de
The problem is that private vars shouldn't be readable for security reasons.
Even for debugging purposes....

If you create an instance of a class on $owner, which is private,
it isn't readable with print_r.


Of course, using $class->attribut doesn't work,
but private variables should never be readable outside of the class.
If they are still readable with debugging methods, it's still a security leak for me,
and I don't believe it's expected to be readable, because then all private variables should be readable via print_r.
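
Added example, not part of the original report or of any commenter's code: it shows the behaviour discussed in this thread (direct access to a private property is blocked, while print_r dumps it) next to a class that redacts its debug view with __debugInfo(). The RedactedItem class, the leaks() helper and the sample row (including the api_token value) are constructed for illustration; it assumes PHP 7 or later.

```php
<?php
// Original report's class shape; the constructor takes a row instead of querying.
class Item {
    private $DATA = array();
    private $OWNER = null;
    public function __construct(array $row) {
        $this->DATA = $row; // stands in for the database row in the report
    }
}

// Hypothetical variant: same fields, but the debug view is redacted.
class RedactedItem {
    private $DATA = array();
    private $OWNER = null;
    public function __construct(array $row) {
        $this->DATA = $row;
    }
    // Consulted by var_dump() and print_r() (PHP 5.6+).
    public function __debugInfo() {
        // Show which keys exist, never their values.
        return array('DATA' => array_fill_keys(array_keys($this->DATA), '[redacted]'));
    }
}

// Constructed sample data; the token is a placeholder, not a real secret.
const SECRET = 'constructed-secret';
$row = array('itemid' => 1, 'uid' => 2, 'api_token' => SECRET);

// Helper: does a print_r dump of $value contain the secret?
function leaks($value) {
    return strpos(print_r($value, true), SECRET) !== false;
}

$plain = new Item($row);
try {
    $plain->DATA; // visibility is enforced for direct property access
} catch (Error $e) {
    echo "direct access: ", $e->getMessage(), "\n";
}

// print_r is a debugging aid and ignores visibility.
echo "Item via print_r leaks: ", var_export(leaks($plain), true), "\n";

// With __debugInfo() the dump only carries the redacted view.
$safe = new RedactedItem($row);
echo "RedactedItem via print_r leaks: ", var_export(leaks($safe), true), "\n";

// Caveat: an (array) cast does not consult __debugInfo().
echo "RedactedItem via (array) cast leaks: ", var_export(leaks((array) $safe), true), "\n";
```

The last line is the practical caveat: __debugInfo() keeps secrets out of debug output and logs, but property visibility is an encapsulation feature, not a confidentiality boundary for code running in the same process.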
Last updated: Fri Jul 04 15:01:36 2025 UTC