php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #26946 casting an object instance to array exports protected/private data
Submitted: 2004-01-17 11:12 UTC Modified: 2004-03-15 10:40 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: andrey@php.net Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 5CVS-2004-03-15 OS: *
Private report: No CVE-ID: None
View Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
45 + 43 = ?
Subscribe to this entry?

 
 [2004-01-17 11:12 UTC] andrey@php.net 
Description:
------------
casting an object to array gives the possibility to get the values of protected/private member variables :

IMO, when casting to array with (array) only the public-ly visible members should returned.

Andrey 

Reproduce code:
---------------
<?php
class some {
        public $pub = 1;
        protected $prot = 2;
        private $priv = 3;

}
var_dump((array)new some());

?>

Expected result:
----------------
array(3) {
  ["pub"]=>
  int(1)
}

Actual result:
--------------
array(3) {
  ["pub"]=>
  int(1)
  ["*prot"]=>
  int(2)
  ["somepriv"]=>
  int(3)
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-02-05 16:53 UTC] helly@php.net 
The solution is to manually loop through the property hash table and return properties only with respect to visibility like we do inside FE_FETCH opcode handler.
 [2004-03-15 10:29 UTC] sniper@php.net 
print_r() shows them too, even without the cast..
 [2004-03-15 10:33 UTC] andrey@php.net 
But print_r()'s output has to be parsed while a simple cast is enough to get the data straightly.
 [2004-03-15 10:40 UTC] derick@php.net 
So? They are not meant to hide data, only to enforce contracts.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 01:00:02 2025 UTC