Bug #17874 var_export prints to screen
Submitted: 2002-06-20 11:47 UTC Modified: 2002-06-20 12:12 UTC
From: che at atlantic dot net Assigned:
Status: Not a bug Package: Output Control
PHP Version: 4.2.0 OS: Windows 2000
Private report: No CVE-ID: None
 [2002-06-20 11:47 UTC] che at atlantic dot net
The code below outputs to the screen. (Even with output buffering)

ob_start();
$v = var_export($GLOBALS, TRUE);
ob_end_clean();

 [2002-06-20 12:02 UTC] che at atlantic dot net
This is because GLOBALS is recursively linked to itself and it is causing var_export to die.
 [2002-06-20 12:12 UTC] sander@php.net
Not a bug. var_export() dies in recursive arrays. var_export() uses output buffering internally to deal with the second parameter. The (internal) ob_end_clean() call will never make it because PHP dies before it reaches that point and then it just outputs all buffers.
 [2003-09-14 11:20 UTC] icecube at fr dot fm
<?
$foo=var_export($GLOBALS,TRUE);
?>
(with or without output buffering).

It's the same problem: var_export outputs $GLOBALS to the screen and then dies with an error message.


So that's not a bug...
OK, now imagine you're using this script in your website, and you haven't noticed that error.
With an example it's easier to understand:
<?

function save_anywhere($foo) {
$save=var_export($foo,TRUE);
/* ... */
}

save_anywhere(&$GLOBALS);

?>

You wish to save $GLOBALS for any reason (log, ...) and what's the result? var_export produces an error and outputs ALL your variables directly to the user, who can now hack your site just because he has your $mdp = "..." :)


It's maybe not necessary to output a variable that was destined (with the second parameter TRUE) to be stored anywhere except on the user's HD.
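
An added example, not part of the bug thread and not PHP's own code: one way to log a structure like $GLOBALS without handing the recursive array to var_export() at all, by building the string with a depth limit and masking keys that look like credentials. The name safe_dump(), its parameters, the redaction key list and the sample array are assumptions made for illustration; it assumes PHP 7.2 or later.

```php
<?php
// Added example; safe_dump() and its parameters are hypothetical names.
// The dump is assembled as a string by walking the value, so no partially
// filled output buffer exists that could be flushed to the client on error.
function safe_dump($value, array $redact = ['password', 'passwd', 'mdp', 'secret', 'token'],
                   int $maxDepth = 4, int $depth = 0, array &$seen = []): string
{
    $pad = str_repeat('  ', $depth);
    if (is_object($value)) {
        $id = spl_object_id($value);
        if (isset($seen[$id])) {
            return '*RECURSION*';              // object already on the current path
        }
        $seen[$id] = true;
        $out = safe_dump(get_object_vars($value), $redact, $maxDepth, $depth, $seen);
        unset($seen[$id]);
        return get_class($value) . ' ' . $out;
    }
    if (!is_array($value)) {
        // Scalars and null only: var_export() is safe here, nothing can recurse.
        return is_resource($value) ? 'resource' : var_export($value, true);
    }
    if ($depth >= $maxDepth) {
        return '*DEPTH LIMIT*';                // stops self-referencing arrays
    }
    $lines = [];
    foreach ($value as $key => $item) {
        $hide = false;
        foreach ($redact as $needle) {
            if (stripos((string) $key, $needle) !== false) { $hide = true; break; }
        }
        $lines[] = $pad . '  ' . var_export($key, true) . ' => '
            . ($hide ? "'*REDACTED*'" : safe_dump($item, $redact, $maxDepth, $depth + 1, $seen));
    }
    return "[\n" . implode(",\n", $lines) . ($lines ? "\n" : '') . $pad . ']';
}

// Constructed sample: a self-referencing array standing in for $GLOBALS.
$state = ['user' => 'alice', 'mdp' => 'hunter2', 'cfg' => ['db_password' => 'x', 'port' => 3306]];
$state['self'] = &$state;

error_log(safe_dump($state));   // sent through error_log(), never echoed
```

In the logged text the values under 'mdp' and 'db_password' appear as '*REDACTED*', and the 'self' branch ends in '*DEPTH LIMIT*' once the nesting reaches $maxDepth.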