Bug #21604 variables can be dynamically added to a class, without it being defined.
Submitted: 2003-01-12 22:46 UTC Modified: 2003-01-25 10:59 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: bmichael at goldparrot dot com Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 4.2.3 OS: Windows 2000 Server
Private report: No CVE-ID: None
 [2003-01-12 22:46 UTC] bmichael at goldparrot dot com
If you run the following script and check the output, you will see that the variable JUNK has been dynamically defined in the class X_Row() by using the statement:

  $user->query_row->JUNK = "stuff";

This behaviour certainly wasn't what I would expect.

-----------------------
<?php

class X {
    var $query_row;

    function X() {
        $this->query_row = new X_Row();
        return;
    }
}

class X_Row {
    var $USERNAME;
    var $PASSWORD;
    var $CHECKING;

    function X_Row() {
        $this->USERNAME = NULL;
        $this->PASSWORD = NULL;
        $this->CHECKING = NULL;
        return;
    } //end function X_Row
} //X_Row

$user = new X();
//$user->query_row is of class X_Row

//Therefore, the next statement should be valid,
//USERNAME has been declared in X_Row
$user->query_row->USERNAME = 'mtl';

//But the next statement shouldn't be
//because the variable JUNK has not
//been declared in the class
$user->query_row->JUNK = 'stuff';

$classname = get_class($user->query_row);
$classvars = get_class_vars($classname);

$query_row_class_vars = array_keys($classvars);

echo "classname:{$classname}<br>";
echo "classvars:<br>";
var_dump($classvars);
echo "<br>query_row_class_vars<br>";
var_dump($query_row_class_vars);

echo "<br><br>HOW IS THIS POSSIBLE? SEE BELOW!!!!!!!!!";
echo "<br>user->query_row:<br>";
var_dump($user->query_row);

?>

 [2003-01-15 11:50 UTC] slowbyte at hot dot ee
This is a "feature", not a bug. I can see good uses for this, my DataObject class uses this feature for dynamically adding instance variables from database records.
 [2003-01-15 20:11 UTC] bmichael at goldparrot dot com
Can someone from an authority standpoint look into this?

If it is a feature, then it is potentially quite dangerous, 
both from a security standpoint as well as from an 
operational standpoint.

Why bother having class variables at all if that is the 
case?
 [2003-01-25 08:51 UTC] hholzgra@php.net
For ZE1 this is definitely a (documented?) feature ...

I don't know about ZE2, but for backwards compatibility reasons I think this 'feature' will stay ...

Any authoritative comments on this?


 [2003-01-25 10:59 UTC] derick@php.net
Yup, this is a feature indeed and won't be fixed because of BC reasons.
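
Since the engine behaviour stays, a class that wants the strictness the reporter expected has to enforce it itself. The following is an added example, not part of the original thread and not PHP project code; it assumes PHP 5 or later (where the `__set()` magic method is available), and `StrictRow`, `UserRow` and `fill()` are hypothetical names.

```php
<?php
// Added example, not code from the bug report. Assumes PHP 5 or later;
// StrictRow and UserRow are hypothetical names.
abstract class StrictRow
{
    // PHP calls __set() only for properties that are not declared (or not
    // visible), so assignments to declared public properties are unaffected.
    public function __set($name, $value)
    {
        throw new LogicException(
            sprintf('Undeclared property %s::$%s', get_class($this), $name)
        );
    }

    // Copy only declared keys from an untrusted array (a database row,
    // request data) and return the rejected keys so the caller can log them.
    public function fill(array $data)
    {
        $rejected = array();
        foreach ($data as $key => $value) {
            if (property_exists($this, (string) $key)) {
                $this->$key = $value;
            } else {
                $rejected[] = $key;
            }
        }
        return $rejected;
    }
}

class UserRow extends StrictRow
{
    public $USERNAME = null;
    public $PASSWORD = null;
    public $CHECKING = null;
}

$row = new UserRow();
$row->USERNAME = 'mtl';   // declared property: normal assignment

// Constructed sample input with one undeclared key.
$rejected = $row->fill(array('CHECKING' => 1, 'JUNK' => 'stuff'));
var_dump($rejected);

try {
    $row->JUNK = 'stuff'; // undeclared property: __set() throws
} catch (LogicException $e) {
    echo $e->getMessage(), "\n";
}
var_dump(get_object_vars($row));
```

The `fill()` allow-list matters most for the record-to-object pattern mentioned in the first reply: keys that come from outside the code cannot create new instance variables.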
 