|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #21604 variables can be dynamically added to a class, without it being defined.
Submitted: 2003-01-12 22:46 UTC Modified: 2003-01-25 10:59 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: bmichael at goldparrot dot com Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 4.2.3 OS: Windows 2000 Server
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: bmichael at goldparrot dot com
New email:
PHP Version: OS:


 [2003-01-12 22:46 UTC] bmichael at goldparrot dot com
If you run the following script and check the output, you will see the that variable JUNK has been dynamically defined in the class X_Row() by using the statement:

  $user->query_row->JUNK = "stuff";

This behaviour certainly wasn't what I would expect.


 class X {
	 var $query_row;
	 function X() {
		   $this->query_row = new X_Row();
  class X_Row
   var $USERNAME;
   var $PASSWORD;
   var $CHECKING;
      function X_Row() {
			$this->USERNAME = NULL;
			$this->PASSWORD = NULL;
			$this->CHECKING = NULL;
   } //end function X_Row

 } //X_Row 

  $user = new X();
  //$user->query_row is of class X_Row
  //Therefore, the next statement should be valid, 
  //USERNAME has been declared in X_Row
  $user->query_row->USERNAME = 'mtl';
  //But the next statement shouldn't be
  //because the variable JUNK has not
  //been declared in the class
  $user->query_row->JUNK = 'stuff';
  $classname = get_class($user->query_row);
  $classvars = get_class_vars($classname);
  $query_row_class_vars = array_keys($classvars);
  echo "classname:{$classname}<br>";
  echo "classvars:<br>";
  echo "<br>query_row_class_vars<br>";
  echo "<br><br>HOW IS THIS POSSIBLE? SEE BELOW!!!!!!!!!";
  echo "<br>user->query_row:<br>";



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2003-01-15 11:50 UTC] slowbyte at hot dot ee
This is a "feature", not a bug. I can see good uses for this, my DataObject class uses this feature for dynamically adding instance variables from database records.
 [2003-01-15 20:11 UTC] bmichael at goldparrot dot com
Can someone from an authority standpoint look into this?

If it is a feature, then it is potentially quite dangerous, 
both from a security standpoint as well as from on 
operational standpoint.

Why bother having class variables at all if that is the 
 [2003-01-25 08:51 UTC]
for ZE1 this is definetly a (documented?) feature ...

i don't know about ZE2, but for backwards compatibility reasons i think this 'feature' will stay ...

any authoritative comments on this?

 [2003-01-25 10:59 UTC]
Yup, this is a feature indeed and wont be fixed because of BC reasons. 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Aug 14 00:05:44 2022 UTC