php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #21604 variables can be dynamically added to a class, without it being defined.
Submitted: 2003-01-12 22:46 UTC Modified: 2003-01-25 10:59 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: bmichael at goldparrot dot com Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 4.2.3 OS: Windows 2000 Server
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bmichael at goldparrot dot com
New email:
PHP Version: OS:

 

 [2003-01-12 22:46 UTC] bmichael at goldparrot dot com 
If you run the following script and check the output, you will see the that variable JUNK has been dynamically defined in the class X_Row() by using the statement:

  $user->query_row->JUNK = "stuff";

This behaviour certainly wasn't what I would expect.

-----------------------
<?php



 class X {
	 var $query_row;
	 
	 function X() {
		   $this->query_row = new X_Row();
		  return;
     }
  }
  
  class X_Row
  { 
   var $USERNAME;
   var $PASSWORD;
   var $CHECKING;
   
      function X_Row() {
			$this->USERNAME = NULL;
			$this->PASSWORD = NULL;
			$this->CHECKING = NULL;
       return;
       
   } //end function X_Row

 } //X_Row 
 

  $user = new X();
  //$user->query_row is of class X_Row
  
  //Therefore, the next statement should be valid, 
  //USERNAME has been declared in X_Row
  $user->query_row->USERNAME = 'mtl';
  
  //But the next statement shouldn't be
  //because the variable JUNK has not
  //been declared in the class
  $user->query_row->JUNK = 'stuff';
  
  $classname = get_class($user->query_row);
  $classvars = get_class_vars($classname);
  
  $query_row_class_vars = array_keys($classvars);
  
 
  echo "classname:{$classname}<br>";
  echo "classvars:<br>";
  var_dump($classvars);
  echo "<br>query_row_class_vars<br>";
  var_dump($query_row_class_vars);
  
  echo "<br><br>HOW IS THIS POSSIBLE? SEE BELOW!!!!!!!!!";
  echo "<br>user->query_row:<br>";
  var_dump($user->query_row);

?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-01-15 11:50 UTC] slowbyte at hot dot ee 
This is a "feature", not a bug. I can see good uses for this, my DataObject class uses this feature for dynamically adding instance variables from database records.
 [2003-01-15 20:11 UTC] bmichael at goldparrot dot com 
Can someone from an authority standpoint look into this?

If it is a feature, then it is potentially quite dangerous, 
both from a security standpoint as well as from on 
operational standpoint.

Why bother having class variables at all if that is the 
case?
 [2003-01-25 08:51 UTC] hholzgra@php.net 
for ZE1 this is definetly a (documented?) feature ...

i don't know about ZE2, but for backwards compatibility reasons i think this 'feature' will stay ...

any authoritative comments on this?
 [2003-01-25 10:59 UTC] derick@php.net 
Yup, this is a feature indeed and wont be fixed because of BC reasons.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Jul 09 09:01:35 2025 UTC