PHP :: Bug #21604 :: variables can be dynamically added to a class, without it being defined.

Bug #21604

variables can be dynamically added to a class, without it being defined.

Submitted:

2003-01-12 22:46 UTC

Modified:

2003-01-25 10:59 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	0 (0.0%)

From:

bmichael at goldparrot dot com

Assigned:

Status:

Wont fix

Package:

Scripting Engine problem

PHP Version:

4.2.3

OS:

Windows 2000 Server

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!

Your email address: MUST BE VALID
Solve the problem: 10 - 3 = ?
Subscribe to this entry?

[2003-01-12 22:46 UTC] bmichael at goldparrot dot com

If you run the following script and check the output, you will see the that variable JUNK has been dynamically defined in the class X_Row() by using the statement:

  $user->query_row->JUNK = "stuff";

This behaviour certainly wasn't what I would expect.

-----------------------
<?php



 class X {
	 var $query_row;
	 
	 function X() {
		   $this->query_row = new X_Row();
		  return;
     }
  }
  
  class X_Row
  { 
   var $USERNAME;
   var $PASSWORD;
   var $CHECKING;
   
      function X_Row() {
			$this->USERNAME = NULL;
			$this->PASSWORD = NULL;
			$this->CHECKING = NULL;
       return;
       
   } //end function X_Row

 } //X_Row 
 

  $user = new X();
  //$user->query_row is of class X_Row
  
  //Therefore, the next statement should be valid, 
  //USERNAME has been declared in X_Row
  $user->query_row->USERNAME = 'mtl';
  
  //But the next statement shouldn't be
  //because the variable JUNK has not
  //been declared in the class
  $user->query_row->JUNK = 'stuff';
  
  $classname = get_class($user->query_row);
  $classvars = get_class_vars($classname);
  
  $query_row_class_vars = array_keys($classvars);
  
 
  echo "classname:{$classname}<br>";
  echo "classvars:<br>";
  var_dump($classvars);
  echo "<br>query_row_class_vars<br>";
  var_dump($query_row_class_vars);
  
  echo "<br><br>HOW IS THIS POSSIBLE? SEE BELOW!!!!!!!!!";
  echo "<br>user->query_row:<br>";
  var_dump($user->query_row);

?>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-01-15 11:50 UTC] slowbyte at hot dot ee

This is a "feature", not a bug. I can see good uses for this, my DataObject class uses this feature for dynamically adding instance variables from database records.

[2003-01-15 20:11 UTC] bmichael at goldparrot dot com

Can someone from an authority standpoint look into this?

If it is a feature, then it is potentially quite dangerous, 
both from a security standpoint as well as from on 
operational standpoint.

Why bother having class variables at all if that is the 
case?

[2003-01-25 08:51 UTC] hholzgra@php.net

for ZE1 this is definetly a (documented?) feature ...

i don't know about ZE2, but for backwards compatibility reasons i think this 'feature' will stay ...

any authoritative comments on this?

[2003-01-25 10:59 UTC] derick@php.net

Yup, this is a feature indeed and wont be fixed because of BC reasons.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 19:01:28 2024 UTC