Bug #44273 access to private and protected class variables allowed when casting to array
Submitted: 2008-02-27 20:49 UTC
Modified: 2008-03-12 00:36 UTC
Avg. Score: 3.5 ± 0.5
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 0 (0.0%)
From: paulscheltema at gmail dot com
Assigned:
Status: Not a bug
Package: Scripting Engine problem
PHP Version: 5.2.5
OS: Windows XP / Linux Debian
Private report: No
CVE-ID: None
 [2008-02-27 20:49 UTC] paulscheltema at gmail dot com
Hello dear developer(s),

When I set up a simple class with a protected/private var,
instantiate the class, and cast the instance to an array,
I can access the protected/private var.

Reproduce code:
class test {
	public $public = 'public';
	private $private = 'private';
	protected $protected = 'protected';
}

$t = new test;
$a = (array)$t;

// Keys of the cast array: private is "\0<class>\0<name>", protected is "\0*\0<name>"
print '<br>public: '.$a['public'];
print '<br>private: '.$a["\0test\0private"];
print '<br>protected: '.$a["\0*\0protected"];

Expected result:

public: public

Or at most an Error like:
    Cannot access private property test::$private
as the value of the private property

Actual result:

public: public
private: private
protected: protected


 [2008-03-03 13:41 UTC]
Private/protected is about visibility between _classes_ not with a class cast to an array. So what's the "bug" here?
 [2008-03-04 13:27 UTC] paulscheltema at gmail dot com
I think the bug is that I CAN access private / protected class data at runtime which neglects the whole point of private or protected data inside classes. It is to be protected!

Why else use private data if you can access it anyway? It's useless then. It's just obstruction instead of security. (security in terms of data integrity)

On the positive side, at least I cannot change the data.

And to refer to your reaction precisely, let's have two classes A and B.
A is instantiated and has a private property x which is set, class B casts class A to an array and gains access to class A's private property x. This is not directly about visibility but it allows class B to "view" class A's private property x.
 [2008-03-05 14:03 UTC]
Yes, but can you _change_ it? (answer: no, not via that array..)
 [2008-03-05 14:25 UTC] paulscheltema at gmail dot com
Well, I guess it's OK then, it's just not what I'm used to with some other languages.

But I still think it's weird using protected to "protect" the data from the outside world, but not quite doing so.

I now know storing vital information such as passwords inside class variables, even protected ones, doesn't help much.

So giving another developer access to an API doesn't protect me anymore either.

But if it's no bug since changing the data isn't possible that way, so be it.

And I have to say, don't change the point:
first you say it's about visibility,
I explain why it is,
next you say it doesn't matter because you can't change its value.
 [2008-03-11 22:04 UTC]
Maybe this explains it better:

class test {
   public $public = 'public';
   private $private = 'private';
   protected $protected = 'protected';
}
$t = new test;

And this will output everything, and it's expected and the correct behaviour. It's about the properties being visible/not-visible/writable to other classes. PPP is not meant for providing any security.
(I admit, I'm bad at explaining things. :)

 [2008-03-11 22:06 UTC]
And last but not least, here's an excerpt from the manual (

"The visibility of a property or method can be defined by prefixing the declaration with the keywords: public, protected or private. Public declared items can be accessed everywhere. Protected limits access to inherited and parent classes (and to the class that defines the item). Private limits visibility only to the class that defines the item."
 [2008-03-12 00:36 UTC] paulscheltema at gmail dot com
OK, sorry for your time.

It came across to me as being very strange behaviour.

It's just really annoying you can't hide variables inside classes that way.

But as the manual says, it's just about classes, nothing else.

Strange to see then that in newer PHP versions it is recommended (even throws an error using strict) to use private/protected/public when really it doesn't add anything but obstruction.

But again, sorry for your time, and thank you for the answer.
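
The behaviour discussed in this report, as an added example (not code from the report or from the PHP project): it decodes the keys an (array) cast produces and checks that the resulting array is a copy of the object's properties. The class Account, its values and the helper describe_cast() are constructed for illustration.

```php
<?php
// Constructed sample class and values; not taken from the bug report.
class Account {
    public $user = 'alice';
    protected $role = 'admin';
    private $token = 'constructed-sample-value';

    public function token() { return $this->token; }
}

/**
 * Decode the keys produced by an (array) cast into rows of
 * [visibility, declaring class or null, property name, value].
 */
function describe_cast($obj) {
    $out = array();
    foreach ((array)$obj as $key => $value) {
        $key = (string)$key;
        if ($key !== '' && $key[0] === "\0") {
            // "\0*\0name" is protected; "\0Class\0name" is private to Class.
            list(, $scope, $name) = explode("\0", $key, 3);
            $vis   = ($scope === '*') ? 'protected' : 'private';
            $class = ($scope === '*') ? null : $scope;
        } else {
            $vis = 'public'; $class = null; $name = $key;
        }
        $out[] = array($vis, $class, $name, $value);
    }
    return $out;
}

$acct = new Account;
foreach (describe_cast($acct) as $row) {
    list($vis, $class, $name, $value) = $row;
    printf("%-9s %-8s %-6s %s\n", $vis, $class === null ? '-' : $class, $name, $value);
}

// The cast yields a copy: writing to it leaves the object untouched.
$copy = (array)$acct;
$copy["\0Account\0token"] = 'changed';
var_dump($acct->token() === 'constructed-sample-value');
```

Any code running in the same process can read these values this way, so visibility keywords are an encapsulation aid and not a confidentiality boundary for secrets held in object properties.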

Last updated: Sun Nov 19 01:31:42 2017 UTC