php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #52428 $this isn't immutable
Submitted: 2010-07-24 11:36 UTC Modified: 2010-07-26 11:20 UTC
From: tyra3l at gmail dot com Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.3.3 OS: all
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: tyra3l at gmail dot com
New email:
PHP Version: OS:

 

 [2010-07-24 11:36 UTC] tyra3l at gmail dot com 
Description:
------------
As some closed bug-reports and the "PHP Fatal error:  Cannot re-assign $this" 
states, the $this should be read-only/inmutable  in PHP5.
but with some tricks(variable variables mostly), you can walk-around this 
constraint.
See the Test script.
I don't know the importance of this restriction, and with reflection you can shoot 
you in the leg anyway, so maybe this can be left as is.

Test script:
---------------
<?php

error_reporting(E_ALL);

$var = new StdClass();
$var->foo = 'bar';

//$this = $var; // PHP Fatal error:  Cannot re-assign $this

$GLOBALS['this'] = $var;

var_dump($this);

$var->foo = 'baz';

$foo = 'this';
$$foo = $var;

var_dump($this);

foo($this);

function foo($this){
  //global $this; // PHP Fatal error:  Cannot re-assign $this
  // $this = $GLOBALS['var']; // PHP Fatal error:  Cannot re-assign $this
  var_dump($this);
  $GLOBALS['this']->foo = 'baw';
  $$GLOBALS['foo'] = $GLOBALS['this'];
  var_dump($this);
}


Expected result:
----------------
PHP Fatal error:  Cannot re-assign $this
for every attempt to overwrite $this

Actual result:
--------------
you can set $this in the global scope through $GLOBALS, with argument in 
functions, and with variable variables in everywhere.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-25 18:39 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2010-07-25 18:39 UTC] johannes@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

We prevent from mistakes, we don't prevent people from hurting them purposely. If you want you can shoot yourself in your head.
 [2010-07-25 18:50 UTC] tyra3l at gmail dot com 
Thanks for the clarification.

Did I something wrong in the report, or you just copypasted the "Thank you for 
taking the time to write to us..." part of your comment?

Maybe it would be a good thing to add this conclusion to the documentation 
(reassigning this isn't allowed, because ..., if you try it, it will give you an 
error "Cannot re-assign this..." [if you really need this, you can do...])

Tyrael
 [2010-07-26 10:32 UTC] dagdamor10 at mail dot ru 
>> If you want you can shoot yourself in your head.

Okay, that was plain rude.

PHP *should* protect websites from possible exploits, what about abolishing everything related to safe_mode, allowed paths and such? To make a good site, people need good programming language... and good programming language should be accurate in range-checking, resource-protecting etc, instead of leaving all that to every programmer who decide to use it.
 [2010-07-26 10:51 UTC] tyra3l at gmail dot com 
"what about abolishing everything related to safe_mode"
safe_mode has been DEPRECATED as of PHP 5.3.0. and will be removed with the next 
major php version.

Tyrael
 [2010-07-26 11:20 UTC] degeberg@php.net 
@dagdamor10: This has nothing to do with exploits at all. It poses no security risk being able to modify the $this variable by circumventing the simple check that is implemented.
 [2010-07-26 11:30 UTC] tyra3l at gmail dot com 
There was some reason for this check to be placed.
My problem with this behaviour that the 
$bar = 'baz';
should work the same as 
$foo='bar';$$foo = 'baz'; 
and same for the $foo vs $GLOBALS['foo']

Tyrael
 [2012-02-24 15:15 UTC] stelian dot mocanita at gmail dot com 
I strongly disagree with this not being a bug. I came across some old code where 
I had $this->object out of a class context and it took me a lot of hours to 
track and still did not get to the bottom of it.

More than that, this is lacking consistency. It can't allow me to assign a value 
to $this using globals / variable variables and not allow me to assign it a 
value otherwise.

As far as I see it it's either: $this can be overwritten by any assignation 
method in php or it can't be overwritten at all. Allowing people to shoot 
themselves is a bad practice and it leads to shooting someone.

Thank you,
Stelian
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun May 05 21:01:30 2024 UTC