php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52685 Getting value from private/protected atribute.
Submitted: 2010-08-24 12:13 UTC Modified: 2010-08-24 12:17 UTC
From: junior_xkr at hotmail dot com Assigned:
Status: Not a bug Package: Class/Object related
PHP Version: Irrelevant OS: Windows
Private report: No CVE-ID: None
 [2010-08-24 12:13 UTC] junior_xkr at hotmail dot com
Description:
------------
Using the function print_r(), you can view content of an class attribute:

class Object
(
    [attribute:private] => value
    [fvox:protected] => synyster
)

But, if you try to access outside of class, the script will throw an exception:
$fx = new fvox;
echo $fx->synyster;

Result:
Fatal error: Cannot access private property class::$fvox in ...

I don't know if it's really a bug, but i think it isn't safe.

Test script:
---------------
<?
class fvox {
	private $synyster = 'invaders';
	protected $fx = 'junior';
}
function getVars($class){
	eval('$of = new '.$class);
	ob_start();
	print_r($of);
	$buf = ob_get_contents();
	ob_end_clean();
	preg_match_all('/\[([^:]+):(private|protected)]/i', $buf, $vars);
	preg_match_all('/=> (.+)/i', $buf, $values);
	$r = array();
	for($i=0;$i<count($vars[1]);$i++)
		$r[$vars[1][$i]] = $values[1][$i];
	return $r;
}
print_r(getVars('fvox();'));
?>

Expected result:
----------------
Array
(
)


Actual result:
--------------
Array
(
    [synyster] => invaders
    [fx] => junior
)


Patches

print_r (last revision 2010-08-24 10:17 UTC by junior_xkr at hotmail dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-08-24 12:17 UTC] aharvey@php.net
-Status: Open +Status: Bogus
 [2010-08-24 12:17 UTC] aharvey@php.net
This is by design: protected and private aren't security measures, nor are they intended to be.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 01 01:01:28 2024 UTC