php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #70088 is_callable() doesn't check if a class/method syntax is valid
Submitted: 2015-07-16 12:53 UTC Modified: 2015-07-16 15:59 UTC
From: olivier dot laviale at gmail dot com Assigned:
Status: Open Package: Variables related
PHP Version: 5.6.11 OS: MacOS, Linux
Private report: No CVE-ID: None
 [2015-07-16 12:53 UTC] olivier dot laviale at gmail dot com
Description:
------------
is_callable(), with _syntax_only_ activated, only checks the type of the argument, not the actual syntax. For example "+{^not&a*callable}" is considered a callable just because it is a string.

I saw this bug report: https://bugs.php.net/bug.php?id=64185&edit=2, and I get it for class names, but what about function/method names? "+{^not&a*callable}" is definitely not a callable, or the parameter "syntax_only" is incredibly misleading.

Test script:
---------------
var_dump(is_callable('+{^not&a*callable}', true, $callable_name));
var_dump($callable_name);
var_dump(is_callable(123, true));
var_dump(is_callable("123", true));
var_dump(is_callable([ "1", "2" ], true));

Expected result:
----------------
`"+{^not&a*callable}"` shouldn't be considred as a callable, neither should `[ "1", "2" ]`.

bool(false)
null
bool(false)
bool(false)
bool(false)

Actual result:
--------------
bool(true)
string(18) "+{^not&a*callable}"
bool(false)
bool(true)
bool(true)


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-16 13:33 UTC] ab@php.net
Maybe it could be improved if we check whether an object has __call() defined. But if it has __call() - there's no chance to know exactly what is callable, say this would work $obj->{"+{^not&a*callable}"}();. But I'd rather tend to say it is not a bug.

Thanks.
 [2015-07-16 13:50 UTC] olivier dot laviale at gmail dot com
Yes, you can invoke methods with invalid names if __call() is implemented, I don't think it's right, but that's a fact. My point is that the following code should return `false`:

var_dump(is_callable('+{^not&a*callable}', true, $callable_name));

Unless '+{^not&a*callable}' is a valid function name.

Also, I strongly believe that "syntax_only" is misleading. This is not syntax check, this is type check: a string, or an array with two values.
 [2015-07-16 15:59 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem -Package: Scripting Engine problem +Package: Variables related
 [2015-07-16 15:59 UTC] cmb@php.net
> Unless '+{^not&a*callable}' is a valid function name.

Well, this is a valid function name, e.g.

    $func = '+{^not&a*callable}';
    runkit_function_copy('strlen', $func);
    $func('foo'); // => 3
    is_callable($func, false); // => true
    
If is_callable($func, false) may return true, is_callable($func,
true) should never return false.

> Also, I strongly believe that "syntax_only" is misleading.

ACK. Therefore I'm changing to doc bug.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC