-- Jan Pieper <[EMAIL PROTECTED]> wrote (on Thursday, 08 February 2007, 09:30 PM +0100):

You are right but the content of a private property will be manipulated and I think it is the same if you change a private property directly or the content of it. You are changing its state.

Even in the example shown in the bug, you still can't manipulate the property via direct access. The example shows this:

    class Foobar
    {
        private $oObject;

        public function __construct()
        {
            $this->oObject = new stdClass;
        }
    }

    $oFoobar = new Foobar;
    $aProperties = (array)$oFoobar;

    foreach ($aProperties as $mProperty) {
        if (is_object($mProperty) && ($mProperty instanceof stdClass)) {
            $mProperty->blaaa = 'fooo';
        }
    }

While this has the side-effect of modifying the object in Foobar::$oObject, you cannot do any of the following:

    echo $oFoobar->oObject->blaaa;
    $oFoobar->oObject->blaaa = 'bar';

Furthermore, if you are storing non-object data in a property, the example fails anyways -- the data in the object is not modified. The kind of introspection shown is actually pretty useful, as you can use it in testing to ensure that certain properties are being updated, even if they have no public accessors.

Hmm, the bug report doesn't try changing a private property. It changes the public properties of the StdClass. StdClass's properties are always public.

Am I missing something?

Andriesss

Thomas Weidner wrote:

Hi,

a friend of mine asked me why someone can change private and protected properties from a class within PHP.

From my understanding of OOP and class handling a private property must not be changed or visible from outside the class. And protected properties should only be visible and changeable from the own or an extended class.

This was the reason why I was wondering as my friend showed me how to access and change private properties...

He also made an entry within bugs.php.net but the PHP developers said this is no bug but a feature and closed the issue.

http://bugs.php.net/bug.php?id=40402

So I would like to ask the community what do you think...

Changing and accessing private properties from everywhere outside the class object ??

Is this normal behaviour ?? Was my prof at the university wrong with standard OOP definitions ??

Greetings
Thomas

Okay, it is no security lack, and you cannot manipulate non-object
properties, but it also shouldn't be possible to change the state of a
private property containing an object. It is very abstract but there is
the possibility to manipulate the object and I think it is an error. You
must not have the chance to change the state of any protected or private
property from outside the class.
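
The behaviour discussed in this thread, as an added example that is not part of the original messages: the `(array)` cast exposes non-public properties under NUL-prefixed keys, scalar values come back as copies, and objects come back as shared handles. `$iCounter`, `increment()` and the helper `peekProperty()` are hypothetical names introduced for illustration.

```php
<?php
// Added example. Foobar mirrors the class quoted in the thread; $iCounter,
// increment() and peekProperty() are hypothetical additions.
class Foobar
{
    private $oObject;
    private $iCounter = 1;

    public function __construct() { $this->oObject = new stdClass; }
    public function increment() { $this->iCounter++; }
}

// Read a property through the (array) cast. PHP names private keys
// "\0<declaring class>\0<name>" and protected keys "\0*\0<name>".
// Assumes a private property is declared on the object's own class.
function peekProperty($oObject, $sName)
{
    $aProperties = (array) $oObject;
    $aCandidates = array(
        "\0" . get_class($oObject) . "\0" . $sName, // private
        "\0*\0" . $sName,                           // protected
        $sName,                                     // public
    );
    foreach ($aCandidates as $sKey) {
        if (array_key_exists($sKey, $aProperties)) {
            return $aProperties[$sKey];
        }
    }
    throw new InvalidArgumentException("No property named $sName");
}

$oFoobar = new Foobar;
$oFoobar->increment();

// Testing use: check that private state was updated without an accessor.
var_dump(peekProperty($oFoobar, 'iCounter') === 2);

// Scalars in the cast array are copies, so writing to the array
// leaves the object untouched.
$aProperties = (array) $oFoobar;
$aProperties["\0Foobar\0iCounter"] = 99;
var_dump(peekProperty($oFoobar, 'iCounter') === 2);

// Objects are held by handle, so the array entry and the private
// property refer to the same stdClass instance.
peekProperty($oFoobar, 'oObject')->blaaa = 'fooo';
var_dump(peekProperty($oFoobar, 'oObject')->blaaa === 'fooo');
```

A class that must keep an inner object out of reach of such handles can only do so by convention or by handing out clones; visibility keywords restrict access by property name, not access to the object a property points to.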