ID: 39118
Comment by: sup at sags-per-mail dot de
Reported by: steve at mountainmedia dot com
Summary: Private members accessible to print_r
Status: Not a bug
Type: Bug
Package: Class/Object related
Operating System: Fedora Core 4/Linux 2.6.14.3
PHP Version: 5.1.6
New Comment:
It is possible to prevent the output of sensitive private data by creating an
anonymous function, but the object is not serializable anymore.
This should work with PHP 4 >= 4.0.1 and PHP 5 (based on the documentation of
the used functions).
code:
-----
<?php
class Credentials {
    private $_user;
    private $_password;

    function __construct($user, $password) {
        $this->_user = $user;
        // base64 to make sure the password is safe inside the single-quoted
        // literal of the generated function body (the base64 alphabet has no
        // quotes or backslashes, so nothing needs escaping)
        $base64 = base64_encode($password);
        $function = "return base64_decode('" . $base64 . "');";
        // create_function() returns only the generated function's name
        // ("\0lambda_N"), so that name is all the dump functions get to see.
        // Note: create_function() was deprecated in PHP 7.2 and removed in 8.0.
        $this->_password = create_function("", $function);
    }

    public function getUser() {
        return $this->_user;
    }

    public function getPassword() {
        // resolve the real secret only on demand
        return call_user_func($this->_password);
    }
}

$credentials = new Credentials("theUserName", "thePassKey");
echo "\n\nprint_r:\n";
print_r($credentials);
echo "\n\nvar_dump:\n";
var_dump($credentials);
echo "\n\nvar_export:\n";
var_export($credentials);
output:
-----
print_r:
Credentials Object
(
[_user:Credentials:private] => theUserName
[_password:Credentials:private] => lambda_1
)
var_dump:
object(Credentials)#1 (2) {
["_user":"Credentials":private]=>
string(11) "theUserName"
["_password":"Credentials":private]=>
string(9) "lambda_1"
}
var_export:
Credentials::__set_state(array(
'_user' => 'theUserName',
'_password' => '' . "\0" . 'lambda_1',
))
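An added example, not part of this report or any of its comments: the same goal (keeping a secret out of print_r()/var_dump() output) done with the __debugInfo() hook that PHP 5.6 introduced. print_r() and var_dump() read an object's debug-info table, which __debugInfo() overrides, so the object stays a plain serializable value instead of holding a lambda name. The class name Credentials is reused from the comment above; the rest (the marker string, the sample values, the checks) is constructed for this illustration. The checks at the bottom also show what the hook does not cover: var_export(), array casts and serialize() still read the real property table, so this is log hygiene, not protection.

```php
<?php
// Added example (not from the bug report): redact a private property from
// print_r()/var_dump() via __debugInfo() (PHP >= 5.6) and show exactly
// which other paths still expose it.

final class Credentials
{
    private $_user;
    private $_password;

    public function __construct($user, $password)
    {
        $this->_user = $user;
        $this->_password = $password;   // stored as-is, so serialize() works
    }

    public function getUser()
    {
        return $this->_user;
    }

    public function getPassword()
    {
        return $this->_password;
    }

    // var_dump() and print_r() call this instead of reading the property
    // table, so the secret never reaches a debug dump or a log line.
    public function __debugInfo()
    {
        return array(
            '_user'     => $this->_user,
            '_password' => '[redacted]',   // fixed marker, assumed here
        );
    }
}

// Sample values are constructed for this example.
$c = new Credentials('theUserName', 'thePassKey');

// 1. print_r()/var_dump() go through __debugInfo(): the secret is gone.
$printed = print_r($c, true);
assert(strpos($printed, 'thePassKey') === false);
assert(strpos($printed, '[redacted]') !== false);

ob_start();
var_dump($c);
$dumped = ob_get_clean();
assert(strpos($dumped, 'thePassKey') === false);

// 2. var_export() does NOT use __debugInfo(); it reads the real properties.
$exported = var_export($c, true);
assert(strpos($exported, 'thePassKey') !== false);

// 3. Neither does an array cast (key is "\0Credentials\0_password") ...
$asArray = (array) $c;
assert(in_array('thePassKey', $asArray, true));

// 4. ... nor serialize(): the round-trip keeps the real value, which is
//    what makes this approach usable where the create_function() trick
//    is not, but also means the secret is in any serialized copy.
$copy = unserialize(serialize($c));
assert($copy->getPassword() === 'thePassKey');

echo "print_r:\n", $printed, "\n";
echo "var_export:\n", $exported, "\n";
echo "all checks passed\n";
```

Run with `php example.php` (assertions are on by default for the CLI without an ini file; set `zend.assertions=1` otherwise). If a dump of the object must never leave the process, the checks above are the list of functions to grep the code base for, since __debugInfo() only covers the first two.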
Previous Comments:
------------------------------------------------------------------------
[2011-05-29 08:51:50] [email protected]
There are many ways to get at private methods and properties. One of which is
simply looking at the source code. PHP is not a compiled language. The
visibility feature is simply a runtime hint, it is not meant in any way to
protect the code, and debugging functions such as var_dump and print_r are
going to show the full objects.
------------------------------------------------------------------------
[2011-05-29 08:41:08] x at x dot com
Please, this is silly. Private and protected variables should be just that.
------------------------------------------------------------------------
[2006-10-11 18:56:59] [email protected]
Why don't you simply disable these functions?
------------------------------------------------------------------------
[2006-10-10 18:19:03] steve at mountainmedia dot com
"print_r(), var_dump() and var_export() will also show protected and private
properties of objects with PHP 5."
Can this behavior be disabled? A new feature perhaps?
------------------------------------------------------------------------
[2006-10-10 16:47:59] [email protected]
http://php.net/print_r
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=39118