 ID:               39118
 Updated by:       [EMAIL PROTECTED]
 Reported By:      steve at mountainmedia dot com
 Status:           Bogus
 Bug Type:         Class/Object related
 Operating System: Fedora Core 4/Linux 2.6.14.3
 PHP Version:      5.1.6
 New Comment:

Why don't you simply disable these functions?


Previous Comments:
------------------------------------------------------------------------

[2006-10-10 18:19:03] steve at mountainmedia dot com

"print_r(), var_dump() and var_export() will also show protected and private properties of objects with PHP 5."

Can this behavior be disabled? A new feature perhaps?

------------------------------------------------------------------------

[2006-10-10 16:47:59] [EMAIL PROTECTED]

http://php.net/print_r

------------------------------------------------------------------------

[2006-10-10 16:40:16] steve at mountainmedia dot com

"The visibility of a property or method can be defined by prefixing the declaration with the keywords: public, protected or private. Public declared items can be accessed everywhere. Protected limits access to inherited and parent classes (and to the class that defines the item). Private limits visibility only to the class that defines the item."

How do you see this as not a bug considering that last statement in the documentation on Visibility in PHP 5 Classes (see http://us2.php.net/manual/en/language.oop5.visibility.php). This is either a bug or bad documentation. In all logic and understanding, the visibility of a private property should be hidden from any functions such as print_r, overriding the purpose of print_r.

------------------------------------------------------------------------

[2006-10-10 16:22:07] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

------------------------------------------------------------------------

[2006-10-10 16:11:15] steve at mountainmedia dot com

Description:
------------
Private variables are accessible to the print_r function outside of the object.

Even if one cannot access the variable directly, one could easily parse the output of print_r to grab private data from an object.

Reproduce code:
---------------
<?
class Example {
    private $secret = "My secret";
    public $notsecret = "Not my secret";
}

$ex = new Example;
$x = print_r ($ex, true);
print $x;
?>

Expected result:
----------------
I expected the private members to be invisible or replaced with something to indicate the lack of access such as <Private>.

Actual result:
--------------
Example Object
(
    [secret:private] => My secret
    [notsecret] => Not my secret
)

Private variables are displayed and data is stored in the string variable $x which one could easily parse to get the value of secret:private.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=39118&edit=1
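
Added example, not part of the bug thread and not PHP project code: on PHP 5.6 and later (newer than the 5.1.6 in this report) a class can define __debugInfo() to control what print_r() and var_dump() display, which yields the <Private> placeholder the reporter asked for. var_export() does not consult that method, so the script checks all three functions named in the thread. The leaks() and capture_var_dump() helpers are hypothetical names introduced here.

```php
<?php
// Added illustration; requires PHP 5.6+ for __debugInfo().
class Example
{
    private $secret = "My secret";
    public $notsecret = "Not my secret";

    // Consulted by print_r() and var_dump() when they dump this object.
    // Returns the view of the object that debug output is allowed to show.
    public function __debugInfo()
    {
        return array(
            'secret'    => '<Private>',
            'notsecret' => $this->notsecret,
        );
    }
}

// Hypothetical helper: true if the dumped text contains the secret value.
function leaks($text)
{
    return strpos($text, 'My secret') !== false;
}

// Hypothetical helper: var_dump() only prints, so capture it with a buffer.
function capture_var_dump($value)
{
    ob_start();
    var_dump($value);
    return ob_get_clean();
}

$ex = new Example;

$results = array(
    'print_r'    => leaks(print_r($ex, true)),
    'var_dump'   => leaks(capture_var_dump($ex)),
    // var_export() serialises the real properties and ignores __debugInfo(),
    // so the private value still appears in its output.
    'var_export' => leaks(var_export($ex, true)),
);

foreach ($results as $function => $leaked) {
    printf("%-10s %s\n", $function, $leaked ? 'shows the secret' : 'redacted');
}
```

The redaction only shapes debug output. Visibility keywords remain an encapsulation feature rather than a confidentiality control, so values that must stay secret from code running in the same process should not be held in object properties at all.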