Why are private variables in an object “visible” from the outside world?

Question

Why are private variables in an object “visible” from the outside world?

In this example:

class Database { private $host, $database, $username, $password, $type; public $active_connection; //Some methods } class Page { private $db; public function __construct($id) { // Some code $this->db = new Database($id); } //Some Methods } $page = new Page(0); var_dump($page);

This will lead to the issuance of private variables of the database object, although they are marked as private (and, as I understand it, unsuitable for the outside world).

My questions:

Is this a security risk?
Is there a way to effectively hide these variables marked as private?

early

EDIT: In this project, the admin section will provide the ability to create your own PHP scripts for inclusion in the site as sections. Since this is being developed by a third-party organization, my concern is that for some reason, the customer unintentionally unloads the $ page object (which in our code is the main modifiable object) in order to "examine" it.

+4

object php class

Tivie Oct 24 '11 at 23:13

source share

7 answers

Encapsulation is an architectural mechanism, not a security measure and cannot be used as such.

How exactly would an attacker use this security risk? It is available only from source code, so it can also read the source code for your protected class or any other source code in the project.

In addition, even in C ++, you can access private members by preparing a pointer with the correct offset to the object.

+6

Leonid Shevtsov Oct 24 '11 at 23:24

source share

The new magic method __ debugInfo () was introduced in PHP 5.6 , which will allow you to change the default behavior of var_dump () when dumping your objects.

See the documentation .

Example:

 <?php class C { private $prop; public function __construct($val) { $this->prop = $val; } public function __debugInfo() { return [ 'propSquared' => $this->prop ** 2, ]; } } var_dump(new C(42)); ?>

Return:

 object(C)#1 (1) { ["propSquared"]=> int(1764) }

Although this question is 3 years old, I am sure that someone will find it useful in the future.

+4

Dušan brejka Sep 23 '14 at 9:54

source share

var_dump intended for the developer to track and debug code. From the doc:

In PHP 5, all public, private, and protected properties of objects will be returned to the output file.

+2

Tom Oct 24 '11 at 23:24

source share

This is the documented behavior for var_dump (as well as with print_r and var_export ). This is intended to gain visibility in your working code; for example, when debugging it, you would like to know the meaning of private variables.

You can block the output using the output control functions or use var_export if you need to use the contents of a private variable in another class. This will be an unusual situation: in any case, you are most likely to use a public variable. If you were developing some kind of test suite that was supposed to check the contents of private variables, this would be your answer.

+1

Mike Oct 24 '11 at 23:27

source share

I know this is an old question, but I would like to point out a (sufficiently) effective means of masking a variable;

You can create a function inside the class in which the static variables are located; If you have a variable that you really need to hide from the system itself, save it in a static function variable. While this function is private to the class, it becomes very difficult to look inside. Good. if for some reason your server uploads values to userland and you cannot control it.

But, as TimDev said: if you do not trust the code you are running, this is a sign that you have several security problems. Even if you have a plug-in project with potential cyber-attackers, you simply cannot protect yourself in this environment. It will be up to the administrator who installs these security plugins.

+1

Kver Nov 07 '12 at 20:46

source share

Check out __debugInfo() magic method in the PHP manual on how to hide sensitive data from stacks (added in PHP 5.6.0). Here is an example:

 class PDO_Database { private $db_user = 'my_user'; private $db_password = 'my_password'; /** * The purpose of this method is to hide sensitive data from stack traces. * * @return array */ public function __debugInfo() { $properties = get_object_vars($this); $hidden = [ 'db_user' => '***', 'db_password' => '***', ]; return $hidden + $properties; } }

0

Krzysztof Przygoda Mar 27 '17 at 16:34

source share

timdev · Accepted Answer · 2011-10-24T23:25:55+0000

var_dump () shows them because it is special. You can also delve into private / protected properties using the Reflection API .

echo $ object → _ somePrivateVar;

On the other hand, _somePrivateVar will not be exposed.

1) Is this a security issue? It's my pleasure. If you do not trust the code that you are executing, you are largely deceived.

2) Hide them from what? They are already hidden according to the rules for data visibility in the class system. But the language is dynamic and provides some other ways to look inside. As Leonid said in his answer, this is an architectural mechanism, not a security function.

Why are private variables in an object “visible” from the outside world?

More articles: