静态方法可以访问调用者对象、错误或功能吗?
我正在开发我的应用程序,发现静态调用但未定义为扩展同一类的静态方法的奇怪行为。最终,该方法可以访问和更改调用者受保护的变量和方法。 这是我的代码示例:
<?php
class object
{
private $version;
protected $alteredBy = 'nobody';
public function __construct()
{
$this->version = PHP_VERSION;
$this->objectName = get_class($this);
echo sprintf("<pre><strong>New %s Created</strong>", $this->objectName);
}
public function __destruct()
{
echo sprintf("</pre><strong>Source Code</strong><div>%s</div>", highlight_file(__FILE__, true));
}
}
class superApplication extends object
{
public function __toString()
{
echo "\nCalling third party object statically like thirdParty::method()\n";
echo thirdParty::method();
echo "\nCalling third party object statically via call_user_func()\n";
echo call_user_func(array('thirdParty','method'));
echo sprintf("New Object params\n%s", print_r($this, true));
return sprintf("%s: done\n", $this->objectName);
}
}
class thirdParty extends object
{
public function method()
{
if(is_object($this))
{
$this->alteredBy = __CLASS__;
return sprintf(
"<span style=\"color:red\">Object '%s' was altered successfully by %s class</span>\n",
get_class($this),
__CLASS__
);
}
else return "Cannot access caller object\n\n";
}
}
print new superApplication;
?>
此行为没有记录,所以我想知道它是错误还是功能,是否会导致安全问题?
更新。 我知道静态方法中不允许使用 $this 并且此行为出现在 php 版本 5.2.11 上
I was working on my application and discovered strange behaviour of methods that called statically but not defined as static that extends same class. Eventually this methods can access and alter caller protected variables and methods.
Here is example of my code:
<?php
class object
{
private $version;
protected $alteredBy = 'nobody';
public function __construct()
{
$this->version = PHP_VERSION;
$this->objectName = get_class($this);
echo sprintf("<pre><strong>New %s Created</strong>", $this->objectName);
}
public function __destruct()
{
echo sprintf("</pre><strong>Source Code</strong><div>%s</div>", highlight_file(__FILE__, true));
}
}
class superApplication extends object
{
public function __toString()
{
echo "\nCalling third party object statically like thirdParty::method()\n";
echo thirdParty::method();
echo "\nCalling third party object statically via call_user_func()\n";
echo call_user_func(array('thirdParty','method'));
echo sprintf("New Object params\n%s", print_r($this, true));
return sprintf("%s: done\n", $this->objectName);
}
}
class thirdParty extends object
{
public function method()
{
if(is_object($this))
{
$this->alteredBy = __CLASS__;
return sprintf(
"<span style=\"color:red\">Object '%s' was altered successfully by %s class</span>\n",
get_class($this),
__CLASS__
);
}
else return "Cannot access caller object\n\n";
}
}
print new superApplication;
?>
This behaviour is not documented, so I'm wondering is it bug or feature and could it lead to security issues?
UPDATE.
I'm aware that $this is not allowed inside static methods and this behaviour appeared on php version 5.2.11
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
考虑 PHP 5.3 中的这个例子:
输出是:
发生的情况是
C::test()的$this指针被假定为$this来自new B()实例。因此它的作用就像 B 的成员函数,但具有 C 的访问权限。它只能访问
A中的受保护变量和公共变量以及B中的公共变量。请注意,在调用
C::test()之前,$this->a触发了一个通知。调用后,它不再这样做,因为变量是在调用中创建的。但A的私有变量在任何时候都不可访问。所以是的,严格来说,这在 PHP 5.3 中被认为是无效的。即使早期版本允许您在没有警告的情况下执行此操作(我没有检查或研究),您也不应该依赖这种行为,因为这显然是对 OOP 的滥用。
Consider this example in PHP 5.3:
The output is:
What happens is that
C::test()'s$thispointer is assumed to be the$thisfrom thenew B()instance. So it is acting like a member function of B, but with C's access.It can only access the protected and public variables from
Aand the public variables fromB.Note that before the call to
C::test(),$this->atriggered a notice. After the call, it no longer did, because the variable was created within the call. But at no point wereA's private variables accessible.So yes, this is strictly speaking, considered to be invalid in PHP 5.3. And even if earlier versions let you do this without warning (I didn't check or research that), you should never rely on that behavior as it is obviously an abuse of OOP.