Given this example:

    class Database
    {
        private $host,
                $database,
                $username,
                $password,
                $type;
        public $active_connection;
        //Some methods
    }

    class Page
    {
        private $db;

        public function __construct($id)
        {
            // Some code
            $this->db = new Database($id);
        }
        //Some Methods
    }

    $page = new Page(0);
    var_dump($page);

This will output the private variables of Database Object, even though they are marked as private (and so, as I understand it, unusable by the outside world).
My questions are:
- Is this a security risk?
- Is there a way to effectively hide those variables marked as private?
Thanks in advance.
EDIT:
In this project, the admin section will provide the ability to create custom PHP scripts to incorporate in the site, as sections. Since this is being developed for a third-party entity, my concern is that, for some reason, the customer inadvertently dumps the $page object (which is, in our code, the main modifiable object) in order to “explore” it.
var_dump() shows them, because it’s special. You can also dig around in private/protected properties using the Reflection API.

    echo $object->_somePrivateVar;

On the other hand, will not expose _somePrivateVar.
1) Is it a security issue? Not at all. If you don’t trust the code you’re executing, you’re pretty much boned.
2) Hide them from what? They’re already hidden according to the data-visibility rules of the class system. But the language is dynamic, and provides some other ways to peek inside. As Leonid just said in his answer, this is an architectural mechanism, not a security feature.
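
An added example, not part of the original question or answer, showing the behaviours discussed above on PHP 7 or later: a `__debugInfo()` method limits what `var_dump()` prints for an accidental dump, direct access still fails, and Reflection still reads the real value. The class bodies and credential values are constructed placeholders.

```php
<?php
// Added example. Class bodies and credential values are constructed placeholders.
class Database
{
    private $host = 'db.example.internal';
    private $password = 'placeholder-secret';
    public $active_connection = null;

    // var_dump() calls this (PHP 5.6+) instead of listing every property,
    // so an accidental dump no longer prints the credential.
    public function __debugInfo()
    {
        return [
            'host' => $this->host,
            'password' => '[redacted]',
            'active_connection' => $this->active_connection,
        ];
    }
}

class Page
{
    private $db;

    public function __construct()
    {
        $this->db = new Database();
    }
}

$page = new Page();

// 1. The dump of the main object shows the redacted view of the nested Database.
var_dump($page);

// 2. Ordinary property access still obeys visibility and throws an Error.
try {
    echo $page->db;
} catch (Error $e) {
    echo 'direct access: ', $e->getMessage(), "\n";
}

// 3. Reflection reads the real value regardless of __debugInfo(): visibility
//    and dump redaction are not a boundary against code running in-process.
$prop = new ReflectionProperty(Database::class, 'password');
if (PHP_VERSION_ID < 80100) {
    $prop->setAccessible(true); // needed before PHP 8.1
}
echo 'reflection: ', $prop->getValue(new Database()), "\n";
```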