You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Visibilities in PHP are not strongly enforced. According to php.net:
Objects of the same type will have access to each others private and protected members even though they are not the same instances. This is because the implementation specific details are already known when inside those objects.
This means that a private method is not actually private when called from another instance of the same object.
This sort of behavior is possible:
class PrivateTests{
privatestring$secret;
privatefunctionprivateMethod(): void {echo$this->secret;}
publicfunction__construct(string$secret){
$this->secret = $secret;
}
publicfunctionproxyByParam(PrivateTests$a): void {
$a->privateMethod(); //This is a call to a private method from outside the instance
}
}
$first_secret_key = newPrivateTests('first_secret_key');
$second_secret_key = newPrivateTests('second_secret_key');
$first_secret_key->proxyByParam($second_secret_key);
This call to $first_secret_key instance will actually call a private method on $second_secret_key and display the value of the private attribute of $second_secret_key
This plugins intends to fill those holes in PHP visibility checks
About
A Psalm plugin to detect calling private or protected method via proxy
