I was working on my application and discovered strange behaviour of methods that called statically but not defined as static that extends same class. Eventually this methods can access and alter caller protected variables and methods. Here is example of my code:
<?php
class object
{
private $version;
protected $alteredBy = 'nobody';
public function __construct()
{
$this->version = PHP_VERSION;
$this->objectName = get_class($this);
echo sprintf("<pre><strong>New %s Created</strong>", $this->objectName);
}
public function __destruct()
{
echo sprintf("</pre><strong>Source Code</strong><div>%s</div>", highlight_file(__FILE__, true));
}
}
class superApplication extends object
{
public function __toString()
{
echo "\nCalling third party object statically like thirdParty::method()\n";
echo thirdParty::method();
echo "\nCalling third party object statically via call_user_func()\n";
echo call_user_func(array('thirdParty','method'));
echo sprintf("New Object params\n%s", print_r($this, true));
return sprintf("%s: done\n", $this->objectName);
}
}
class thirdParty extends object
{
public function method()
{
if(is_object($this))
{
$this->alteredBy = __CLASS__;
return sprintf(
"<span style=\"color:red\">Object '%s' was altered successfully by %s class</span>\n",
get_class($this),
__CLASS__
);
}
else return "Cannot access caller object\n\n";
}
}
print new superApplication;
?>
This behaviour is not documented, so I'm wondering is it bug or feature and could it lead to security issues?
UPDATE. I'm aware that $this is not allowed inside static methods and this behaviour appeared on php version 5.2.11