Implications of Instantiating Objects with Dynamic Variables in PHP

Question

What are the performance, security, or "other" implications of using the following form to declare a new class instance in PHP

<?php
    $class_name = 'SomeClassName';
    $object = new $class_name;
?>

This is a contrived example, but I've seen this form used in Factories (OOP) to avoid having a big if/switch statement.

Problems that come immediately to mind are

1. You lose the ability to pass arguments into a constructor (LIES. Thanks Jeremy)
2. Smells like eval(), with all the security concerns it brings to the table (but not necessarily the performance concerns?)

What other implications are there, or what search engine terms other than "Rank PHP Hackery" can someone use to research this?

Answer 1

It looks you can still pass arguments to the constructor, here's my test code:

<?php

class Test {
    function __construct($x) {
     echo $x;
    }
}

$class = 'Test';
$object = new $class('test'); // echoes "test"

?>

That is what you meant, right?

So the only other problem you mentioned and that I can think of is the security of it, but it shouldn't be too difficult to make it secure, and it's obviously a lot more secure than using eval().

Answer 2

Thanks Jeremy, it seems obvious there's also some additional performance overhead going on, but the internals of PHP are beyond me.

Answer 3

I'm just guessing here, but it probably breaks IDE code completion.

Have you benchmarked for a performance difference?

Answer 4

There may indeed be a performance hit for having to resolve the name of the variable before looking up the class definition. But, without declaring classes dynamically you have no real way to do "dyanmic" or "meta" programming. You would not be able to write code generation programs or anything like a domain-specific language construct.

We use this convention all over the place in some of the core classes of our internal framework to make the URL to controller mappings work. I have also seen it in many commercial open source applications (I'll try and dig for an example and post it). Anyway, the point of my answer is that it seems well worth what is probably a slight performance decrease if it makes more flexible, dynamic code.

The other trade-off that I should mention, though, is that performance aside, it does make the code slightly less obvious and readable unless you are very careful with your variable names. Most code is written once, and re-read and modified many times, so readability is important.

Answer 5

@Sam: I can't deny its usefulness, but it seems like something that could have significant performance repercussions down the line. If you're using a variable to declare a class that means everything is happening at run-time, which I assume means you'll see less of a performance increase from using byte-code compilers.

@Gary: If I'd benchmarked it, I wouldn't be asking. :) Unless you're well versed in the Computer Science behind PHP (which I'm not) you're not going to be able come up with meaningful benchmarks. Put another way, I know enough to know I don't know enough to reasonably answer this question.

Answer 6

One of the issues with the resolving at run time is that you make it really hard for the opcode caches (like APC). Still, for now, doing something like you describe in your question is a valid way if you need a certain amount of indirection when instanciating stuff.

As long as you don't do something like

$classname = 'SomeClassName';
for ($x = 0; $x < 100000; $x++){
  $object = new $classname;
}

you are probably fine :-)

(my point being: Dynamically looking up a class here and then doesn't hurt. If you do it often, it will).

Also, be sure that $classname can never be set from the outside - you'd want to have some control over what exact class you will be instantiating.

Answer 7

I use dynamic instantiation in my custom framework. My application controller needs to instantiate a sub-controller based on the request, and it would be simply ridiculous to use a gigantic, ever-changing switch statement to manage the loading of those controllers. As a result, I can add controller after controller to my application without having to modify the app controller to call them. As long as my URIs adhere to the conventions of my framework, the app controller can use them without having to know anything until runtime.

I'm using this framework in a production shopping cart application right now, and the performance is quite favorable, too. That being said, I'm only using the dynamic class selection in one or two spots in the whole app. I wonder in what circumstances you would need to use it frequently, and whether or not those situations are ones that are suffering from a programmer's desire to over-abstract the application (I've been guilty of this before).

Answer 8

Alan, there's nothing wrong with dynamic class initialisation. This technique is present also in Java language, where one can convert string to class using Class.forClass('classname') method. It is also quite handy to defer algorithm complexity to several classes instead of having list of if-conditions. Dynamic class names are especially well suited in situations where you want your code to remain open for extension without the need for modifications.

I myself often use different classes in conjunction with database tables. In one column I keep class name that will be used to handle the record. This gives me great power of adding new types of records and handle them in unique way without changing a single byte in existing code.

You shouldn't be concerned about the performance. It has almost no overhead and objects themselves are super fast in PHP. If you need to spawn thousands of identical objects, use Flyweight design pattern to reduce memory footprint. Especially, you should not sacrifice your time as a developer just to save milliseconds on server. Also op-code optimisers work seamlessly with this technique. Scripts compiled with Zend Optimizer did not misbehave.

Answer 9

I would add that you can also instanciate it with a dynamic number of parameters using :

<?php

$class = "Test";
$args = array('a', 'b');
$ref = new ReflectionClass($class);
$instance = $ref->newInstanceArgs($args);

?>

But of course you add some more overhead by doing this.

About the security issue I don't think it matters much, at least it's nothing compared to eval(). In the worst case the wrong class gets instanciated, of course this is a potential security breach but much harder to exploit, and it's easy to filter using an array of allowed classes, if you really need user input to define the class name.

Answer 10

One problem is that you can't address static members like that, for instance

<?php
$className = 'ClassName';

$className::someStaticMethod(); //doesn't work
?>

Answer 11

@coldFlame As far as I know that will work starting from PHP5.3

Answer 12

@coldFlame: IIRC you can use call_user_func(array($className, 'someStaticMethod') and call_user_func_array() to pass params

Answer 13

class Test {
    function testExt() {
    print 'hello from testExt :P';
    }
    function test2Ext()
    {
    print 'hi from test2Ext :)';
    }
}


$class = 'Test';
$method_1 = "testExt";
$method_2 = "test2Ext";
$object = new $class(); // echoes "test"
$object->{$method_2}(); // will print 'hi from test2Ext :)'
$object->{$method_1}(); // will print 'hello from testExt :P';

this trick works in both php4 and php5 :D enjoy..