Broad Network


Variable Variables in PHP and Security Risk

PHP Variables with Security Considerations - Part 2

Foreword: In this part of the series, I talk about variable variables in PHP. At the end of the tutorial, I talk about the related security risk and solution.

By: Chrysanthus Date Published: 17 Oct 2018

Introduction

This is part 2 of my series, PHP Variables with Security Considerations. A variable holds an entity. PHP allows a program (script) to create variables dynamically. You should have read the previous part of the series before coming here, as this is the continuation.

In PHP the author of the program can create a variable as follows:

    $age = 'thirty';

In this statement, the string 'thirty' is the value of the variable $age. The word thirty in the string can itself be made the name of a variable, which will have its own value. You code this as follows:

    $$age = 'for John';

So, you precede the variable whose value is 'thirty' with $. $$age and $thirty now mean the same thing: both hold the same value, while $age still holds the value (string) 'thirty'. Try the following code:

<?php

    $age = 'thirty';
    $$age = 'for John';

    echo $age, '<br>';
    echo $$age, '<br>';
    echo $thirty;

?>

The output is:

    thirty
    for John
    for John

So, from the word thirty in the string value, we have got a variable, $thirty, whose value is the string 'for John'.

Preceding $age with $ is not the only way to make $thirty a variable. You can also do this:

    ${$age} = 'for John';

Try the following code:

<?php

    $age = 'thirty';
    ${$age} = 'for John';

    echo $age, '<br>';
    echo ${$age}, '<br>';
    echo $$age, '<br>';
    echo $thirty;

?>

The output is:

    thirty
    for John
    for John
    for John

So, PHP can convert the string value of a variable to another variable with its own value.

Used in Double Quoted String
Remember that a variable in a double quoted string expands (is replaced by its value). The variable variable also expands. Try the following code:

<?php

    $age = 'thirty';
    $$age = 'for John';

    echo "This money is $thirty.";

?>

The output is:

    This money is for John.

Use for the Array
It can be used for the array in two ways. Try the following code:

<?php

    $arr = array('age' => 'thirty');

    // Braces are needed in PHP 7 and later, where $$arr['age'] is read as ($$arr)['age'].
    ${$arr['age']} = 'for John';

    echo $arr['age'], '<br>';
    echo ${$arr['age']}, '<br>';
    echo $thirty;

?>

The output is:

    thirty
    for John
    for John

The other way uses the key instead of the value: the element's value becomes the name of the new variable, and the key is stored in it, as follows:

<?php

    $ages = array('thirty' => 'for John', 'twenty' => 'for Mary');

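    // Braces are needed in PHP 7 and later, where $$ages['thirty'] is read as ($$ages)['thirty'].
    // The new variable is named 'for John' and holds the key, 'thirty'.
    ${$ages['thirty']} = 'thirty';

    echo $ages['thirty'], '<br>';
    echo '<br>';
    echo ${$ages['thirty']}, '<br>';
    // The key must be quoted: a bare thirty is an undefined constant (an Error in PHP 8).
    echo ${$ages['thirty']}, '<br>';
    echo '<br>';
    echo $ages[${$ages['thirty']}];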

?>

The output is:

    for John

    thirty
    thirty

    for John

Use in OOP
In the following code, the value of a property is made a variable:

<?php

    class Calculator
    {
        public $num;
    }

    $myObject = new Calculator();
    $myObject->num = 'no';

    ${$myObject->num} = 3;

    echo $myObject->num, '<br>';
    echo ${$myObject->num}, '<br>';
    echo $no;

?>

Note the use of the curly brackets. The output is:

    no
    3
    3

The $this Special Variable
$this is a reserved variable, meaning that you do not use it arbitrarily. Do not use $this in the variable variables scheme. If you try it, you may have no result.

Security Risk
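The variable variables scheme allows a program to change which variable a value is assigned to (see details later), because the variable's name is itself taken from a value at run time; normal programming only allows the value of a variable to change. If that name can be influenced from outside the program, a variable the programmer never intended to expose can be created or overwritten. Attackers (hackers) like to take advantage of such a feature.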

Solution: Do not code (use) the variable variables scheme in your programming.
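
The risk and the solution above, side by side, as an added example that is not part of the original tutorial. The $request array is constructed sample data standing in for request input, and the function names loadUnsafe and loadSafe are hypothetical:

```php
<?php

    // Constructed sample input (assumption): stands in for data such as $_GET or $_POST.
    $request = array('name' => 'John', 'isAdmin' => '1');

    // Risky: each key of the input becomes the name of a local variable.
    function loadUnsafe(array $request)
    {
        $isAdmin = false;           // set by the program, never meant to come from input

        foreach ($request as $key => $value) {
            $$key = $value;         // variable variable: the input chooses the variable written
        }

        return (bool) $isAdmin;     // reflects the input, no longer the program's own value
    }

    // Safer: no variable variables. Only expected keys are copied, and they stay in an array.
    function loadSafe(array $request, array $allowedKeys)
    {
        $isAdmin = false;           // cannot be reached through $request
        $fields = array();

        foreach ($allowedKeys as $key) {
            if (isset($request[$key]) && is_string($request[$key])) {
                $fields[$key] = $request[$key];
            }
        }

        return array('isAdmin' => $isAdmin, 'fields' => $fields);
    }

    var_dump(loadUnsafe($request));
    var_dump(loadSafe($request, array('name')));

?>
```

In the second function the input can only ever fill elements of $fields, so the program's own variables keep the values the program gave them.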

That is it for this part of the series. We stop here and continue in the next part.

Chrys

