
Implications of Instantiating Objects with Dynamic Variables in PHP

What are the performance, security, or "other" implications of using the following form to declare a new class instance in PHP?

<?php
  $class_name = 'SomeClassName';
  $object = new $class_name;
?>

This is a contrived example, but I've seen this form used in Factories (OOP) to avoid having a big if/switch statement.

Problems that come immediately to mind are

  1. You lose the ability to pass arguments into a constructor (LIES. Thanks Jeremy)
  2. Smells like eval(), with all the security concerns it brings to the table (but not necessarily the performance concerns?)

What other implications are there, or what search engine terms other than "Rank PHP Hackery" can someone use to research this?

Alan Storm asked Sep 07 '08 01:09



2 Answers

One of the issues with resolving at run time is that you make it really hard for the opcode caches (like APC). Still, for now, doing something like you describe in your question is a valid way if you need a certain amount of indirection when instantiating stuff.

As long as you don't do something like

$classname = 'SomeClassName';
for ($x = 0; $x < 100000; $x++){
  $object = new $classname;
}

you are probably fine :-)

(My point being: dynamically looking up a class here and there doesn't hurt. If you do it often, it will.)

Also, be sure that $classname can never be set from the outside - you'd want to have some control over what exact class you will be instantiating.

pilif answered Oct 12 '22 11:10


It looks like you can still pass arguments to the constructor, here's my test code:

<?php

class Test {
    function __construct($x) {
        echo $x;
    }
}

$class = 'Test';
$object = new $class('test'); // echoes "test"

?>

That is what you meant, right?

So the only other problem you mentioned and that I can think of is the security of it, but it shouldn't be too difficult to make it secure, and it's obviously a lot more secure than using eval().

Paige Ruten answered Oct 12 '22 12:10
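
An added example, not part of the question or either answer: one way to follow the first answer's advice that the class name should never be set from the outside is to let external input select a key in a fixed map, so only listed classes can reach `new $class`. The `Exporter` classes and `ExporterFactory` are hypothetical names, and PHP 8.0 or later is assumed.

```php
<?php
// Hypothetical classes for this example; none of these names come from the page.
interface Exporter { public function export(array $rows): string; }

final class CsvExporter implements Exporter
{
    public function __construct(private string $delimiter = ',') {}
    public function export(array $rows): string
    {
        return implode("\n", array_map(fn(array $r) => implode($this->delimiter, $r), $rows));
    }
}

final class JsonExporter implements Exporter
{
    public function export(array $rows): string
    {
        return json_encode($rows, JSON_THROW_ON_ERROR);
    }
}

final class ExporterFactory
{
    // External input selects a key in this map; it never becomes a class name itself.
    private const ALLOWED = [
        'csv'  => CsvExporter::class,
        'json' => JsonExporter::class,
    ];

    public static function create(string $key, mixed ...$args): Exporter
    {
        if (!array_key_exists($key, self::ALLOWED)) {
            // Rejected before any `new`, so no class lookup or autoload happens for it.
            throw new InvalidArgumentException('Unknown exporter type');
        }
        $class = self::ALLOWED[$key];
        return new $class(...$args); // dynamic instantiation, constructor arguments included
    }
}

// Constructed sample input standing in for a request parameter.
foreach (['csv', 'json', 'SomeClassName'] as $requested) {
    try {
        $exporter = ExporterFactory::create($requested);
        echo $requested, ' => ', $exporter->export([['a', 'b'], ['c', 'd']]), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $requested, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The factory keeps the indirection that replaces the if/switch statement, while a raw class name supplied from outside is refused instead of instantiated.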