Working with Variables
PHP Manual

Introduction to Variables

A good understanding of how variables are stored and manipulated is essential to becoming a Hacker. The engine attempts to cover up the complexity of the concept of a variable that can be any type by providing a uniform and intuitive set of macros for accessing the structures various fields. As the Hacker works through this chapter, they should become comfortable with the terminology and concepts involved with Variables in PHP.

Nota:

PHP is a dynamic, loosely typed language, that uses copy-on-write and reference counting.

To clarify what exactly is meant by the statement above: PHP is a high level language, weak typing is implicit of the engines preference to convert, or coerce variables into the required type at execution time. Reference counting is the means by which the engine can deduce when a variable no longer has any references in the users code, and so is able to free the structures associated with the variable.

All variables in PHP are represented by one structure, the zval:

typedef struct _zval_struct {
    zvalue_value value;        /* variable value */
    zend_uint refcount__gc;    /* reference counter */
    zend_uchar type;           /* value type */
    zend_uchar is_ref__gc;     /* reference flag */
} zval;

The zval_value is a union which can represent all types a variable may hold:

typedef union _zvalue_value {
    long lval;                 /* long value */
    double dval;               /* double value */
    struct {                   
        char *val;
        int len;               /* this will always be set for strings */
    } str;                     /* string (always has length) */
    HashTable *ht;             /* an array */
    zend_object_value obj;     /* stores an object store handle, and handlers */
} zvalue_value;

It should be clear from the structures above that a variable can be of one type, the variable data is represented by the appropriate field in the zval_value union. The zval itself holds the type, reference count and a flag to indicate if a variable is a reference.

Native Type Constants
Constant Mapping
IS_NULL no value is set in this case
IS_LONG lval
IS_DOUBLE dval
IS_BOOL lval
IS_RESOURCE lval
IS_STRING str
IS_ARRAY ht
IS_OBJECT obj

Nota:

There are additional constants that help to identify internal types such as constant arrays and callable objects, their usage is outside the scope of this part of the documentation.

The following table defines the macros exposed by the engine for working with zval values:

Accessor Macros
Prototype Accesses Description
zend_uchar Z_TYPE(zval zv) type returns the type of the value
long Z_LVAL(zval zv) value.lval  
zend_bool Z_BVAL(zval zv) value.lval cast long value to zend_bool
double Z_DVAL(zval zv) value.dval  
long Z_RESVAL(zval zv) value.lval returns the resource list identifier for value
char* Z_STRVAL(zval zv) value.str.val return the string value
int Z_STRLEN(zval zv) value.str.len return the length of the string value
HashTable* Z_ARRVAL(zval zv) value.ht return the HashTable (array) value
zend_object_value Z_OBJVAL(zval zv) value.obj returns object value
uint Z_OBJ_HANDLE(zval zv) value.obj.handle returns the object handle for object value
zend_object_handlers* Z_OBJ_HT_P(zval zv) value.obj.handlers returns the handler table for object value
zend_class_entry* Z_OBJCE(zval zv) value.obj returns the class entry for object value
HashTable* Z_OBJPROP(zval zv) value.obj returns the properties of object value
HashTable* Z_OBJPROP(zval zv) value.obj returns the properties of object value
HashTable* Z_OBJDEBUG(zval zv) value.obj if an object has the get_debug_info handler set, it is called, else Z_OBJPROP is called

Please check the Introducción al contador de referencias chapter for details how reference counting and references work in detail.

Reference Count Manipulation
Prototype Description
zend_uint Z_REFCOUNT(zval zv) returns the reference count of the value
zend_uint Z_SET_REFCOUNT(zval zv) sets the reference count of the value, returning it
zend_uint Z_ADDREF(zval zv) pre-increments the reference count of value, returning it
zend_uint Z_DELREF(zval zv) pre-decrements the reference count of value, returning it
zend_bool Z_ISREF(zval zv) tells if the zval is a reference
void Z_UNSET_ISREF(zval zv) set is_ref__gc to 0
void Z_SET_ISREF(zval zv) set is_ref__gc to 1
void Z_SET_ISREF_TO(zval zv, zend_uchar to) set is_ref__gc to to

Nota:

The Z_* macros above all take a zval, they are all defined again suffixed with _P to take a pointer to a zval, for example zend_uchar Z_TYPE_P(zval* pzv), and again suffixed with _PP to take a pointer to a pointer to a zval, for example zend_uchar Z_TYPE_PP(zval** ppzv)

Creation, Destruction, Separation and Copying
Prototype Description
ALLOC_ZVAL(zval* pzval) emallocs pzval
ALLOC_INIT_ZVAL(zval* pzval) emallocs pzval, and points pzval at a null typed zval for sanity
MAKE_STD_ZVAL(zval* pzval) emallocs pzval, setting the refcount to 1
ZVAL_COPY_VALUE(zval* dst, zval* src) sets the value and type of dst from the value and type of src
INIT_PZVAL_COPY(zval* dst, zval*dst) performs ZVAL_COPY_VALUE, setting refcount of dst to 1, and setting is_ref__gc to 0
SEPARATE_ZVAL(zval** ppzval) if the refcount of ppzval is >1, redirects *ppzval to a newly emalloc'd, copied, and constructed zval of the same type and value
SEPARATE_ZVAL_IF_NOT_REF(zval** ppzval) if *ppzval is not a reference, will perform SEPARATE_ZVAL on ppzval
SEPARATE_ZVAL_TO_MAKE_IS_REF(zval** ppzval) if *ppzval is not a reference, performs SEPARATE_ZVAL then Z_SET_ISREF_PP on ppzval
COPY_PZVAL_TO_ZVAL(zval dst, zval** src) results in dst being a copy of src without affecting the refcount of src
MAKE_COPY_ZVAL(zval** src, zval* dst) performs INIT_PZVAL_COPY, then zval_copy_ctor on the new zval
void zval_copy_ctor(zval** pzval) performs maintenance of reference counts, used widely throughout the engine
void zval_ptr_dtor(zval* pzval) decrements the refcount for the variable, if no refcounts remain the variable is destroyed
FREE_ZVAL(zval* pzval) efrees pzval

Nota:

Objects and Resources have a reference count as part of their respective structures, when zval_ptr_dtor is called on either, their appropriate del_ref method is executed. See Working with Objects and Working with Resources for more information.

If the Hacker only has room to remember two more functions, they should be zval_copy_ctor and zval_ptr_dtor, these are at the basis of the engines reference counting mechanisms and it is important to note that zval_copy_ctor does not actually result in any copying occuring under normal circumstances, it simply increases the reference count. By the same token, zval_ptr_dtor only really destroys a variable when there are no references remaining to it and the refcount is at 0.

PHP is weakly typed, as such the engine provides API functions for converting variables from one type to another.

Type Conversion
Prototype
void convert_to_long(zval* pzval)
void convert_to_double(zval* pzval)
void convert_to_long_base(zval* pzval, int base)
void convert_to_null(zval* pzval)
void convert_to_boolean(zval* pzval)
void convert_to_array(zval* pzval)
void convert_to_object(zval* pzval)
void convert_object_to_type(zval* pzval, convert_func_t converter)

Nota:

convert_func_t functions should have the prototype (void) (zval* pzval)

By now you should have a good understanding of: the types that are native to the engine, how to detect types and read zval values, how to manipulate refcounts, and other zval flags


Working with Variables
PHP Manual