user2244804

Reputation:

Call Function From URL

I have a class with functions in PHP. This file is on the server... Can I call any function from this file from a URL? I do not want to modify this file... I just know the function name. Here is the function:

<?php
class mClass {
    // Runs the query text exactly as given (legacy mysql extension);
    // on failure the MySQL error and the query itself are printed.
    function execute($q) {
        $result = mysql_query($q) or die(mysql_error()."<br />".$q);
    }

    // Returns the request parameter $var, or $default if it is not set.
    function getParams($var, $default = '') {
        $tmpvar = $default;
        if ( isset($_REQUEST[$var]) ) $tmpvar = $_REQUEST[$var];
        return $tmpvar;
    }
}

Can I do it like this?

    mydomain.com/myfile.php?execute('my query here')

Upvotes: 0

Views: 2909

Answers (2)

ose

Reputation: 4075

In the interest of preventing anyone else from ever conceiving doing something like this I feel obliged to answer with "Don't do this!!!!!"

This is a horrendous security hole and a disaster waiting to happen. You might as well just hand over control of your server. Aside from which it gives detailed insight into how your system is designed (again providing unnecessary information to hackers). Furthermore, you have no guarantees as to when, how, in what order, with what arguments, under what circumstances the functions might be called, what will be the contents of the cookie variable used by function xxx. You are abdicating control of your system in a frightening manner.

Now let's look at your specific example. If I ever see a website that has ?execute(...) it's going to raise a red flag. I, the hacker, think to myself, "surely not, nobody would possibly do something like that!" so I google that part of the URL and sure enough this Stack Overflow question comes up and I see that you are dumping the argument into a MySQL query. "Good lord, I don't even need to SQL-inject!"

So, being an evil person, I decide to drop this query in:

.php?execute('SELECT * FROM `information_schema`.`tables`')

Now I see the structure of your database, and look, there's a table called user_account_info! I wonder how I can use this information to extort you for millions of dollars...

I could try

.php?execute('SELECT * FROM user_account_information')

Or maybe

.php?execute('SELECT credit_card FROM user_account_information')

But really why stop there, I can really turn the screws with

UPDATE user_account_information SET vital_customer_information =
    ENCRYPT(vital_customer_information, my_key_which_you_will_never_crack);

Now, you want your vital customer information back? How about you deposit some money in my Cayman Islands bank account and then I'll think about it....

Even ignoring the security implications this is poor design. The whole point of encapsulation, information hiding, etc. is blown by having a user transparently calling functions in your code.

Upvotes: 5

Barmar

Reputation: 781058

Everyone else is pointing out that you really shouldn't do this, and I agree. But if someone is putting a gun to your head, the way you would do it is with a URL like:

mydomain.com/myfile.php?sql=my%20query%20here

Then in PHP you would use $_GET['sql'] to get the query.

BTW, to all the people who warn about Bobby Tables -- haven't you heard of limiting GRANT permissions? When we run applications that only need to read, they use an account with only SELECT permission, not UPDATE or DELETE. A script like this one should definitely use an account with very limited permissions.

Upvotes: 2
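As an added illustration of the two answers above (this is example code, not from the question or either answer), the following puts the pattern Barmar describes, a `?sql=` parameter read with `$_GET` and executed as-is, next to a safer shape: the URL names an action from a fixed allowlist, each action maps to a fixed parameterized query, error detail is never echoed back (the `die(mysql_error()."<br />".$q)` in the question leaks both), and the script connects as a SELECT-only account as Barmar recommends. The DSN, credentials, table and column names, and the `app_reader` account are assumptions for illustration.

```php
<?php
// Added example, not code from the question or the answers. Names of the
// database, tables, columns and the DB account are assumptions.
declare(strict_types=1);

// --- Unsafe: executes whatever query text the client put in the URL ---------
// This is the ?sql=... approach; with a writable account it is exactly the
// situation ose's answer walks through.
function runRawQuery(PDO $db): array
{
    $sql = $_GET['sql'] ?? '';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Safer: the client chooses an action name, never SQL ---------------------
// Allowed actions map to fixed SQL with placeholders. Only placeholder values
// come from the request, and they are bound rather than concatenated, so the
// query structure cannot be changed from the URL.
const ACTIONS = [
    'product_by_id' => [
        'sql'    => 'SELECT id, name, price FROM products WHERE id = :id',
        'params' => ['id' => FILTER_VALIDATE_INT],
    ],
    'products_in_category' => [
        'sql'    => 'SELECT id, name FROM products WHERE category = :category',
        'params' => ['category' => FILTER_DEFAULT],
    ],
];

function dispatch(PDO $db, array $request): array
{
    $action = $request['action'] ?? '';
    if (!array_key_exists($action, ACTIONS)) {
        // Unknown action: refuse without echoing the input or any schema detail.
        http_response_code(400);
        return ['error' => 'unknown action'];
    }

    $spec  = ACTIONS[$action];
    $bound = [];
    foreach ($spec['params'] as $name => $filter) {
        if (!isset($request[$name])) {
            http_response_code(400);
            return ['error' => "missing parameter $name"];
        }
        $value = filter_var($request[$name], $filter);
        if ($value === false) {
            http_response_code(400);
            return ['error' => "invalid parameter $name"];
        }
        $bound[$name] = $value;
    }

    try {
        $stmt = $db->prepare($spec['sql']);
        $stmt->execute($bound);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Log the real error server-side; the client gets a generic message.
        error_log('query failed for action ' . $action . ': ' . $e->getMessage());
        http_response_code(500);
        return ['error' => 'query failed'];
    }
}

// Least-privilege connection, as Barmar's answer recommends. On the MySQL
// side, run once as an administrator (names are assumptions):
//   CREATE USER 'app_reader'@'localhost' IDENTIFIED BY '<password>';
//   GRANT SELECT ON shop.products TO 'app_reader'@'localhost';
$db = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'app_reader',
    getenv('APP_DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Example request: myfile.php?action=product_by_id&id=42
header('Content-Type: application/json');
echo json_encode(dispatch($db, $_GET));
```

Even with the allowlist in place, the GRANT matters: if the endpoint is ever misused, a SELECT-only account bounds the damage to reading the tables it was granted, which is what Barmar's point about Bobby Tables amounts to.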
