MitMaro

Reputation: 5917

Dynamically Calling PHP Class Methods

Is there any security problem with dynamically calling a method in a class from user input. For example:

<?php
    class A {
        public function foo() {
            return true;
        }
    }

    $obj = new A();

    // Method name taken directly from the query string (untrusted input)
    $method = $_GET['method'];

    // Variable method call: invokes whatever method name the user supplied
    $obj->$method();

I am aware that the user will be able to call any method within A, and I am fine with that. I am just curious if there may be other possible security issues.

Upvotes: 2

Views: 165

Answers (2)

Adam Pointer

Reputation: 1492

Yes, it's probably a bad idea; maybe you should restrict allowed methods. Maybe define allowed methods in an array, then throw an exception if $method is not in this whitelist.

Also, you will need to use the magic __call($name, $args) method to allow these user-defined methods to be called.

Upvotes: 1

Pascal MARTIN

Reputation: 401002

Your user will be able to try calling any possible method from your class -- even try to call non-existent methods (and get a Fatal Error).
If you're fine with this... well, I suppose this is OK.

It doesn't look nice, but I don't think one could inject any other kind of code.


Still, I would at least check if the method exists -- using `method_exists()`.

Upvotes: 4
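Combining the two answers (an explicit allow-list plus a `method_exists()` check before the variable call), here is an added example of a hardened dispatcher. It is not code from the question or from either answer; the class `A`, its methods and the `dispatch()` wrapper are hypothetical. It also rejects non-string input, since a query like `?method[]=foo` makes `$_GET['method']` an array, which the original one-liner would pass straight into the call.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or either answer): a dispatcher that
// only invokes explicitly allow-listed methods. Class and method names are
// hypothetical.
class A
{
    // Operations intentionally exposed to the request. Anything not listed
    // here (including methods added to the class later) stays unreachable.
    private const ALLOWED_METHODS = ['foo', 'bar'];

    public function foo(): string { return 'foo called'; }
    public function bar(): string { return 'bar called'; }

    // Public, but must never be reachable from a request; the allow-list
    // is what keeps it out, not its visibility.
    public function resetDatabase(): string { return 'destructive'; }

    public function dispatch(mixed $method): string
    {
        // $_GET values can be arrays (?method[]=foo); reject anything but a string.
        if (!is_string($method)) {
            throw new InvalidArgumentException('method must be a string');
        }
        // Primary control: an explicit allow-list, compared strictly so that
        // type juggling cannot match an unexpected value.
        if (!in_array($method, self::ALLOWED_METHODS, true)) {
            throw new InvalidArgumentException('method not allowed');
        }
        // Defence in depth: confirm the method really exists before calling it,
        // so a stale allow-list entry gives a clean error instead of a fatal.
        if (!method_exists($this, $method)) {
            throw new LogicException("allow-listed method '$method' is missing");
        }
        return $this->$method();
    }
}

// Usage: the method name comes straight from the query string and is untrusted.
$obj = new A();
try {
    echo $obj->dispatch($_GET['method'] ?? null);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
}
```

The allow-list is the control that matters; `method_exists()` on its own is not sufficient, because it returns true for private and protected methods as well, so a check built only on it still lets a request reach any method name the class defines. Keeping the list as a class constant next to the methods it exposes makes it easy to review in a diff when new methods are added.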
