
Starting function from GET



jfreak53
03-11-2010, 03:51 PM
Ok so here's what I want to do. I want to call a function name from the GET statement. Basically the name of the function to be called will be passed to the page in the GET statement, I want in the first couple of lines to grab that get statement and call that function. How in the world do I do that? Do I just call it like a variable?


$_GET['function']

And that calls it or is there something else that has to be done?

Thanks for any help.

Ahri
03-11-2010, 04:14 PM
This is a very bad idea.

You're better off doing something like:


$fn = isset($_GET['function']) ? $_GET['function'] : ''; // avoid an undefined-index notice
switch ($fn) {
    case 'f1':
        f1();
        break;
    case 'f2':
        f2();
        break;
    default:
        printf("Unknown function: '%s'", htmlspecialchars($fn));
}

If you really must follow on with your extremely bad idea, see: http://php.net/eval

abduraooft
03-11-2010, 04:19 PM
You could use call_user_func (http://php.net/call_user_func) after checking the existence of a function by using http://php.net/function_exists

Ahri
03-11-2010, 04:29 PM
You could use call_user_func (http://php.net/call_user_func) after checking the existence of a function by using http://php.net/function_exists

Yeah, this would work too. It's still a bad idea.

jfreak53
03-11-2010, 04:29 PM
Ahri: Might I ask why this is a bad idea? Just curious so I can learn this.

Ahri
03-11-2010, 04:35 PM
Ahri: Might I ask why this is a bad idea? Just curious so I can learn this.

Certainly; by doing this you're trusting user input. It's a slippery slope that will likely result in your accounts being compromised. Don't trust any user input; sanitize everything.

I accept that you're only letting people execute functions without args, but how long before you expand it to allow that? You're currently talking about letting them run die() or phpinfo(), which seems bad enough, what happens when they run echo(file_get_contents('db_connections.php')) ?

I'm sure other people can think of more elaborate issues with it, but suffice to say that you'll either regret it soon, or it'll end up in your mental toolbox of "neat stuff" and it'll bite you later.

jfreak53
03-11-2010, 05:17 PM
Hmm well in that case I didn't think about it that way. Thanks for the help.

Fou-Lu
03-11-2010, 05:24 PM
The above is a pretty good explanation of the issue. Much like trusting database input or using eval, allowing any function to be executed via a user input is very dangerous. It's a matter of control, that's all. There is no problem with passing a function, but do as Ahri mentioned and tighten restrictions:


$aMyFunctions = array(
    'callSomething',
    'goSomewhere',
    //...
);

// Strict comparison; the request value itself is what gets called.
// Indexing $aMyFunctions by name would look up a key that does not exist.
if (isset($_GET['function']) && in_array($_GET['function'], $aMyFunctions, true))
{
    call_user_func($_GET['function']);
}
else
{
    // Escape the value before echoing it back to the browser.
    $shown = isset($_GET['function']) ? $_GET['function'] : '';
    die('Cannot find function for ' . htmlspecialchars($shown));
}


For a simple example.
The threat is allowing users to specify whatever functions they want. This allows them access to functions such as fwrite which will seriously compromise your program and file system.
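A fuller version of the allow-list approach from the last two replies, written as an added example for this thread rather than code posted by anyone here. It maps the public action names to the handlers they may reach, so the request only ever selects a key in that map and never supplies a PHP function name directly; it also handles a missing or array-valued parameter (?function[]=x) and checks a per-session token in constant time. The handler names, the token parameter and the fixed token value are assumptions made for the example.

```php
<?php
// Added example (not code from the thread): dispatch a GET-supplied action name
// through an explicit allow-list map. Handler names, the 'token' parameter and
// the fixed token value below are assumptions made for this example.

declare(strict_types=1);

function callSomething(): string { return 'called something'; }
function goSomewhere(): string { return 'went somewhere'; }

// Map of public action names to the callables they are allowed to reach.
// The request never names a PHP function directly, only a key in this map.
const ACTIONS = [
    'callSomething' => 'callSomething',
    'goSomewhere'   => 'goSomewhere',
];

/**
 * Resolve an action from the request parameters.
 * Returns the callable to run, or null if the request must be rejected.
 */
function resolveAction(array $get, string $expectedToken): ?callable
{
    // The parameter may be absent, or an array (?function[]=x), so type-check it.
    if (!isset($get['function']) || !is_string($get['function'])) {
        return null;
    }
    // The randomly generated per-session code mentioned later in the thread:
    // compare it in constant time so the comparison itself leaks nothing.
    if (!isset($get['token']) || !is_string($get['token'])
        || !hash_equals($expectedToken, $get['token'])) {
        return null;
    }
    // Exact key lookup; nothing outside the map is callable.
    if (!array_key_exists($get['function'], ACTIONS)) {
        return null;
    }
    return ACTIONS[$get['function']];
}

// The token would normally be generated with bin2hex(random_bytes(16)) at login
// and kept in $_SESSION; a constructed fixed value keeps this example stand-alone.
$expectedToken = 'constructed-token-value';

$handler = resolveAction($_GET, $expectedToken);
if ($handler === null) {
    http_response_code(400);
    // Escape anything derived from the request before echoing it.
    $shown = isset($_GET['function']) && is_string($_GET['function'])
        ? htmlspecialchars($_GET['function'], ENT_QUOTES, 'UTF-8')
        : '';
    exit("Unknown or unauthorised action: '{$shown}'");
}

echo call_user_func($handler);
```

Serve the file with php -S and request it as ?function=callSomething&token=constructed-token-value to see the handler output; any other name, an array-valued parameter, a missing token or a wrong token gets a 400 with the escaped name echoed back. The map form is preferable to a flat list because the public name and the internal callable are decoupled, so renaming or wrapping a handler later never changes what a URL can reach.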

jfreak53
03-11-2010, 06:41 PM
The above is a pretty good explanation of the issue. Much like trusting database input or using eval, allowing any function to be executed via a user input is very dangerous. It's a matter of control, that's all. There is no problem with passing a function, but do as Ahri mentioned and tighten restrictions:


$aMyFunctions = array(
    'callSomething',
    'goSomewhere',
    //...
);

// Strict comparison; the request value itself is what gets called.
// Indexing $aMyFunctions by name would look up a key that does not exist.
if (isset($_GET['function']) && in_array($_GET['function'], $aMyFunctions, true))
{
    call_user_func($_GET['function']);
}
else
{
    // Escape the value before echoing it back to the browser.
    $shown = isset($_GET['function']) ? $_GET['function'] : '';
    die('Cannot find function for ' . htmlspecialchars($shown));
}


For a simple example.
The threat is allowing users to specify whatever functions they want. This allows them access to functions such as fwrite which will seriously compromise your program and file system.

HAHA that is exactly what I did too, word for word on code ha ha :thumbsup:

Well actually the user has no input whatsoever on this function. I have a small file, with a weird name, that calls a function when an ajax post is sent to the file. It was the only way I could think of to make my functions work with ajax and return. But I did it that way. Basically I have a list of all my functions and if it's not in the list then it doesn't run. I also have another part of the if that checks if it's in an array of known php commands like include or echo or phpinfo and others. Then it checks also if the GET parameter was set on a special randomly generated code and then confirms that code. If it doesn't match all that, then poof!

Thanks again guys.

Ahri
03-12-2010, 10:35 AM
Well actually the user has no input whatsoever on this function. I have a small file, with a weird name, that calls a function when an ajax post is sent to the file.

You're a little bit wrong about this; the user has whatever input the AJAX post has. If you're using Firefox, go and install the Firebug plugin, then browse your page and see how easy it is (as a user) to modify what's sent to your weirdly named file, which is also easy to see the name of, in Firebug, or in the source of your page -- which let's not forget is downloaded to the user's local computer.

I don't want to labour the point, but you need to understand that half the stuff you think is secret is in fact completely public; any old lazy webdev will find it immediately, and anyone with half a brain and malicious intent will have learnt enough to circumvent what you think are barriers.

The lesson you need to learn is caution; think about what's really private and what's actually quite public, and be very careful what you (or your script) believes from the public stuff.

jfreak53
03-12-2010, 03:43 PM
This is very true, thank you again for the help.


