04-11-2012, 12:10 AM
I am developing a system that at one point will have a variable number
of items with anchor tag href attribute query strings
<a href="?item=(item value written by php script)">Item</a>
ditto with different item value
So the server sees $_GET['item'];
In order to detect a bad query string
(user or network sniffer tampers with the string)
I need to have case labels in a switch block to detect bad values that change
with the potential list length of items.
Is this possible without a lot of code gymnastics with eval() or.....???
It would be asking for trouble using eval() in this situation.
04-11-2012, 12:33 AM
As far as I know, there is no way to create dynamic cases for a switch. You CAN however use a function as a case - that function could for instance pull a load of bad words from a database table, check them and return true if your term is found. It then either executes that block or moves on to the next or default. Of course that being the case you could simply just use that function by itself.
If you're looking to have individual bits of code for different terms then (despite what you hear about eval) you could store each term in the database with some php in another column. When matched, you then eval that piece of php.
04-11-2012, 12:33 AM
Afraid not. There isn't any real dynamic way to write a switch itself; cases do not allow complicated data unless it's been dereferenced to a specific level (like $a).
Why not just use in_array checks? You can add whatever you want to the in_array. A simple multi-dimensional array will let you contain a condition check, and a function to call.
$aVerify = array(
    array('func' => 'doAnimal', 'options' => array('cat', 'dog', 'mouse')),
);
$sSelected = 'mouse';
foreach ($aVerify as $options) {
    if (in_array($sSelected, $options['options'])) {
        $func = $options['func']; // I don't *think* you can deref a function from an array directly. . .
        $func($sSelected); // call the matched handler (doAnimal must be defined elsewhere)
    }
}
Or something along those lines. Objects can be of great benefit here too, and could be constructed as a callable type as well.
04-11-2012, 04:04 AM
The specific project calls for loading a variable list of image files into
image tags surrounded with anchor tags.
What I have done is created an index file in php that declares an array
// index file named imageIndexFile.php
$_imgLst = array();
$_imgLst['anchor href query string value'] = 'image file';
Then in the processing script/html page,
; // proceed with markup generation code
$_outPut = 'bad query string';
// my variable naming is my way of rapidly finding variable references
The image index file is rewritten every time the user requests this
MY ONLY problem with this is the potential for devious user
sending php code in $_GET request and having it executed in
Is this a potential problem?
04-11-2012, 07:02 AM
Potentially. How is imageIndexFile.php created? If it allows any type of user input in it, then potential exists for a parsable issue yes. If it's simply a matter of say glob on a directory, then no there wouldn't be a problem with that.
Now, when you specify rewritten, do you mean the actual code, or just the output data? The code really shouldn't be changing in here; if the data is dynamic, you should consider using a db or even a flat file above html root.
04-12-2012, 04:12 AM
imageIndexFile.php is created by opening and reading a directory with a list of images. There is no user input here.
I am working on a CMS system for a web site that displays product images.
The only user interaction is to place images to be prepared and placed on display in the web site.
'rewritten' means that the imageIndexFile.php is rewritten (image directory is re-read and the contents are rewritten to this file)
on every request.
I do it this way because each time an image in this directory is prepared,
it is removed from the directory and placed in another directory. So the image list changes.
When the user views an image and assigns it, then goes back to
the display list, it will not appear because it has been removed.
(the user does not have to wonder if it has been seen and processed).
Also, new images can be inserted in the directory.
So, the index file is rewritten on every request for its content.
The $_GET['item'] comes from query string appended to href
attribute in web page, a hacker might attempt to tamper by altering the string.
(Copies page source and alters query strings, then sends altered request)
04-12-2012, 05:36 AM
I don't see a need to have the code rewritten. Directories can be scanned for their contents, served as necessary, and files can be moved / copied from one location to another. Perhaps I just misunderstand what you are actually doing here, but there isn't a need to rewrite the PHP source at all.
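As an added example (not code from any poster in this thread): one way to validate $_GET['item'] against a list built by scanning the image directory on each request, with no dynamic switch cases, no eval() and no generated PHP file. The function names, the hashed-key scheme and the sample file names are assumptions made for illustration.

```php
<?php
// Added example: allow-list lookup. Names, key scheme and sample files are assumptions.

/** Scan $dir and return [opaque key => file name] for image files only. */
function buildImageIndex(string $dir): array
{
    $index = [];
    foreach (scandir($dir) ?: [] as $name) {
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        // Skip ".", "..", sub-directories and anything without an image extension.
        if (!is_file($path) || !preg_match('/\.(jpe?g|png|gif)$/i', $name)) {
            continue;
        }
        // The key sent to the browser is derived from the name, never a path.
        $index['i' . substr(hash('sha256', $name), 0, 16)] = $name;
    }
    return $index;
}

/** Return the file name for a request value, or null if it is not in the list. */
function resolveItem(array $index, $raw): ?string
{
    // ?item[]=x arrives as an array; only a string can be a valid key.
    if (!is_string($raw) || !array_key_exists($raw, $index)) {
        return null;
    }
    return $index[$raw];
}

// Constructed sample directory so the example runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'img_demo_' . getmypid();
mkdir($dir);
foreach (['cat.jpg', 'dog.png', 'notes.php'] as $f) {
    touch($dir . DIRECTORY_SEPARATOR . $f);
}

$index = buildImageIndex($dir);   // rebuilt per request, no PHP file written
foreach ($index as $key => $name) {
    printf("<a href=\"?item=%s\">%s</a>\n", rawurlencode($key), htmlspecialchars($name, ENT_QUOTES));
}

$goodKey = array_key_first($index);   // stands in for a value taken from $_GET['item']
foreach ([$goodKey, '../../etc/passwd', 'phpinfo();', ['x']] as $raw) {
    $file = resolveItem($index, $raw);
    echo $file === null ? "bad query string\n" : "serve " . $file . "\n";
}

array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*'));
rmdir($dir);
```

The request value is only ever used as an array key, so a tampered string can at worst miss the lookup; it is never parsed, included or evaluated.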