  1. #1
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts

    Starting function from GET

    Ok so here's what I want to do. I want to call a function name from the GET statement. Basically the name of the function to be called will be passed to the page in the GET statement, I want in the first couple of lines to grab that get statement and call that function. How in the world do I do that? Do I just call it like a variable?

    $_GET['function']
    And that calls it or is there something else that has to be done?

    Thanks for any help.
    "FORTRAN is not a language. It's a way of turning a multi-million dollar mainframe, into a $50 programmable scientific calculator."
    http://www.microfastcat.com -- FastCat Software, the fastest software on the NET!
    http://www.microthosting.com -- Free reseller web hosting, Hosting, VPS, FREE SMALL HOSTING!!!
    http://www.microtronix-tech.com -- Web design and programming

  • #2
    New Coder
    Join Date
    May 2007
    Location
    Manchester, UK
    Posts
    72
    Thanks
    0
    Thanked 2 Times in 2 Posts
    This is a very bad idea.

    You're better off doing something like:

    PHP Code:
    switch ($_GET['function']) {
        case 'f1':
            f1();
            break;
        case 'f2':
            f2();
            break;
        default:
            // Escape the user-supplied name before echoing it back.
            printf("Unknown function: '%s'", htmlspecialchars($_GET['function']));
    }

    If you really must follow on with your extremely bad idea, see: http://php.net/eval
    Every PHP programmer of any skill level should set error_reporting(E_ALL); at the top of their scripts or in their php.ini

  • #3
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,862
    Thanks
    160
    Thanked 2,223 Times in 2,210 Posts
    You could use call_user_func after checking the existence of a function by using http://php.net/function_exists
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

  • #4
    New Coder
    Join Date
    May 2007
    Location
    Manchester, UK
    Posts
    72
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by abduraooft View Post
    You could use call_user_func after checking the existence of a function by using http://php.net/function_exists
    Yeah, this would work too. It's still a bad idea.

  • #5
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts
    Ahri: Might I ask why this is a bad idea? Just curious so I can learn this.

  • #6
    New Coder
    Join Date
    May 2007
    Location
    Manchester, UK
    Posts
    72
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by jfreak53 View Post
    Ahri: Might I ask why this is a bad idea? Just curious so I can learn this.
    Certainly; by doing this you're trusting user input. It's a slippery slope that will likely result in your accounts being compromised. Don't trust any user input; sanitize everything.

    I accept that you're only letting people execute functions without args, but how long before you expand it to allow that? You're currently talking about letting them run die() or phpinfo(), which seems bad enough, what happens when they run echo(file_get_contents('db_connections.php')) ?

    I'm sure other people can think of more elaborate issues with it, but suffice to say that you'll either regret it soon, or it'll end up in your mental toolbox of "neat stuff" and it'll bite you later.

  • #7
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts
    Hmm well in that case I didn't think about it that way. Thanks for the help.

  • #8
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    The above is a pretty good explanation of the issue. Much like trusting database input or using eval, allowing any function to be executed via user input is very dangerous. It's a matter of control, that's all. There is no problem with passing a function, but do as Ahri mentioned and tighten restrictions:
    PHP Code:
    $aMyFunctions = array(
        'callSomething',
        'goSomewhere',
        //...
    );

    // Strict comparison: the name must match an allowlisted string exactly.
    if (in_array($_GET['function'], $aMyFunctions, true))
    {
        // The allowlist is a plain list of names, so call the name itself
        // rather than indexing the array with it.
        call_user_func($_GET['function']);
    }
    else
    {
        die('Cannot find function for ' . htmlspecialchars($_GET['function']));
    }

    For a simple example.
    The threat is allowing users to specify whatever functions they want. This allows them access to functions such as fwrite which will seriously compromise your program and file system.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • Users who have thanked Fou-Lu for this post:

    jfreak53 (03-12-2010)
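    A hardened version of the allowlist dispatcher discussed in posts #2 and #8, written for this edit rather than taken from the thread; the handler functions, the ACTIONS map and the $_SESSION['ajax_token'] name are assumptions, and the token check stands in for the "randomly generated code" mentioned later in the thread:

```php
<?php
// Added example (not code from this thread): dispatch a request parameter to
// one of a fixed set of handlers. The request only supplies a key into this
// map; PHP never resolves a user-supplied string as a function name.

function handler_ping(): string { return 'pong'; }          // hypothetical
function handler_time(): string { return gmdate('c'); }     // hypothetical

// Allowlist of request key => internal callable. Anything absent is rejected,
// so phpinfo, eval or file_get_contents stay unreachable even though
// function_exists() would happily return true for them.
const ACTIONS = [
    'ping' => 'handler_ping',
    'time' => 'handler_time',
];

// Exact, case-sensitive key lookup; array_key_exists avoids the loose
// comparison that an unqualified in_array() would perform.
function resolve_action(array $query): ?callable
{
    $name = $query['function'] ?? null;
    if (!is_string($name) || !array_key_exists($name, ACTIONS)) {
        return null;
    }
    return ACTIONS[$name];
}

// The "randomly generated code" from the thread, done as a per-session token
// compared in constant time. Assumes the page that issues the AJAX request
// stored it in $_SESSION['ajax_token'] (assumed name).
session_start();
$token = $_POST['token'] ?? '';
if (!is_string($token) || !isset($_SESSION['ajax_token'])
    || !hash_equals($_SESSION['ajax_token'], $token)) {
    http_response_code(403);
    exit('Forbidden');
}

$handler = resolve_action($_GET);
if ($handler === null) {
    http_response_code(400);
    // Keep the raw value in the server log; send the client only an escaped copy.
    error_log('Rejected action: ' . var_export($_GET['function'] ?? null, true));
    exit('Unknown action: ' . htmlspecialchars((string)($_GET['function'] ?? ''), ENT_QUOTES, 'UTF-8'));
}
echo htmlspecialchars($handler(), ENT_QUOTES, 'UTF-8');
```

    Because the map is the only way a request reaches a function, adding a new action means adding a key here, and a rejected name is logged server-side so probing for other names shows up in the logs.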

  • #9
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts
    Quote Originally Posted by Fou-Lu View Post
    The above is a pretty good explanation of the issue. Much like trusting database input or using eval, allowing any function to be executed via user input is very dangerous. It's a matter of control, that's all. There is no problem with passing a function, but do as Ahri mentioned and tighten restrictions:
    PHP Code:
    $aMyFunctions = array(
        'callSomething',
        'goSomewhere',
        //...
    );

    // Strict comparison: the name must match an allowlisted string exactly.
    if (in_array($_GET['function'], $aMyFunctions, true))
    {
        // The allowlist is a plain list of names, so call the name itself
        // rather than indexing the array with it.
        call_user_func($_GET['function']);
    }
    else
    {
        die('Cannot find function for ' . htmlspecialchars($_GET['function']));
    }

    For a simple example.
    The threat is allowing users to specify whatever functions they want. This allows them access to functions such as fwrite which will seriously compromise your program and file system.
    HAHA that is exactly what I did too, word for word on code ha ha

    Well actually the user has no input whatsoever on this function. I have a small file, with a weird name, that calls a function when an ajax post is sent to the file. It was the only way I could think of to make my functions work with ajax and return. But I did it that way. Basically I have a list of all my functions and if it's not in the list then it doesn't run. I also have another part of the if that checks if it's in an array of known php commands like include or echo or phpinfo and others. Then it checks also if the GET parameter was set on a special randomly generated code and then confirms that code. If it doesn't match all that, then poof!

    Thanks again guys.

  • #10
    New Coder
    Join Date
    May 2007
    Location
    Manchester, UK
    Posts
    72
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by jfreak53 View Post
    Well actually the user has no input whatsoever on this function. I have a small file, with a weird name, that calls a function when an ajax post is sent to the file.
    You're a little bit wrong about this; the user has whatever input the AJAX post has. If you're using Firefox, go and install the Firebug plugin, then browse your page and see how easy it is (as a user) to modify what's sent to your weirdly named file, whose name is also easy to see in Firebug or in the source of your page -- which, let's not forget, is downloaded to the user's local computer.

    I don't want to labour the point, but you need to understand that half the stuff you think is secret is in fact completely public; any old lazy webdev will find it immediately, and anyone with half a brain and malicious intent will have learnt enough to circumvent what you think are barriers.

    The lesson you need to learn is caution; think about what's really private and what's actually quite public, and be very careful what you (or your script) believes from the public stuff.

  • Users who have thanked Ahri for this post:

    jfreak53 (03-12-2010)

  • #11
    Regular Coder jfreak53's Avatar
    Join Date
    May 2004
    Location
    Guatemala
    Posts
    477
    Thanks
    19
    Thanked 10 Times in 10 Posts
    This is very true, thank you again for the help.
