views:

99

answers:

5

Is there a class to handle $_REQUEST that makes the life of a PHP developer easier? I want to handle the client requests more easily. I don't want to test with if(isset($_REQUEST['blabla'])) {makesomthing();} I wish there could be a solution like this.

class rpclike
{
 public function getMember()
 {
  $memberid = $this->inputhandler['memberid'];
  $member = $this->memberclass->getmember($memberid);

   foreach($member as $mem)
   {
    echo $mem->id;
   }
 }

}

$rpc = new rpclike();

Then if I call the rpclike from JavaScript like this:

<a href="#" onclick="GETURL('rpclike.php?getMember&memberid=22')">Get member</a>

Which class can do something like that?

A: 

I don't think so. Being able to invoke an arbitrary method would be a massive security hole.

Joe
Sure, but first, before doing anything, I would call if(!$this->user->isadmin()) return false;
streetparade
That's not necessarily the point. Assuming your system isn't secure (no system is 100% secure) and someone managed to spoof the admin credentials, they could potentially perform any operation. If you do your own dispatch you can at least limit this.
Joe
+2  A: 

It's not recommended that you use $_REQUEST as it poses security concerns. You should be using one of $_GET, $_POST, or $_COOKIE depending on what global request var you are trying to retrieve. Your best bet would be to have something like the following:

class input {

    public static function get($key, $value = false) {
        return (!empty($_GET[$key])) ? $_GET[$key] : $value;
    }

    public static function post($key, $value = false) {
        return (!empty($_POST[$key])) ? $_POST[$key] : $value;
    }

    public static function cookie($key, $value = false) {
        return (!empty($_COOKIE[$key])) ? $_COOKIE[$key] : $value;
    }

}

You could then use the class like:

if (input::post('field', null) != null) {

}

or

if (input::get('field', false) != false) {

}

Although this still requires testing, you can explicitly set the return values in the event no data was set for the global variable.

cballou
Don't forget to implement a `get_magic_quotes_gpc()` workaround.
Alix Axel
Very true, thought about mentioning it... I'm just so used to having it turned off myself.
cballou
+1  A: 

PHP doesn't really have a default class structure that you can utilize in that kind of manner, as its origins are in procedural-based programming.

It would be fairly trivial for you to create a class like that if you felt the need for it. However, you would really just be adding overhead. If the convenience of it is worth it for you, then you could utilize the __get() and __set() methods to handle existence checks for you.

The fact that you want to use this for handling client requests in an easier fashion is probably a good indicator that you should move to something like an MVC framework, which usually handles URLs and routes them to appropriate methods for you automatically. Most PHP frameworks will do this for you already. For a nice overview on how the process commonly works, you could see how CodeIgniter does it.

zombat
Thank you, you motivated me to use, from now on and most of the time, just the framework CodeIgniter. Have a nice evening.
streetparade
A: 

Do something like:

url: /foo/bar?req=getMembers&memberid=22

Then you can do:

$request = $_GET['req'];
$request();

Slightly less dangerous version:

// Map of allowed request names to the functions that handle them
$req_methods = array(
    'getMembers' => 'some_function',
    'saveMembers' => 'another_function',
    'sendMessage' => 'send_him_an_email'
);
$request = $_GET['req'];
$req_methods[$request]();
slebetman
That seems just a little risky. E.g., what if someone requests something like /foo/bar?req=apache_child_terminate or some other dangerous function?
Frank Farmer
Added slightly less dangerous version.
slebetman
I would still suggest wrapping the latter with `isset($req_methods[$request])`
cballou
+1  A: 

Aside from the obvious security risks involved in this, it is feasible. It's a common pattern to use for steering requests in an MVC system.

Say you request index.php?class=User&method=ViewProfile

$module = new $_GET['class']();
$eventName = $_GET['method'];
// Call the method only if it exists on the instantiated class
if (method_exists($module, $eventName)) {
    $module->$eventName();
}
infamouse
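
The allowlisted dispatch discussed in the answers and comments above (a request-name map checked with `isset()` before any call), as an added example that is not part of any original post. The class `MemberHandlers`, the function `dispatch()`, the `status`/`body` result shape and the sample queries are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical handler class for this example (not from the page).
final class MemberHandlers
{
    public function getMember(array $in): array
    {
        // Validate the id rather than trusting the raw query string.
        $id = filter_var($in['memberid'] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return ['status' => 400, 'body' => 'invalid memberid'];
        }
        return ['status' => 200, 'body' => "member $id"];
    }

    // Public method that is deliberately absent from the allowlist.
    public function deleteAll(array $in): array
    {
        return ['status' => 200, 'body' => 'deleted'];
    }
}

function dispatch(array $query, object $handlers, array $allowed): array
{
    $req = $query['req'] ?? '';
    // Only a string that is a key of the allowlist ever reaches a call.
    if (!is_string($req) || !isset($allowed[$req])) {
        return ['status' => 404, 'body' => 'unknown request'];
    }
    return $handlers->{$allowed[$req]}($query);
}

$allowed = ['getMember' => 'getMember']; // request name => method name
$handlers = new MemberHandlers();

// Constructed sample queries standing in for $_GET.
$samples = [
    ['req' => 'getMember', 'memberid' => '22'],
    ['req' => 'getMember', 'memberid' => 'abc'],
    ['req' => 'deleteAll'],
    ['req' => 'apache_child_terminate'],
    ['req' => ['getMember']],
];
foreach ($samples as $q) {
    $r = dispatch($q, $handlers, $allowed);
    echo json_encode($q), ' => ', $r['status'], ' ', $r['body'], PHP_EOL;
}
```

Because the user-supplied name is only ever used as an array key, a public method such as `deleteAll` or a global function name stays unreachable unless it is added to `$allowed`.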