Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.
Jenk
DevNet Master
Posts: 3587 Joined: Mon Sep 19, 2005 6:24 am
Location: London
by Jenk » Sat Aug 19, 2006 5:22 pm
That's the same as any other form of injection.
This would be a vulnerability:
<?php
$reflect = new ReflectionClass ($_GET['var']);
$object = $reflect->newInstance();
?>
That could allow the attacker to instantiate whatever class they please that is available.
The simple rules of input validation apply anywhere you use input. I choose to whitelist anything that is an action, or a page id, etc.
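The whitelisting Jenk describes, written out as an added example (not code from the thread): the vulnerable pattern from the post side by side with a version that maps the request value onto a fixed list of allowed classes. The class names `ListAction` and `ViewAction` and the `var` parameter are assumptions for illustration.

```php
<?php
// Added example (not from the thread): the vulnerable pattern from the post,
// then a hardened version that whitelists the class name before reflection.

// VULNERABLE: the class name comes straight from the request, so any loadable
// class (including ones whose constructor has side effects) can be built.
function buildUnchecked(array $request)
{
    $reflect = new ReflectionClass($request['var']);
    return $reflect->newInstance();
}

// HARDENED: the request value is only a key into a map maintained in code.
// Hypothetical class names; anything outside the map is rejected before
// reflection ever sees it.
$allowedActions = array(
    'list' => 'ListAction',
    'view' => 'ViewAction',
);

function buildWhitelisted(array $request, array $allowed)
{
    if (!isset($request['var']) || !is_string($request['var'])) {
        throw new InvalidArgumentException('missing action');
    }
    $key = $request['var'];
    if (!array_key_exists($key, $allowed)) {
        // Worth logging: something other than a known action key arrived.
        throw new InvalidArgumentException('unknown action: ' . $key);
    }
    $reflect = new ReflectionClass($allowed[$key]);
    return $reflect->newInstance();
}

class ListAction {}
class ViewAction {}

// Constructed request data standing in for $_GET.
$good = array('var' => 'list');
$bad  = array('var' => 'ReflectionClass');

echo get_class(buildWhitelisted($good, $allowedActions)), "\n";
try {
    buildWhitelisted($bad, $allowedActions);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of the map is that the request never supplies a class name at all, only a key; `class_exists()` or a blacklist would still let the caller reach every class the autoloader can find.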
daedalus__
DevNet Resident
Posts: 1925 Joined: Thu Feb 09, 2006 4:52 pm
by daedalus__ » Sat Aug 19, 2006 5:24 pm
That's what I was thinking, but every time I read something they always have to make things sound more complicated than they really are. :-/
daedalus__
DevNet Resident
Posts: 1925 Joined: Thu Feb 09, 2006 4:52 pm
by daedalus__ » Sat Aug 19, 2006 9:11 pm
When I try to use ReflectionClass::newInstanceArgs() it says the function does not exist?
Am I missing something?
Jenk
DevNet Master
Posts: 3587 Joined: Mon Sep 19, 2005 6:24 am
Location: London
by Jenk » Sat Aug 19, 2006 9:17 pm
Possibly, which version of PHP are you using?
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Sat Aug 19, 2006 9:26 pm
That method was added in 5.1.3.
daedalus__
DevNet Resident
Posts: 1925 Joined: Thu Feb 09, 2006 4:52 pm
by daedalus__ » Sat Aug 19, 2006 9:29 pm
I upgraded to 5.1.5 and used newInstanceArgs() and now my service locator works perfectly. Reflection is something that I didn't know about prior to this thread and it is amazing.
I am curious if anyone has figured a way to use Reflection to do this in versions prior to 5.1.3? I didn't sit with it long enough to figure it out, I just upgraded.
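A service locator of the kind daedalus__ describes, as an added example that is not the poster's code: classes are registered from code (never from request data) together with their constructor arguments, and built through `ReflectionClass::newInstanceArgs()`. Because feyd notes that method only exists from 5.1.3, the locator checks for it and otherwise spreads the arguments over `newInstance()`, which takes variable arguments, via `call_user_func_array()`. The `Locator` and `Mailer` classes and the registry contents are assumptions for illustration.

```php
<?php
// Added example (not from the thread): a minimal service locator that builds
// registered classes with constructor arguments through reflection.

class Locator
{
    private $registry = array();   // name => array('class' => ..., 'args' => ...)

    // Only application code calls register(), so the class name is trusted;
    // request data should only ever select a name that is already registered.
    public function register($name, $className, array $args = array())
    {
        $this->registry[$name] = array('class' => $className, 'args' => $args);
    }

    public function get($name)
    {
        if (!isset($this->registry[$name])) {
            throw new InvalidArgumentException('unknown service: ' . $name);
        }
        $entry   = $this->registry[$name];
        $reflect = new ReflectionClass($entry['class']);

        if (method_exists($reflect, 'newInstanceArgs')) {
            // PHP 5.1.3 and later, as noted in the thread.
            return $reflect->newInstanceArgs($entry['args']);
        }
        // Older 5.x: newInstance() accepts a variable number of arguments,
        // so spread the array over it instead.
        return call_user_func_array(array($reflect, 'newInstance'), $entry['args']);
    }
}

// Hypothetical service class with constructor arguments.
class Mailer
{
    public $host;
    public $port;

    public function __construct($host, $port)
    {
        $this->host = $host;
        $this->port = $port;
    }
}

$locator = new Locator();
$locator->register('mailer', 'Mailer', array('mail.example.invalid', 25));

$mailer = $locator->get('mailer');
printf("%s:%d\n", $mailer->host, $mailer->port);

try {
    $locator->get('shell');   // not registered, so it is refused
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Keeping the registry in code is what makes this safe to drive from a request parameter: the parameter chooses among known services, and the reflection call never sees a caller-controlled class name.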