Following from the problem of eval() in Service Locator..


Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

That's the same as any other form of injection.

This would be a vulnerability:

<?php

// The class name comes straight from the request, so any loadable class can be instantiated.
$reflect = new ReflectionClass ($_GET['var']);
$object = $reflect->newInstance();

?>
That could allow the attacker to instantiate whatever class they please that is available.

The simple rules of input validation apply anywhere you use input. I choose to whitelist anything that is an action, or a page id, etc.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

That's what I was thinking, but every time I read something they always have to make things sound more complicated than they really are. :-/
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

When I try to use ReflectionClass::newInstanceArgs() it says the function does not exist?

Am I missing something?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Possibly; which version of PHP are you using?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

That method was added in 5.1.3.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

I upgraded to 5.1.5 and used newInstanceArgs() and now my service locator works perfectly. Reflection is something that I didn't know about prior to this thread and it is amazing.

I am curious if anyone has figured a way to use Reflection to do this in versions prior to 5.1.3? I didn't sit with it long enough to figure it out, I just upgraded. :D
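Putting Jenk's whitelist rule and daedalus__'s newInstanceArgs() usage together, here is an added example (not code from this thread or from any poster): a service locator that treats the request parameter only as a key into an allowlist, so reflection never sees an attacker-chosen class name. The service classes, the `service` GET key and the constructor arguments are assumptions; the syntax is kept PHP 5.1-compatible to match the thread.

```php
<?php
// Added example, not code from this thread. Assumed: MailerService, CacheService,
// the $_GET['service'] key and the constructor arguments. Needs PHP >= 5.1.3 for
// ReflectionClass::newInstanceArgs(), as feyd notes above.

class MailerService {
    public $host; public $port;
    public function __construct($host, $port) { $this->host = $host; $this->port = $port; }
}
class CacheService {
    public $dir;
    public function __construct($dir) { $this->dir = $dir; }
}

class ServiceLocator
{
    // Allowlist: request token => class name and constructor arguments.
    // Only class names listed here can ever reach ReflectionClass.
    private $services = array(
        'mailer' => array('class' => 'MailerService', 'args' => array('smtp.example.invalid', 25)),
        'cache'  => array('class' => 'CacheService',  'args' => array('/tmp/cache')),
    );

    public function get($token)
    {
        if (!isset($this->services[$token])) {
            // Reject anything not in the allowlist instead of trying to load it.
            throw new InvalidArgumentException('Unknown service: ' . $token);
        }
        $spec = $this->services[$token];
        $reflect = new ReflectionClass($spec['class']);
        return $reflect->newInstanceArgs($spec['args']);
    }
}

// Vulnerable pattern from the thread: the parameter names the class directly.
// $reflect = new ReflectionClass($_GET['var']); $object = $reflect->newInstance();

// Hardened: the parameter is only looked up in the allowlist.
$locator = new ServiceLocator();
$token = isset($_GET['service']) ? (string) $_GET['service'] : 'cache';
try {
    $service = $locator->get($token);
    echo get_class($service), "\n";   // MailerService or CacheService, never anything else
} catch (InvalidArgumentException $e) {
    header('HTTP/1.0 400 Bad Request');
    echo "Bad request\n";
}
```

The same lookup-then-reflect shape works for action or page ids: validate the token against a fixed map first, and the reflection call itself never needs to sanitize anything.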