
Posted: Sat Aug 19, 2006 5:22 pm
by Jenk
That's the same as any other form of injection.

This would be a vulnerability:

<?php

$reflect = new ReflectionClass ($_GET['var']);
$object = $reflect->newInstance();

?>

That could allow the attacker to instantiate whatever class they please that is available.

The simple rules of input validation apply anywhere you use input. I choose to whitelist anything that is an action, or a page id, etc.
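
An added example, not part of Jenk's post or of anyone's code in this thread: the whitelisting approach described above applied to the reflection snippet, so that request input only selects a key and never supplies a class name. The class names, the `Action` interface and the `createAction()` helper are hypothetical, and the sample inputs are constructed stand-ins for `$_GET['var']`.

```php
<?php
// Constructed example classes; only these may be created from request input.
interface Action {}

class ShowPage implements Action {
    public $pageId;
    public function __construct($pageId = 0) { $this->pageId = (int) $pageId; }
}

class ListPages implements Action {}

// Hypothetical helper: map a public action key to a fixed class name.
function createAction($key, array $args = array())
{
    // The request value is only ever used as a lookup key, never as a class name.
    static $allowed = array(
        'show' => 'ShowPage',
        'list' => 'ListPages',
    );

    // $_GET values can be arrays (var[]=x), so check the type before the lookup.
    if (!is_string($key) || !isset($allowed[$key])) {
        throw new InvalidArgumentException('Unknown action');
    }

    $reflect = new ReflectionClass($allowed[$key]);

    // Defence in depth: refuse anything that is not an instantiable Action.
    if (!$reflect->isInstantiable() || !$reflect->implementsInterface('Action')) {
        throw new LogicException('Allowlist entry is not a usable Action');
    }

    // newInstanceArgs() requires PHP 5.1.3 or later.
    return $reflect->newInstanceArgs($args);
}

// Constructed sample input standing in for $_GET['var'].
foreach (array('show', 'list', 'SplFileObject', array('show')) as $input) {
    try {
        $object = createAction($input, $input === 'show' ? array(42) : array());
        echo get_class($object), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', is_string($input) ? $input : gettype($input), "\n";
    }
}
```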

Posted: Sat Aug 19, 2006 5:24 pm
by daedalus__
That's what I was thinking, but every time I read something they always have to make things sound more complicated than they really are. :-/

Posted: Sat Aug 19, 2006 9:11 pm
by daedalus__
When I try to use ReflectionClass::newInstanceArgs() it says the function does not exist?

Am I missing something?

Posted: Sat Aug 19, 2006 9:17 pm
by Jenk
Possibly. Which version of PHP are you using?

Posted: Sat Aug 19, 2006 9:26 pm
by feyd
That method was added in 5.1.3.

Posted: Sat Aug 19, 2006 9:29 pm
by daedalus__
I upgraded to 5.1.5 and used newInstanceArgs() and now my service locator works perfectly. Reflection is something that I didn't know about prior to this thread and it is amazing.

I am curious if anyone has figured a way to use Reflection to do this in versions prior to 5.1.3? I didn't sit with it long enough to figure it out, I just upgraded. :D