
I've been reading a project (not based on any PHP framework) and I came across the following (procedural) code in nearly every PHP file that responds to user requests (either $_GET or $_POST).

<?php
// Dispatch: the request parameter "a" is prefixed with "a_" and, if a
// function of that name exists, it is called.
if (!empty($_REQUEST['a'])) {
    $func = "a_" . $_REQUEST['a'];
    if (function_exists($func)) {
        $func();
    } else {
        // redirect
    }
} else {
    // redirect
}
...
// Handlers reachable through the dispatcher above.
function a_action_a() { ... }
function a_action_b() { ... }

I'm interested in knowing whether it is secure enough (or, better, what the threats are) as a mechanism for function calling. Can this code lead to control-flow or function enumeration?

Is there a proper way or suggested mechanisms for function calling in procedural PHP?

antiauthor
    Using this safely requires a function name whitelist. However, the prefix `a_` amounts to almost the same here. (At least [no php core function](http://www.php.net/manual/en/indexes.functions.php) with such a name.) – mario Apr 11 '13 at 09:26
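As an added illustration (not code from the question or the answer), the dispatcher from the question is placed beside a variant that uses the explicit whitelist mario mentions. The helper `a_internal_reset` and the two dispatch functions are assumptions chosen to show why a prefix alone is a weaker boundary than a fixed map.

```php
<?php
// Added example, not from the original post. Handler names beyond
// a_action_a / a_action_b are assumptions for illustration.

function a_action_a(): string { return "handled a"; }
function a_action_b(): string { return "handled b"; }
// An internal helper that merely shares the prefix: reachable through the
// original dispatcher because its only check is function_exists().
function a_internal_reset(): string { return "reset performed"; }

// Original mechanism: any existing function whose name starts with "a_"
// can be invoked by the client, so the prefix is the whole boundary.
function dispatch_prefix(array $request): string {
    if (empty($request['a'])) {
        return "redirect";
    }
    $func = "a_" . $request['a'];
    return function_exists($func) ? $func() : "redirect";
}

// Whitelisted mechanism: the client value is only a key into a fixed map,
// so nothing outside this map can be called no matter what other a_*
// functions exist. The value is type- and syntax-checked before lookup,
// which also rejects array-valued parameters such as ?a[]=x.
const ACTIONS = [
    'action_a' => 'a_action_a',
    'action_b' => 'a_action_b',
];

function dispatch_allowlist(array $request): string {
    $action = $request['a'] ?? '';
    if (!is_string($action) || !preg_match('/^[a-z_]{1,32}$/', $action)) {
        return "redirect";
    }
    if (!array_key_exists($action, ACTIONS)) {
        return "redirect";
    }
    return (ACTIONS[$action])();
}

// Constructed inputs (not captured traffic) showing the difference:
// 'internal_reset' is callable via the prefix but not via the map.
$cases = ['action_a', 'internal_reset', '../x', ''];
foreach ($cases as $a) {
    printf("%-16s prefix=%-16s allowlist=%s\n",
        var_export($a, true),
        dispatch_prefix(['a' => $a]),
        dispatch_allowlist(['a' => $a]));
}
```

In a real page the caller would pass `$_POST` or `$_GET` to `dispatch_allowlist` rather than `$_REQUEST`, which by default also merges cookie values into the same array.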

1 Answer


Is there a proper way or suggested mechanisms for function calling in procedural PHP?

The proper way is to use a router script that will decide, depending on a route, what code to execute, like in Silex.

$app = new Silex\Application();   // after requiring vendor/autoload.php
$app->get("/index", function () { // only registered routes reach app code
    return "this is the index";
});
$app->run();

and have the proper .htaccess file at the web root:

FallbackResource /index.php

It may be a matter of opinion, but there is no real use case where you would need to expose the inner workings of your app to the client directly, even with prefixing all your functions.

mpm
  • When I see these kinds of things, it makes me want to scream, sorry. And that's the difference between a ruby/rails/sinatra or python/django/flask web dev and the flock of php web devs: rubyists and pythonists are ***forced*** into good practices because they are the easiest way. The nature of PHP makes bad practices always the easiest way. And I'm not even talking about all these 10 y.o. tutorials out there that promote everything a php dev should not do ... – mpm Apr 11 '13 at 09:44
  • Downvote me all you want, I stand by my position. This is a matter of education. – mpm Apr 11 '13 at 09:52