  1. #26
    bulevardi (SitePoint Addict)
    Quote Originally Posted by Stormrider View Post
    I would be extremely careful with that, that code will enable anyone to run any function they like on your server. Validate the function against a whitelist of allowed functions before calling it.
    Perhaps, it can be done like this:
    (wrote some quick validations)
    Code:
    <?php
    $fun = $_GET['fun'];

    if (empty($fun)) {
        standard();
    } else {
        if ($fun != "function1" || $fun != "function2" || $fun != "standard") {
            echo "do not mess with the code";
        } else {
            $fun();
        }
    }

    function standard() {
        echo "<a href=\"?fun=function1\">call function 1</a>";
        echo "<a href=\"?fun=function2\">call function 2</a>";
    }

    function function1() {
        global $fun; // the query value is not visible inside a function without this
        if ($fun != "function1") {
            echo "do not mess with the code";
        } else {
            echo "this shows function one";
        }
    }

    function function2() {
        global $fun;
        if ($fun != "function2") {
            echo "do not mess with the code";
        } else {
            echo "this shows function two";
        }
    }
    ?>
    Or isn't this safe?

  2. #27
    guido2004
    The code I posted is safe.

    This
    PHP Code:
    if($fun != "function1" || $fun != "function2" || $fun != "standard") { 
    doesn't work, because $fun can't have all 3 values at the same time.

  3. #28
    Stormrider (SitePoint Wizard)
    Just create an array of allowed functions, and use in_array() to check if the submitted function is in the allowed list. Much easier to maintain.

  4. #29
    bulevardi (SitePoint Addict)
    I did this one now, like guido2004 did, but then without the switch cases.
    (I guess I just have something against switches.)
    PHP Code:
    <?php
    $fun = $_GET['fun'];

    if (empty($fun)) {
        standard();
    } else {
        if ($fun == "function1" || $fun == "function2" || $fun == "standard") {
            $fun();
        } else {
            echo "do not mess with the code";
        }
    }

    function standard() {
        echo "<a href=\"?fun=function1\">call function 1</a>";
        echo "<a href=\"?fun=function2\">call function 2</a>";
    }

    function function1() {
        echo "this shows function one";
    }

    function function2() {
        echo "this shows function two";
    }
    ?>
    Anyway, it works, but is it secure?

  5. #30
    bulevardi (SitePoint Addict)
    Quote Originally Posted by guido2004 View Post
    The code I posted is safe.

    This
    PHP Code:
    if($fun != "function1" || $fun != "function2" || $fun != "standard") { 
    doesn't work, because $fun can't have all 3 values at the same time.
    Strange, if I turn it the other way, with
    PHP Code:
    if($fun == "function1" || $fun == "function2" || $fun == "standard") { 
    it works out really well now. Thanks!

  6. #31
    v1rgil (SitePoint Enthusiast)
    You can't possibly call a server-side script just like you do with JavaScript, BUT you can use JavaScript to call a specific PHP function within a PHP file using the query string.

  7. #32
    Stormrider (SitePoint Wizard)
    Quote Originally Posted by bulevardi View Post
    Strange, if I turn it the other way, with
    PHP Code:
    if($fun == "function1" || $fun == "function2" || $fun == "standard") { 
    it works out really well now. Thanks!
    That isn't turning it the other way. You'd have to change the || to && if you wanted to make it 'opposite'.

    PHP Code:
    if (condition1 && condition2) {
        //dothing1
    } else {
        //dothing2
    }//if 
    is equivalent to

    PHP Code:
    if (!condition1 || !condition2) {
        //dothing2
    } else {
        //dothing1
    }//if 

  8. #33
    bulevardi (SitePoint Addict)
    Quote Originally Posted by v1rgil View Post
    You can't possibly call a server-side script just like you do with JavaScript, BUT you can use JavaScript to call a specific PHP function within a PHP file using the query string.
    But on my way here http://www.sitepoint.com/forums/show...0&postcount=29

    or on guido2004's way with the switch, it's possible to call PHP functions, even from the same script on the same page.

  9. #34
    Stormrider (SitePoint Wizard)
    You aren't calling the function directly though, you are reloading the page which triggers the function call, that is what v1rgil meant.

    You'd still be better off using an array of allowed functions.

    PHP Code:
    $strFunctionName = $_GET['func'];

    $arrAllowedFunctions = array('function1', 'function2', 'function3');

    if (in_array($strFunctionName, $arrAllowedFunctions)) {
        $strFunctionName();
    } else {
        defaultAction(); // 'default' is a reserved word in PHP, so the fallback needs another name
    }//if

    function defaultAction() {
        //dosomething
    }//function

    function function1() {
        //dosomething
    }//function

    function function2() {
        //dosomething
    }//function

    function function3() {
        //dosomething
    }//function 
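    An added example of the allowed-list dispatch described above (not code from the thread): instead of checking a name and then calling the query-string value, a fixed map of public action names to real functions is consulted, so the raw request value is only ever a lookup key; $handlers and dispatch() are assumed names.

```php
<?php
// Added example, not from the thread. Assumed names: $handlers, dispatch().
// A request can only reach the functions listed in $handlers; the raw
// query-string value is used as a lookup key and is never called directly.

function standard() {
    echo "<a href=\"?fun=function1\">call function 1</a>";
    echo "<a href=\"?fun=function2\">call function 2</a>";
}

function function1() {
    echo "this shows function one";
}

function function2() {
    echo "this shows function two";
}

// Public action name => real function. Adding an action means adding a row
// here; nothing else on the server can be reached through ?fun=.
$handlers = array(
    'standard'  => 'standard',
    'function1' => 'function1',
    'function2' => 'function2',
);

// Returns the name of the function to run, or null when the request is not allowed.
// is_string() rejects ?fun[]=... (PHP turns that into an array) before the lookup;
// array_key_exists() is an exact, case-sensitive match. If in_array() is used
// instead, pass true as its third argument so the comparison is strict.
function dispatch(array $handlers, $requested) {
    if ($requested === null || $requested === '') {
        return $handlers['standard'];          // no action given: show the menu
    }
    if (!is_string($requested) || !array_key_exists($requested, $handlers)) {
        return null;                           // unknown or malformed action
    }
    return $handlers[$requested];
}

$callable = dispatch($handlers, isset($_GET['fun']) ? $_GET['fun'] : null);
if ($callable === null) {
    echo "do not mess with the code";
} else {
    $callable();
}
```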

  10. #35
    bulevardi (SitePoint Addict)
    Quote Originally Posted by Stormrider View Post
    That isn't turning it the other way. You'd have to change the || to && if you wanted to make it 'opposite'.
    Hmm yeah, I see. I made it up too quick I guess...
    But:
    PHP Code:
    if($fun == "function1" || $fun == "function2" || $fun == "standard") {
        $fun();
    } else {
        echo "do not mess with the code";
    }
    is quite the same as:
    PHP Code:
    if($fun != "function1" && $fun != "function2" && $fun != "standard") {
        echo "do not mess with the code";
    } else {
        $fun();
    }
    or not?

    Anyway, you can turn it around as much as you want, but the actual question was whether it is secure to work with this validation in it or not.

  11. #36
    Stormrider (SitePoint Wizard)
    Yes, those 2 bits of code are equivalent, and it would work fine for validation.

  12. #37
    bulevardi (SitePoint Addict)
    Hmm, I'll read a bit more about these array things later on this weekend. (I've got to go now.)
    But you guys certainly helped me answer my questions!
    Thanks!

  13. #38
    bulevardi (SitePoint Addict)
    Quote Originally Posted by bulevardi View Post
    Hmm, I'll read a bit more about these array things later on this weekend. (I've got to go now.)
    But you guys certainly helped me answer my questions!
    Thanks!
    Still haven't got the time to read it, so...
    ... but will do later on!!

