
Here is my ajax_handle file:

    <?php
    // Only accept requests that carry the XMLHttpRequest header
    if ($_SERVER['HTTP_X_REQUESTED_WITH'] !== "XMLHttpRequest") {
        echo "Error";
        exit();
    }
    // $_POST['req'] is "Name_method": it selects the controller class and the method to call
    $req = explode("_", $_POST['req']);
    $className = $req[0] . "Controller";
    $methodName = $req[1];
    $file = "application/controllers/" . $className . ".php";
    require_once $file;
    if (!empty($_POST['data'])) {
        var_dump($_POST['data']);
    }
    $controller = new $className;
    $result = $controller->$methodName();
    echo json_encode($result);

I send the arguments as an array in the $_POST['data'] variable. I have no idea what would be the best way to pass them to the (dynamic) $methodName function.

  • I do not like the security problems with your code. I can probably require any file in the filesystem that ends with "Controller.php" by simply sending "../../WhateverPath/Any_xxx" in $_POST['req']. I can call ANY public method in the controller. Do check that the required file really is inside the path you think. Use realpath() to expand any relative path you might get, or forbid those characters entirely that might be "file path" relevant. Is there a reason the controller name can be ANY character on this planet? ASCII letters should be enough. Commented Jul 24, 2013 at 19:44
  • @Sven thank you for pointing this out, but how would you send an altered $_POST['req'] in an ajax call? Anyway I'm gonna make an ASCII filter or an allowed filenames array. Commented Jul 24, 2013 at 20:32
  • There is nothing that keeps me from sending an HTTP request to your server. And all the data inside is under my control. You might be able to obfuscate stuff, but I can always look at your ajax code to see what you are doing, do the same and then alter things to check for interesting behavior. Commented Jul 24, 2013 at 22:49

1 Answer

I suppose you could just pass $_POST['data'] as is to your dynamic method. You can have the dynamic method accept the array but initially set default values so you can easily handle and validate them. Example:

class AController
{
  public function dynamicMethod($params)
  {
    // Set default values but allow them to be overridden by $params
    $locals = array_merge(array(
      'name' => 'John Doe',
      'address' => 'Nowhere',
    ), $params);

    // Do stuffs and return result. Example:
    return array('nameAndAddress' => $locals['name'] . ' lives at ' . $locals['address']);
  }
}

You can also opt to use extract() to convert the name and address above into real local variables.

In your ajax handle:

$controller = new $className;
$result = $controller->$methodName($_POST['data']);
echo json_encode($result);

With all these said, please note that what @Sven is saying is correct. There are some security issues in your current approach.


1 Comment

Thanks Shiki! I found this solution: call_user_func_array(array($controller, $methodName), $_POST['data'])
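A hardened version of the dispatcher, added here as an example (it is not the asker's or Shiki's code), that applies @Sven's advice while still passing $_POST['data'] through as one argument the way the answer does. It assumes the application/controllers/<Name>Controller.php layout from the question and a hypothetical $allowed list naming the only methods the front end may call.

```php
<?php
// Hardened ajax_handle.php: an added example, not the asker's or the answer's code.
// Assumptions: controllers live in application/controllers/<Name>Controller.php and
// $allowed lists every controller method the front end may call (a hypothetical list).

function fail(int $status): void
{
    http_response_code($status);
    exit('Error');
}

$allowed = ['AController' => ['dynamicMethod']];   // explicit allow-list
if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
    fail(400);
}

// ASCII letters/digits only on both sides of one underscore, as @Sven suggests:
// this rejects "../", null bytes and anything else that is path- or syntax-relevant.
$req = (string)($_POST['req'] ?? '');
if (!preg_match('/^([A-Za-z][A-Za-z0-9]*)_([A-Za-z][A-Za-z0-9]*)$/', $req, $m)) {
    fail(400);
}
$className  = $m[1] . 'Controller';
$methodName = $m[2];

// Check the allow-list before touching the filesystem or instantiating anything,
// so only the methods you intend to expose are reachable, not every public one.
if (!in_array($methodName, $allowed[$className] ?? [], true)) {
    fail(403);
}

// Resolve the file with realpath() and confirm it sits inside the controllers directory.
$base = realpath(__DIR__ . '/application/controllers');
$file = realpath($base . '/' . $className . '.php');
if ($base === false || $file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
    fail(404);
}
require_once $file;

// Hand the data array over as one argument, as the answer does; the controller merges its defaults.
$data = $_POST['data'] ?? [];
if (!is_array($data)) {
    fail(400);
}
$controller = new $className();
$result = $controller->$methodName($data);
header('Content-Type: application/json');
echo json_encode($result);
```

The allow-list check runs before require_once, so a request naming a class or method that is not listed never reaches the filesystem, which is what keeps the dynamic dispatch from exposing every public method.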
