
Is this class unsafe to use in my public PHP-scripts?

I have no idea if it's safe to use or not, so I have to ask you.

    class Requests {
        private $type;
        public function __construct($type='') {
            $this->type = strtolower($type);
            $this->createObject();
        }
        private function createObject() {
            switch($this->type) {
                case 'post':
                    $arr = $_POST;
                    break;
                case 'get':
                    $arr = $_GET;
                    break;
                default:
                    $arr = array_merge($_POST, $_GET); // on a key collision the $_GET value wins
            }
            foreach ($arr as $key => $value) {
                $this->$key = $value; // creates one public property per request key; a submitted key named "type" overwrites $this->type
            }
        }
    }

Haha, I'm not able to explain how this code works in plain English, but I can explain it with the following example:

    $post = new Requests('post'); // makes every $_POST variable available as an attribute of $post

    /*
    Say the variables stored in $_POST are the following:
    key1 => value1
    key2 => value2
    key3 => value4
    key4 => value3
    */

    echo $post->key1; // prints "value1"
    echo $post->key2; // prints "value2"
    echo $post->key3; // prints "value4"
    echo $post->key4; // prints "value3"

I need to know if this code is (un)safe to use in my public PHP-scripts, as I think it's easier than always doing this:
    $var1 = $_POST['key1']; // so that $var1 = value1

Mar 15 '11 #1
code green
1,726 Expert 1GB
Well it is safe because it will not work.
Have you tested this? What do you hope it does?
Mar 15 '11 #2
Dormilich
8,658 Expert Mod 8TB
it’s not unsafe per se, it’s just overcomplicating things. it is indeed way more simple to just use the superglobals or a union of them ($input = $_GET + $_POST; // or $_POST + $_GET, depending on which should have precedence) (superglobals are always an array, which might be just empty)
Mar 15 '11 #3
@green: Yes, it works.

@Dormi: In what way is it overcomplicating things?
Mar 15 '11 #4
Dormilich
8,658 Expert Mod 8TB
it is overcomplicating in that way, as you have to be aware of scope. while $_GET & $_POST are available everywhere in your script (they are superglobals, after all) any variable (be it a scalar or object) adheres to PHP’s scope rules (a variable is only visible inside the scope it was defined in). thus to use $post->key you first have to define $post, and that in every different scope (e.g. in every function you need it).

this becomes less of a problem, if the object does more than just fetching the data (e.g. validating the data).
Mar 15 '11 #5
dgreenhouse
250 Expert 100+
I'd say it could be very unsafe if you don't sanitize the data before you use it.

See:

SQL injection attacks:
http://php.net/manual/en/security.da...-injection.php

PHP code injection attacks:
http://www.theserverpages.com/articl...Explained.html

And yes...

It's a bit overcomplicated, unless you include data sanitizing and validation within the class...
There are also other ways of determining the type of request - POST or REQUEST.
Mar 15 '11 #6
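As an added example (this is not code from the thread, and the class names, the validator schema and the sample input are my own), the following PHP script shows the two points the replies make: first, that the posted pattern of copying every request key onto `$this` lets the client set arbitrary properties, including the private `$type`; second, what Dormilich and dgreenhouse suggest instead, a wrapper that only reads the fields it declares, validates each one, and still hands values to the database as bound parameters rather than by string concatenation. The request data is passed in as a constructed array standing in for `$_POST`, so the script runs from the CLI, and the database is an in-memory SQLite connection, which assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not code from the thread. Constructed input arrays stand in
// for $_POST so the script runs offline from the command line.
declare(strict_types=1);

// 1. The hazard in the posted class: every submitted key becomes a property.
#[\AllowDynamicProperties] // silences the PHP 8.2+ deprecation of dynamic properties
class LooseRequest
{
    private string $type;

    public function __construct(string $type, array $source)
    {
        $this->type = strtolower($type);
        foreach ($source as $key => $value) {
            $this->$key = $value; // a submitted key named "type" clobbers the private property
        }
    }

    public function type(): string { return $this->type; }
}

// 2. Hardened variant: only declared fields are read, each through a validator,
//    and values live in a private array instead of client-chosen property names.
final class SafeRequest
{
    /** @var array<string, mixed> validated values keyed by field name */
    private array $data = [];

    /**
     * @param array<string, callable> $schema field => validator returning the cleaned value or null
     * @param array<string, mixed>    $source normally $_POST or $_GET; injected here for testability
     */
    public function __construct(array $schema, array $source)
    {
        foreach ($schema as $field => $validate) {
            if (!isset($source[$field]) || !is_string($source[$field])) {
                continue; // missing, null or non-scalar input: the field stays absent
            }
            $clean = $validate($source[$field]);
            if ($clean !== null) {
                $this->data[$field] = $clean;
            }
        }
    }

    public function get(string $field, mixed $default = null): mixed
    {
        return $this->data[$field] ?? $default;
    }

    public function has(string $field): bool
    {
        return array_key_exists($field, $this->data);
    }
}

// Constructed sample input (not real request data) standing in for $_POST.
$submitted = [
    'username' => 'alice',
    'user_id'  => '42; DROP TABLE users', // hostile value for an integer field
    'type'     => 'get',                  // tries to overwrite the private property
    'isAdmin'  => '1',                    // tries to add a property the code never declared
];

$loose = new LooseRequest('post', $submitted);
var_dump($loose->type());         // string(3) "get"  -> private state overwritten by the client
var_dump(isset($loose->isAdmin)); // bool(true)      -> attacker-chosen property now exists

$schema = [
    'username' => fn(string $v) => preg_match('/^[a-z0-9_]{3,32}$/', $v) ? $v : null,
    'user_id'  => fn(string $v) => filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) ?: null,
];
$safe = new SafeRequest($schema, $submitted);
var_dump($safe->get('username')); // string(5) "alice"
var_dump($safe->has('user_id'));  // bool(false) -> "42; DROP TABLE users" rejected
var_dump($safe->has('isAdmin'));  // bool(false) -> undeclared field never read

// 3. Even validated values reach SQL only as bound parameters.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (42, 'alice')");

$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => $safe->get('user_id', 0)]); // 0 here: the hostile value was rejected
var_dump($stmt->fetchColumn());   // bool(false) -> no row, and no injected SQL executed
```

The validators return `null` for anything they reject, so a field that fails validation simply does not exist on the object; callers test `has()` rather than inspecting raw strings. If the default branch of the original class is wanted (POST and GET combined), build the source as `$_POST + $_GET` to give POST precedence, or `$_GET + $_POST` for the opposite, and pass that array in; the validation step is unchanged.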