I have the following piece of PHP code:
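    class test {
        function print_number() {
            echo 5;
        }
    }

    $myclass = new test();
    // Method name is taken directly from the query string (?f=...)
    $methodname = $_GET['f'];
    // Dynamic method call on the object
    $myclass->$methodname();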
It outputs 5 when executed with f as print_number. Is this a secure thing to do? Can changing the value of $methodname cause arbitrary code execution? Is it possible, for example, to force a phpinfo() or eval() by changing the value of $methodname? Or am I safe?
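
A dynamic call like `$myclass->$methodname()` made from outside the class will invoke any public method the object exposes, so one way to constrain it is an explicit allowlist checked before the call. The following is an added example, not part of the original question; the class `Report`, its `delete_all()` method, the `ALLOWED` constant and the `dispatch()` helper are hypothetical names, and the `mixed` type assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical class standing in for the question's `test` class.
final class Report
{
    public function print_number(): string
    {
        return '5';
    }

    // Public, but never meant to be selectable from a request parameter.
    public function delete_all(): string
    {
        return 'deleted';
    }
}

// Explicit allowlist of method names a request may select.
const ALLOWED = ['print_number'];

/**
 * Resolve a request-supplied name to a method call.
 * Returns null when the name is rejected. $requested is mixed because
 * a query string such as ?f[]=x makes $_GET['f'] an array, and a
 * missing parameter yields null.
 */
function dispatch(object $target, mixed $requested): ?string
{
    if (!is_string($requested)) {
        return null; // array or missing parameter
    }
    // Strict, exact-match lookup: anything not listed is refused,
    // including other public methods that exist on the object.
    if (!in_array($requested, ALLOWED, true)) {
        return null;
    }
    return $target->$requested();
}

// Constructed inputs simulating values of $_GET['f'].
$samples = ['print_number', 'delete_all', 'phpinfo', '__construct', ['x'], null];
foreach ($samples as $input) {
    $result = dispatch(new Report(), $input);
    printf("%-16s => %s\n", json_encode($input), $result ?? 'rejected');
}
```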