douba1067 2016-09-24 02:43
Views: 21

Getting the connection variable into a class method called from a submitted form

I have a problem getting the connection variable in order to open a database connection.

This is my code in HTML:

 <form action="password.php" method="post">
     <div class="form-group">
         <input type="password" class="form-control" name="current" placeholder="Contraseña Actual..." />
     </div>
     <div class="form-group">
         <input type="password" class="form-control" name="new" placeholder="Nueva Contraseña..." />
     </div>
     <div class="form-group">
         <input type="password" class="form-control" name="confirm" placeholder="Repetir Nueva Contraseña..." />
     </div>
     <div class="modal-footer">
         <input type="hidden" name="q" value="proofQueries">
         <button type="button" class="btn btn-default" data-dismiss="modal">Cerrar</button>
         <button type="submit" class="btn btn-primary"><i class="fa fa-plus"></i> Cambiar</button>
     </div>
 </form>

And this is the code of my PHP class:

$settings = new Datasettings();

require_once('../config.php'); // file with the PDO connection class
$conexion = new Conexion();


if(isset($_POST['q'])){ // take the method name from the HTML form and call that method on this class
    // PHP 5 parses $settings->$_POST['q'](...) this way; on PHP 7+ the braces are required
    $settings->{$_POST['q']}($conexion);
}

class Datasettings {

    function __construct(){
        session_start();
        if(!isset($_SESSION['id'])){

            header('location:mystyle.css');
            exit; // stop here, otherwise the script keeps running after the redirect header

        }
    }

    function proofQueries($conexion){
    }


    ... other functions....
}

Could I change the way I call the function? How could I do it?


1 answer

  • doulang2311 2016-11-27 15:20

    I assume by this code:

    if(isset($_POST['q'])){ // get the name from html form for go to a function of this class
      $settings->$_POST['q']($conexion);
    }
    

    and by submitting the hidden form field called q with the value proofQueries, you are trying to call $settings->proofQueries($conexion). This is an extremely bad idea.

    You are effectively executing code that comes directly from client side, which is a HUGE vulnerability risk.

    It seems like a strange approach to begin with to specify the function client side and then execute it in PHP (i.e. server side). Why specify the q value at all, instead of just explicitly calling $settings->proofQueries($conexion) in PHP?

    If you somehow must specify the function to be called client side, do something like this:

    if(isset($_POST['q'])){ // get member function from submitted form
      $f = $_POST['q'];
      if ($f=='proofQueries') {
        $settings->proofQueries($conexion);
      }
      else {
        die("Nope");
      }
    }
    

    Or if you have multiple possible functions, explicitly filter them with a whitelist to make absolutely 100% sure that ONLY the function names you decide can be called:

    if(isset($_POST['q'])){ // get member function from submitted form
      $f = $_POST['q'];
      $allowedFunctions = array('proofQueries','doSomething','otherFunction');
      if (in_array($f,$allowedFunctions)) {
        $settings->$f($conexion);
      }
      else {
        die("Nope");
      }
    }
    

    But again, it seems like a strange approach altogether. You should not specify server-side implementation details from the client side.

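The answer above explains the risk in prose; the following script, added here as an illustration and not taken from the question or the answer, puts the asker's dispatch pattern next to an allowlisted version and drives both from the command line with constructed POST arrays. Conexion and Datasettings are stand-ins for the asker's classes, and wipeUsers() is a hypothetical method that exists only to show which methods the original dispatcher makes reachable from the form.

```php
<?php
// Added example, not code from the original post or its answer. It models the
// asker's dispatch ($settings->$_POST['q']($conexion)) next to an allowlisted
// version and runs both on constructed POST arrays from the CLI. Conexion and
// Datasettings are stand-ins for the asker's classes; wipeUsers() is a
// hypothetical method that merely shows what becomes reachable.

class Conexion {}  // stand-in for the PDO wrapper from ../config.php

class Datasettings {
    /** @var string[] names of the methods that ran, recorded for the demo */
    public array $calls = [];

    // The one method the password form is meant to reach.
    public function proofQueries(Conexion $c): void {
        $this->calls[] = 'proofQueries';
    }

    // Hypothetical maintenance method living in the same class. Nothing in the
    // asker's dispatcher stops a tampered form from naming it.
    public function wipeUsers(Conexion $c): void {
        $this->calls[] = 'wipeUsers';
    }
}

// As written in the question: the request body chooses the method. The braces
// are the PHP 7+ spelling of PHP 5's $settings->$_POST['q']().
function dispatchUnsafe(Datasettings $s, Conexion $c, array $post): void {
    if (isset($post['q'])) {
        $s->{$post['q']}($c);
    }
}

// Hardened: the client sends an action label; only this table decides which
// method runs, and an unknown label executes nothing at all.
const ACTIONS = [
    'proofQueries' => 'proofQueries',
];

function dispatchSafe(Datasettings $s, Conexion $c, array $post): bool {
    $q = $post['q'] ?? null;
    // q[]=x arrives as an array, so check the type before the lookup
    if (!is_string($q) || !array_key_exists($q, ACTIONS)) {
        return false;  // caller should answer 400 and log the attempt
    }
    $method = ACTIONS[$q];
    $s->$method($c);
    return true;
}

$c = new Conexion();

// The request the form is designed to send.
$s = new Datasettings();
dispatchUnsafe($s, $c, ['q' => 'proofQueries']);
printf("unsafe, expected q : %s\n", implode(',', $s->calls));

// The same endpoint with the hidden field edited in the browser's dev tools
// (constructed request; any public method name works here).
$s = new Datasettings();
dispatchUnsafe($s, $c, ['q' => 'wipeUsers']);
printf("unsafe, tampered q : %s\n", implode(',', $s->calls));

// Allowlisted dispatcher: the tampered value is rejected before any call.
$s = new Datasettings();
$ok = dispatchSafe($s, $c, ['q' => 'wipeUsers']);
printf("safe, tampered q   : accepted=%s calls=%s\n", var_export($ok, true), implode(',', $s->calls));

$s = new Datasettings();
$ok = dispatchSafe($s, $c, ['q' => 'proofQueries']);
printf("safe, expected q   : accepted=%s calls=%s\n", var_export($ok, true), implode(',', $s->calls));
```

The allowlist is a map rather than a bare list so that the value the client sends never has to equal a real method name; renaming a method on the server then only changes the table, and the form keeps sending an opaque label that means nothing outside that table.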
