
What are some modern ways to instantiate classes for polymorphism?


dennis-fedco


Is this an acceptable way to instantiate classes?

//$_SESSION['product'] = {'ProductA', 'ProductB', ... 'ProductX'} 

$p = new $_SESSION['product']();

$p->save();

I am usually used to calling out classes explicitly, where the class name is not a variable but a hardcoded string. Sometimes I use if/then/else in order to do this. Here it is a variable and it bothers me a little bit. But PHP allows me to do this.

Is this an acceptable latest & greatest modern PHP object oriented web technology technique or not?

Unless you restrict the possible classes, this is a gigantic security vulnerability. The session values are not reliable and may have been injected by the user (this shouldn't happen in a properly written application, but it does). If you let your users instantiate arbitrary classes and call their methods, you're in deep trouble.

 

So, no, you can't just put the new operator in front of some input parameter. You need to actually check the class name before you create an instance.
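
One way to do the check described in the reply above, added here as an example that is not part of the original posts. The `Product` interface, the `createProduct()` helper and the class bodies are hypothetical (the thread only names `ProductA` ... `ProductX`), and the `mixed` type assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical product classes for this example; the thread only names ProductA..ProductX.
interface Product
{
    public function save(): string;
}

final class ProductA implements Product
{
    public function save(): string { return 'saved ProductA'; }
}

final class ProductB implements Product
{
    public function save(): string { return 'saved ProductB'; }
}

/**
 * Map an untrusted key to a class from a fixed allowlist.
 * The input never reaches `new`; only a hardcoded class name does.
 */
function createProduct(mixed $key): Product
{
    // Keys are the values the session may legitimately hold,
    // values are class names written out in the source.
    $allowed = [
        'ProductA' => ProductA::class,
        'ProductB' => ProductB::class,
    ];

    // Strict, case-sensitive lookup; non-string input is rejected before the lookup.
    if (!is_string($key) || !array_key_exists($key, $allowed)) {
        throw new InvalidArgumentException('Unknown product type');
    }

    $class = $allowed[$key];
    return new $class();
}

// Constructed sample inputs standing in for $_SESSION['product'].
foreach (['ProductA', 'ArrayObject', 'productb', ['ProductA']] as $input) {
    try {
        echo createProduct($input)->save(), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($input), PHP_EOL;
    }
}
```

Only the first input is instantiated. A built-in class name, a differently cased name and a non-string value are all rejected, because the lookup is against the hardcoded keys rather than against whatever classes PHP can resolve.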

Archived

This topic is now archived and is closed to further replies.
