What are some modern ways to instantiate classes for polymorphism?


dennis-fedco

Is this an acceptable way to instantiate classes?

//$_SESSION['product'] = {'ProductA', 'ProductB', ... 'ProductX'} 

$p = new $_SESSION['product']();

$p->save();

I am usually used to calling out classes explicitly where class name is not a variable but a hardcoded string. Sometimes I use if/then/else in order to do this. Here it is a variable and it bothers me a little bit. But PHP allows me to do this.

Is this an acceptable latest & greatest modern PHP object oriented web technology technique or not?


Unless you restrict the possible classes, this is a gigantic security vulnerability. The session values are not reliable and may have been injected by the user (this shouldn't happen in a properly written application, but it does). If you let your users instantiate arbitrary classes and call their methods, you're in deep trouble.

 

So, no, you can't just put the new operator in front of some input parameter. You need to actually check the class name before you create an instance.

Edited by Jacques1
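
One way to restrict the possible classes before calling `new`, as an added example that is not part of the original thread. `ProductFactory`, the `Product` interface and the string return value of `save()` are hypothetical names chosen for illustration; the `mixed` type requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

interface Product
{
    public function save(): string;
}

final class ProductA implements Product
{
    public function save(): string { return 'ProductA saved'; }
}

final class ProductB implements Product
{
    public function save(): string { return 'ProductB saved'; }
}

// Hypothetical factory: the only place where an external name becomes a class.
final class ProductFactory
{
    // Allowlist: external key => class. Anything not listed here is rejected.
    private const MAP = [
        'ProductA' => ProductA::class,
        'ProductB' => ProductB::class,
    ];

    public static function create(mixed $name): Product
    {
        // Reject non-strings (arrays, null, objects) before the key lookup.
        if (!is_string($name) || !array_key_exists($name, self::MAP)) {
            throw new InvalidArgumentException('Unknown product type');
        }
        $class = self::MAP[$name]; // class name comes from our constant, not from input
        return new $class();       // return type enforces the Product interface
    }
}

// Constructed sample inputs standing in for $_SESSION['product'].
foreach (['ProductA', 'ProductB', 'stdClass', ['ProductA'], null] as $input) {
    try {
        echo ProductFactory::create($input)->save(), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($input), PHP_EOL;
    }
}
```

The session value is only ever used as a lookup key, so a class that exists in the application but is not in the map (here `stdClass`) is refused like any other unknown value.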