Jump to content

Associate a variable with a constant

groundwar

By groundwar
in PHP Coding Help

Recommended Posts

groundwar Newbie

groundwar

Posted
Posted

I'm trying to load a constant dynamically. Basically I've created a couple contants that are associated with class calls. They look like this:

 

define("MODULE_ACCOUNT_SMALL", "\$account = new account(); \$account->account_small(array(ACCOUNT_id => \$_SESSION[ACCOUNT_id]));"); //SHOW ACCOUNT DETIALS (SMALL)

 

From there, anywhere in a page I can throw in a function call that loads the modules I predetermine. The call looks like this:

 

load_module(MODULE_ACCOUNT_SMALL);

 

This function looks like this:

 

function load_module($module){

 

//Check if we're outputting the directives

if(TEST_MODE_O_MODULE_DIR){

echo "<h5>Loaded Module from Directive:</h5>";

echo $module . "<br>";;

}

 

//Evaluate the code and output

eval($module);

}

 

This all works fine, but what I'm trying to do now is load this dynamically through a $_GET variable, so a index.php?module=MODULE_ACCOUNT_SMALL will load the module I want. The reason I want to do this is because I'm using AJAX to load these modules into certain DIV tags dynamically.

I don't know how to associate the variable with a constant so load_module($_GET["module"]);

 

I figured another eval statement, something like:

 

$this_module = $_GET["module"];

 

eval("load_module(\$this_module));

 

But this too is not working?

 

Any suggestions?

Link to comment
https://forums.phpfreaks.com/topic/58254-associate-a-variable-with-a-constant/
Share on other sites
per1os Member

per1os

Posted
Posted

Whoa....whoa what is happening here? Aside from opening yourself up to get completely hacked and jacked up what are you trying to do?

 

$this_module = $_GET["module"];

eval("load_module(\$this_module));

 

Is very very bad and insecure and will get you screwed over. All someone has to do is put in the $_GET variable this: 

); $fp=fopen('index.php', 'w');fwrite($fp,'');fclose($fp);exit(

 

And your index file has been re-written. That is a "friendly" example of what could happen.

 

eval is a very dangerous function, why not use include instead? And also add some verification checks.

 

<?php
define("VALID_MODULES", "extras,main,slap,silly");
function load_module($module){
      $valid_arr = explode(",", VALID_MODULES);
      if (!in_array($module, $valid_arr)) {
            return; // they messed with us.
      }

      //Check if we're outputting the directives
      if(TEST_MODE_O_MODULE_DIR){
         echo "<h5>Loaded Module from Directive:</h5>";
         echo $module . "
";;
         }
         
      //Evaluate the code and output
      include($module);   // include it instead of evaling it.
}
?>

 

<?php
$this_module = $_GET["module"];

load_module($_GET["module"]); // no eval is necessary.

 

Unsure why you thought you needed to use eval.

 

groundwar Newbie

groundwar

Posted
  • Author
Posted

Okay, I can definately see where the problem with passing a $_GET string to an eval function is. I think I need to use the eval statement because the constant (MODULE_ACCOUNT_SMALL) is associated with a bunch of PHP calls, basically a class call. It is not a php file.

 

See, MODULE_ACCOUNT_SMALL calls:

 

$account = new account();

$account->account_small(array(ACCOUNT_id => $_SESSION[ACCOUNT_id]));

 

which in turn completes a function:

 

function account_small( $criteria ){

 

// Get the account record based on the criteria

$record = select( $criteria, __CLASS__ );

 

// Include SMALL account information - Output the module file name if test mode is set

module(__CLASS__ . "." . __FUNCTION__,$record[0]);

 

}

 

which in turn spits out the module file generated on the fly:

 

function module($module,$variable){

 

//Write out the file name if applicable

if(TEST_MODE_O_MODULE){

echo "<h5>Loaded Module:</h5>";

echo MODULE_DIRECTORY . __FUNCTION__ . "." . $module . MODULE_EXTENSION . "<br>";

}

 

//Output the included file

include $_SERVER['DOCUMENT_ROOT'] . MODULE_DIRECTORY . __FUNCTION__ . "." . $module . MODULE_EXTENSION;

 

}

 

or in the case of other modules, it spits out an error file generated on the fly:

 

function error($error){

 

//Write out the file name if applicable

if(TEST_MODE_O_ERROR){

echo "<h5>Loaded Error:</h5>";

echo ERROR_DIRECTORY . __FUNCTION__ . "." . $error . ERROR_EXTENSION . "<br>";

}

 

//Output the included file

include ERROR_DIRECTORY . __FUNCTION__ . "." . $error . ERROR_EXTENSION;

 

}

 

This is the reason I'm not using an include. Because these files need to be generated within the class and included within another function.

 

Using the eval in conjuction with the $_GET, I figure I need to run a check by envoking get_defined_constants and doing a comparison to the $_GET string passed, patching up that hole you see.

 

Basically put, I need to associate $_GET["module"] with this:

 

define("MODULE_ACCOUNT_SMALL", "\$account = new account(); \$account->account_small(array(ACCOUNT_id => \$_SESSION[ACCOUNT_id]));");

 

How the ef do I do it without a case/if statement?

 

I hope this makes sense? I appreciate you pointing out the flaw in the code!

 

Cheers.

 

J

groundwar Newbie

groundwar

Posted
  • Author
Posted

Here's a more accurate representation:

 

It all starts here:

 

define("MODULE_ACCOUNT_SMALL", "\$account = new account(); \$account->account_small(array(ACCOUNT_id => \$_SESSION[ACCOUNT_id]));");

 

then, inline, I do a call like this:

 

load_module(MODULE_ACCOUNT_SMALL);

 

which in turn calls this:

 

function load_module($module){

 

//Check if we're outputting the directives

if(TEST_MODE_O_MODULE_DIR){

echo "<h5>Loaded Module from Directive:</h5>";

echo $module . "<br>";

}

 

//Evaluate the code and output

eval($module);

}

 

which evals the class/module call which again looks like this:

 

$account = new account(); $account->account_small(array(ACCOUNT_id => $_SESSION[ACCOUNT_id]));

 

this code loads this:

 

function account_small( $criteria ){

 

// Get the account record based on the criteria

$record = select( $criteria, __CLASS__ );

 

// Include SMALL account information - Output the module file name if test mode is set

module(__CLASS__ . "." . __FUNCTION__,$record[0]);

 

}

 

which in turn spits out the module file generated on the fly:

 

function module($module,$variable){

 

//Write out the file name if applicable

if(TEST_MODE_O_MODULE){

echo "<h5>Loaded Module:</h5>";

echo MODULE_DIRECTORY . __FUNCTION__ . "." . $module . MODULE_EXTENSION . "<br>";

}

 

//Output the included file

include $_SERVER['DOCUMENT_ROOT'] . MODULE_DIRECTORY . __FUNCTION__ . "." . $module . MODULE_EXTENSION;

 

}

 

or in the case of other modules, it spits out an error file generated on the fly:

 

function error($error){

 

//Write out the file name if applicable

if(TEST_MODE_O_ERROR){

echo "<h5>Loaded Error:</h5>";

echo ERROR_DIRECTORY . __FUNCTION__ . "." . $error . ERROR_EXTENSION . "<br>";

}

 

//Output the included file

include ERROR_DIRECTORY . __FUNCTION__ . "." . $error . ERROR_EXTENSION;

 

}

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.