
Not to sound rude or anything, but that has nothing to do with my question. I know all about get and set methods. I have a variable I wanted to link to an object, but it is not something that I want to add to the class itself, because it is something that could be linked to any object and something that is not very common to have linked to it. I was just asking whether there was a security reason not to. I mean, I can't think of one, but was just asking.

foreach ($companies as $key => $company)
{
    $mvc_link = $this->url_helper->get_mvc_link('site', 'company_redirect', array($company->get_id()));
    $companies[$key]->set_mvc_link($mvc_link);
}


Now mvc_link is not a member of company, but this works because I can add variables dynamically. Is there any security issue with this?

I guess it would depend on the security that you impose on the devices that control these objects. [Heh, that sounded fancy]

It boils down to context. There's places where it wouldn't much matter, and others where it could possibly kill the script/system.

If you are careful and sanitize and limit the user's input there shouldn't be a problem. If you haphazardly sling together code into some sort of spaghetti-structured mess, you'll be in for a ride.


Example of insecure code:

<form action='this.php' method='post'>
<input type='text' name='name' value='Bob'><br>
<input type='text' name='age' value='82'>
</form>
<?php
//Data
class User {
    const Common = 1; //Let's say User::Common==1, User::Admin==3
    const Admin = 3;
    var $name, $age, $pass, $level;
    function __construct($name, $age, $pass, $level) {
        $this->name = $name;
        $this->age = $age;
        $this->pass = $pass;
        $this->level = $level;
    }
    function update() { /* ... Update user info in database ... */ }
}
$bob = new User('Bob', 82, 'flapjacks', User::Common);
//Processing input: every POST key becomes a property write on $bob
foreach ($_POST as $var => $value) {
    $bob->$var = $value;
}
$bob->update();
?>

Seems harmless, until someone comes along and injects some HTML in your form, say something like "<input type='text' name='level' value='3'>" and has it process it.


As for efficiency, once again, it depends. I doubt it'll be too much of a burden unless you decide to use variable variables the whole time, but even then it shouldn't be that bad. PHP is designed to be a dynamic language.
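The mass-assignment problem in the reply above, shown as an added example (not code from the original thread): the unchecked loop beside a version that only copies an explicit allow-list of fields. The User class and field names follow the thread's snippet; the $post array stands in for a constructed request and is not real form input.

```php
<?php
// Added example: mass assignment from request data, unchecked vs. allow-listed.
// Constructed for illustration; not part of the original forum post.

class User {
    const COMMON = 1;
    const ADMIN  = 3;
    public $name, $age, $pass, $level;

    public function __construct($name, $age, $pass, $level) {
        $this->name  = $name;
        $this->age   = $age;
        $this->pass  = $pass;
        $this->level = $level;
    }
}

// Constructed request: the two expected form fields plus an extra key the
// form never rendered. In a real script this would be $_POST.
$post = array('name' => 'Bob', 'age' => '83', 'level' => '3');

// Vulnerable: every request key becomes a property write, so any public
// property, including 'level' and 'pass', can be overwritten from outside.
function apply_unchecked(User $u, array $post) {
    foreach ($post as $var => $value) {
        $u->$var = $value;
    }
}

// Hardened: only the fields this form is meant to edit are writable, and each
// value is validated before assignment. Unknown keys are ignored; logging them
// is a cheap way to spot tampering attempts.
function apply_allowlisted(User $u, array $post) {
    $writable = array('name', 'age');   // deliberately excludes 'pass' and 'level'
    foreach ($writable as $field) {
        if (!array_key_exists($field, $post)) {
            continue;
        }
        $value = $post[$field];
        if ($field === 'age' && !ctype_digit((string) $value)) {
            continue;                   // reject a non-numeric age
        }
        $u->$field = $value;
    }
}

$bob = new User('Bob', 82, 'flapjacks', User::COMMON);
apply_unchecked($bob, $post);
echo "unchecked: level=" . $bob->level . "\n";

$bob = new User('Bob', 82, 'flapjacks', User::COMMON);
apply_allowlisted($bob, $post);
echo "allow-listed: level=" . $bob->level . "\n";
```

Running it shows the unchecked version promoting Bob to the Admin level while the allow-listed version leaves it at Common. The same allow-list idea applies to the OP's dynamic properties: deciding in code which names may be set is what matters, not whether the property was declared in the class.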
