Liquid Fire Posted January 29, 2008 Share Posted January 29, 2008 is there any security reason not to add variables to a object dynamically? I mean I know it is not the best thing to do but itis the best way to do something here? Quote Link to comment Share on other sites More sharing options...
Highlander Posted January 30, 2008 Share Posted January 30, 2008 look at __get() and __set() for classes http://se.php.net/manual/en/language.oop5.overloading.php Quote Link to comment Share on other sites More sharing options...
Liquid Fire Posted January 30, 2008 Author Share Posted January 30, 2008 not to sound rude or anything but that has nothing to do with my question. I know all about get and set methods. I have a variable I wanted to link to a object but it is not something that I want to add to the class itself because it is something that could be linked to any object and something that it not very common to have linked to it. I want just asking that if there was a security reason not to. I mean i can't think of one but was just asking. Quote Link to comment Share on other sites More sharing options...
trq Posted January 30, 2008 Share Posted January 30, 2008 Can you give a simple example? Quote Link to comment Share on other sites More sharing options...
Liquid Fire Posted January 30, 2008 Author Share Posted January 30, 2008 foreach($companies as $key => $company) { $mvc_link = $this->url_helper->get_mvc_link('site', 'company_redirect', array($company->get_id())); $companies[$key]->set_mvc_link($mvc_link); } Now mvc_link is not a member of company but this works because I can add variables dynamically. is their any security issue with this? Quote Link to comment Share on other sites More sharing options...
Liquid Fire Posted January 30, 2008 Author Share Posted January 30, 2008 Also would their be a performance hit? Quote Link to comment Share on other sites More sharing options...
deadimp Posted February 4, 2008 Share Posted February 4, 2008 I guess it would depend on the security that you impose on the devices that control these objects. [Heh, that sounded fancy] It boils down to context. There's places where it wouldn't much matter, and others where it could possibly kill the script/system. If you are careful and sanitize and limit the user's input there shouldn't be a problem. If you haphazardly sling together code into some sort of spaghetti-structured mess, you'll be in for a ride. Example of insecure code: <form action='this.php' method='post'> <input type='text' name='name' value='Bob><br> <input type='text' name='age' value='82'> </form> <? //Data class User { var $name, $age, $pass, $level; function __construct(...) { } function update() { ... Update user info in database ... } } $bob=new User('Bob',82,'flapjacks',User::Common); //Let's say User::Common==1, User::Admin==3 //Processing input foreach ($_POST as $var => $value) { $bob->$var=$value; } $bob->update(); ?> Seems harmless, until someone comes along and injects some HTML in your form, say something like "<input type='text' name='level' value='3'>" and has it process it. As for efficiency, once again, it depends. I doubt it'll be too much of a burden unless you decide to use variable variables the whole time, but even then it shouldn't be that bad. PHP is designed to be a dynamic language. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.