Re: pass arbitrary vars into a func from another func? [message #177524 is a reply to message #177518]
Fri, 06 April 2012 09:51
Erwin Moller
On 4/4/2012 10:58 PM, Thomas Mlynarczyk wrote:
> J. Frank Parnell schrieb:
>
>> function echoToVar($func,$args = array()){
>>     ob_start();
>>     $func($args);
>>     $ret= ob_get_contents();
>>     ob_end_clean();
>>     return $ret;
>> }
>>
>> but i'm not sure how to get the args into the variable func.
>
> You want <www.php.net/call-user-func-array>:
>
> function echoToVar( $func, array $args = array() )
> {
>     ob_start();
>     call_user_func_array( $func, $args );
>     $ret = ob_get_contents();
>     ob_end_clean();
>     return $ret;
> }
>
> Greetings,
> Thomas
>
A little warning to Mr. Parnell, the original poster, concerning
call_user_func_array:
The above solution is good, but be sure you always know where your data
comes from, in this case the value for $func and $args.
If they MIGHT come from a user (via the web, or some other means), and
the values are unchecked, they might as well contain function names and
arguments that might cause trouble in your application.
If somebody knows anything about your software, or guesses some
function names, they might cause harm if their commands can be executed
without check via call_user_func_array().
In that sense call_user_func_array() suffers the same problems as
eval(), but to a lesser extent.
In case you (the programmer) are always delivering the values for the
function names, don't worry.
In case you have reason to distrust, take additional measures, like a
whitelist of functions.
Regards,
Erwin Moller
--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
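
An added example, not part of the original post or thread: one way to put the whitelist suggested above in front of call_user_func_array() in Thomas's echoToVar(). The names ALLOWED_FUNCS, echoToVarChecked, renderGreeting and renderTotal are hypothetical, and the sample input at the bottom is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical render helpers for this example; not from the thread.
function renderGreeting(string $name): void
{
    echo 'Hello, ', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), '!';
}

function renderTotal(int $a, int $b): void
{
    echo 'Total: ', $a + $b;
}

// Whitelist: key a caller may send => function the programmer chose.
const ALLOWED_FUNCS = [
    'greeting' => 'renderGreeting',
    'total'    => 'renderTotal',
];

function echoToVarChecked($key, array $args = []): string
{
    // Only plain strings that are keys of the whitelist are accepted, so
    // array callables, "Class::method" strings and built-ins are refused.
    if (!is_string($key) || !array_key_exists($key, ALLOWED_FUNCS)) {
        throw new InvalidArgumentException('Function not allowed');
    }
    ob_start();
    try {
        // array_values() drops caller-chosen string keys, which PHP 8
        // would otherwise treat as named arguments.
        call_user_func_array(ALLOWED_FUNCS[$key], array_values($args));
        return (string) ob_get_contents();
    } finally {
        ob_end_clean(); // always close the buffer, even on exceptions
    }
}

// Constructed sample input standing in for request data.
echo echoToVarChecked('greeting', ['<b>Frank</b>']), "\n";
echo echoToVarChecked('total', [2, 3]), "\n";
try {
    echoToVarChecked('phpinfo', []); // a real function, but not listed
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The caller-supplied value is only ever used as a lookup key, never as the callable itself, so adding a function to the application does not make it reachable until it is listed.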