
I have read that there may be a security risk with something like this:

Calling file:

<p><a href="'.plugin_dir_url( __FILE__ ).'form-add-edit.php?funct=add_edit_form">Add a Date</a></p>

Called file/function has this at the top:

<?php 
if ( $_GET['funct'] == 'add_edit_form' ) {
    add_edit_form();
} else {
    die;
}

function add_edit_form() {
etc.
?>

If a no-no, then what is the best practice? I considered jQuery/ajax but that doesn't seem any better.

UPDATE: The above was untested. This is what actually works, secure or not:

if ( isset($_GET['funct']) && $_GET['funct'] == 'add_edit_form' ) {
    add_edit_form();
} 
  • There is nothing inherently wrong with your example, the problem in the referenced post was that it could allow executing arbitrary code, but you're only allowing your specified functions so it's not an issue. But since you're doing that, you don't need to use the actual function name or call the parameter "funct", which can make it obvious what you're doing and invites troublemakers to try to abuse it. Typically you would call your parameter something generic like "action". What you have here is a rudimentary "controller", the approach is perfectly sound. Commented Jul 8, 2021 at 2:49
  • so, 'form-add-edit.php?action=add_edit_form' is semantically better? Commented Jul 8, 2021 at 3:23
  • IMO yes, but it's not that important. If it's the only action that form-add-edit.php performs, you could just do action=submit. Commented Jul 8, 2021 at 3:34
  • Why not just require_once the file containing the function and then call it where you want? Isn't it the point that you can embed PHP into HTML templates to generate the missing parts for the DOM? Commented Jul 8, 2021 at 5:42
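The allow-list "controller" that the first comment describes, written out as an added example (not code from the question or the answer). The generic action parameter, the list_dates action and the fixed map of action names to functions are assumptions for illustration; the user-supplied value is only ever used as a lookup key, never as a function name.

```php
<?php
// Added example (not from the question or answer): a small allow-list
// "controller" for the form-add-edit.php pattern discussed above.
// The request parameter is generic ("action"), and its value is only
// used as a key into a fixed map, never passed to call_user_func() or
// used to build a function name.

declare(strict_types=1);

function add_edit_form(): string {
    // Placeholder body; the real form rendering goes here.
    return '<form method="post">...add/edit date form...</form>';
}

function list_dates(): string {
    // Second assumed action, to show the map holding more than one entry.
    return '<ul><li>...dates...</li></ul>';
}

/**
 * Permitted action names mapped to the functions that implement them.
 * Anything not listed here is rejected.
 */
const ACTIONS = [
    'add_edit_form' => 'add_edit_form',
    'list'          => 'list_dates',
];

/**
 * Resolve the requested action. Returns [HTTP status, response body].
 * The "?? null" covers the missing-parameter case the question's UPDATE
 * guarded with isset().
 */
function dispatch(array $query): array {
    $action = $query['action'] ?? null;
    if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
        // Unknown or missing action: refuse, and do not echo the raw
        // value back into the page.
        return [400, 'Unknown action'];
    }
    return [200, (ACTIONS[$action])()];
}

[$status, $body] = dispatch($_GET);
http_response_code($status);
echo $body;
```

Run from the CLI, $_GET is empty and the script answers 400; a request for form-add-edit.php?action=add_edit_form returns the form, and any other action value is refused before anything is executed.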

1 Answer


When done right, it can be a way to avoid routing for web applications. I've implemented this scheme for my application, but I cannot recommend this approach for web sites since the URLs will not be SEO friendly.

As others point out, the danger lies in allowing anybody to execute arbitrary code on your machine. To avoid that, you'll need to sanitise the input first. It can be done with Reflection, for allowing only one type of class to be executed, with only scalar parameters.

A big disadvantage of the approach is that Reflection is relatively slow, so the number of routes (to functions) needs to be rather large before this scheme pays off in terms of performance. There are other disadvantages, for example when you want to have breadcrumbs you still need to have a hierarchical map of the classes and functions, which makes the choice for traditional routing more obvious.
