Solved

// SURPRISE! $tmpStudent->foo = 'UNWANTED INJECTION';

Posted on 2013-12-04
6
220 Views
Last Modified: 2013-12-05
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28309697.html#a39695372


What are the ways to prevent:
// SURPRISE!
$tmpStudent->foo = 'UNWANTED INJECTION';
0
Comment
Question by:rgb192
  • 3
  • 2
6 Comments
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 39695747
There is no way to prevent that injection from occurring.  But you can simply ignore any variables that you did not declare.  And if you declare your variables to be protected, you will not get an injection because PHP will prevent it.  See line 9, 17, and 22.

Outputs:
Fatal error:  Cannot access protected property Student::$age in /public_html/RAY_temp_rgb192.php on line 17

<?php // RAY_temp_rgb192.php
error_reporting(E_ALL);
echo '<pre>';

// SEE http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28310003.html

class Student{
 private $name;
 protected $age;
 public function __construct($name,$age){
   $this->name=$name;
   $this->age=$age;
   $this->sum=$name+$age;
 }
}
$tmpStudent=new Student("Mindi","22");
echo "Age : ". $tmpStudent->age;
echo "<br>Sum:".$tmpStudent->sum;

// SURPRISE!
$tmpStudent->foo = 'UNWANTED INJECTION';
$tmpStudent->age = 33;

// SHOW THE NEWLY DAMAGED OBJECT
var_dump($tmpStudent);

// SHOW THAT THE NEWLY INJECTED "AGE" HAS NOT BEEN USED IN THE COMPUTATION OF THE "SUM"
echo "<br>Sum:".$tmpStudent->sum;

Open in new window

HTH, ~Ray
0
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 250 total points
ID: 39696121
The __set magic method can help here, because it gets called whenever this is an attempt to modify the value of a property that is either undeclared or isn't normally accessible (e.g. a private property):

<?php
class InjectionProtection
{
    private $my_private_property;
    public $my_public_property;

    public function __set($name, $value)
    {
      throw new Exception("Trying to set a private or undeclared property: {$name}");
    }
}

$obj = new InjectionProtection;

try
{
	$obj->my_public_property = "foo"; // Allowed
	echo "Successfully set my_public_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

try
{
	$obj->my_private_property = "foo"; // Throws an exception
	echo "Successfully set my_private_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}
try
{
	$obj->my_undeclared_property = "foo"; // Throws an exception
	echo "Successfully set my_undeclared_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

?>

Open in new window


Should result in:
Successfully set my_public_property!
EXCEPTION: Trying to set a private or undeclared property: my_private_property
EXCEPTION: Trying to set a private or undeclared property: my_undeclared_property

Open in new window

0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 39696196
@gr8gonzo: Great call.  I had forgotten about that... Probably because I usually write my own get and set methods.  But it will definitely trap the disallowed settings.
0
Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

 

Author Comment

by:rgb192
ID: 39697364
I do not understand how the set magic method is being called because only a property is
being called
$obj->my_private_property = "foo";

and not a method
$obj->method();
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 39697374
Here are the relevant man pages; all of them need to be understood to get the concept:

http://php.net/__callstatic
http://php.net/manual/en/language.oop5.magic.php
http://php.net/manual/en/language.oop5.overloading.php#object.set

Executive summary: It's "magic" and not part of the regular language syntax.  You can decide for yourself whether it's good or not.
0
 

Author Closing Comment

by:rgb192
ID: 39700237
And thank you for explanation of magic methods
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question