// SURPRISE! $tmpStudent->foo = 'UNWANTED INJECTION';

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28309697.html#a39695372


What are the ways to prevent:
// SURPRISE!
$tmpStudent->foo = 'UNWANTED INJECTION';
rgb192 Asked:
Ray Paseur Commented:
There is no way to prevent that injection from occurring.  But you can simply ignore any variables that you did not declare.  And if you declare your variables to be protected, you will not get an injection because PHP will prevent it.  See lines 9, 17, and 22.

Outputs:
Fatal error:  Cannot access protected property Student::$age in /public_html/RAY_temp_rgb192.php on line 17

<?php // RAY_temp_rgb192.php
error_reporting(E_ALL);
echo '<pre>';

// SEE http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28310003.html

class Student{
 private $name;
 protected $age;   // LINE 9 OF THE ORIGINAL LISTING: PROTECTED, SO IT CANNOT BE READ OR WRITTEN FROM OUTSIDE THE CLASS
 public function __construct($name,$age){
   $this->name=$name;
   $this->age=$age;
   $this->sum=$name+$age;   // "sum" IS NOT DECLARED, SO THIS CREATES A PUBLIC DYNAMIC PROPERTY
 }
}
$tmpStudent=new Student("Mindi","22");
echo "Age : ". $tmpStudent->age;   // LINE 17 OF THE ORIGINAL LISTING: THIS IS WHERE THE FATAL ERROR IS RAISED
echo "<br>Sum:".$tmpStudent->sum;

// SURPRISE!
$tmpStudent->foo = 'UNWANTED INJECTION';
$tmpStudent->age = 33;   // LINE 22 OF THE ORIGINAL LISTING: ALSO BLOCKED BY THE PROTECTED VISIBILITY

// SHOW THE NEWLY DAMAGED OBJECT
var_dump($tmpStudent);

// SHOW THAT THE NEWLY INJECTED "AGE" HAS NOT BEEN USED IN THE COMPUTATION OF THE "SUM"
echo "<br>Sum:".$tmpStudent->sum;


HTH, ~Ray
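The following is an added example, not code posted in this thread. It shows the way an "unwanted injection" usually arrives in practice, an object populated from untrusted key/value input such as a decoded request body, and applies Ray's advice of ignoring anything that was not declared. The class, field names and input array are constructed for illustration, and PHP 7.4 or later is assumed for typed properties.

```php
<?php
// Added example, not code from the thread above. The Student class, its fields
// and the $input array are constructed for illustration. Requires PHP 7.4+.
declare(strict_types=1);

final class Student
{
    private string $name = '';
    protected int $age = 0;
    private bool $isAdmin = false;   // declared, but must never be settable from input

    /**
     * Build a Student from untrusted data (e.g. json_decode($body, true)).
     * Only an explicit allowlist of fields is honoured; everything else is
     * dropped and reported. Undeclared names and declared-but-privileged names
     * are treated the same way, because "declared" is not the same as
     * "safe for the client to write".
     */
    public static function fromInput(array $input, array &$ignored = []): self
    {
        $student = new self();
        foreach ($input as $key => $value) {
            $key = (string) $key;   // avoid loose int/string comparison in switch
            switch ($key) {
                case 'name':
                    if (!is_string($value) || $value === '' || strlen($value) > 100) {
                        throw new InvalidArgumentException('name must be a non-empty string of at most 100 bytes');
                    }
                    $student->name = $value;
                    break;
                case 'age':
                    $age = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 150]]);
                    if ($age === false) {
                        throw new InvalidArgumentException('age must be an integer between 0 and 150');
                    }
                    $student->age = $age;
                    break;
                default:
                    $ignored[] = $key;   // "foo", "isAdmin", anything unexpected
            }
        }
        return $student;
    }

    public function isAdmin(): bool { return $this->isAdmin; }
}

// Constructed input standing in for a decoded request body.
$input = ['name' => 'Mindi', 'age' => '22', 'foo' => 'UNWANTED INJECTION', 'isAdmin' => true];

$ignored = [];
$student = Student::fromInput($input, $ignored);
var_dump($student);
echo 'ignored: ', implode(', ', $ignored), "\n";

// Visibility still stops a direct write to a declared protected/private member
// from outside the class. In PHP 7+ this is a thrown Error, so it can be caught.
try {
    $student->age = 33;
} catch (Error $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}

// Visibility does nothing for a name that was never declared: this write
// succeeds and creates a public dynamic property (PHP 8.2+ also emits a
// deprecation notice for it). That gap is what the allowlist above, or a
// __set() guard, has to close.
$student->foo = 'UNWANTED INJECTION';
var_dump(isset($student->foo));
```

Run as written, fromInput() returns a Student with only name and age populated, $ignored holds foo and isAdmin, and isAdmin() stays false even though the input asked for it. The direct write to $age is refused with "Cannot access protected property Student::$age", while the write to $foo goes through, which is exactly the half of the problem that visibility alone cannot solve.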
gr8gonzo (Consultant) Commented:
The __set magic method can help here, because it gets called whenever there is an attempt to modify the value of a property that is either undeclared or isn't normally accessible (e.g. a private property):

<?php
class InjectionProtection
{
    private $my_private_property;
    public $my_public_property;

    public function __set($name, $value)
    {
        throw new Exception("Trying to set a private or undeclared property: {$name}");
    }
}

$obj = new InjectionProtection;

try
{
    $obj->my_public_property = "foo"; // Allowed
    echo "Successfully set my_public_property!\n";
}
catch(Exception $ex)
{
    echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

try
{
    $obj->my_private_property = "foo"; // Throws an exception
    echo "Successfully set my_private_property!\n";
}
catch(Exception $ex)
{
    echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

try
{
    $obj->my_undeclared_property = "foo"; // Throws an exception
    echo "Successfully set my_undeclared_property!\n";
}
catch(Exception $ex)
{
    echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

?>



Should result in:
Successfully set my_public_property!
EXCEPTION: Trying to set a private or undeclared property: my_private_property
EXCEPTION: Trying to set a private or undeclared property: my_undeclared_property


Ray Paseur Commented:
@gr8gonzo: Great call.  I had forgotten about that... Probably because I usually write my own get and set methods.  But it will definitely trap the disallowed settings.
rgb192 (Author) Commented:
I do not understand how the set magic method is being called, because only a property is being called:
$obj->my_private_property = "foo";

and not a method:
$obj->method();
 
Ray Paseur Commented:
Here are the relevant man pages; all of them need to be understood to get the concept:

http://php.net/__callstatic
http://php.net/manual/en/language.oop5.magic.php
http://php.net/manual/en/language.oop5.overloading.php#object.set

Executive summary: It's "magic" and not part of the regular language syntax.  You can decide for yourself whether it's good or not.
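As an added example, not code from any post in this thread, the class below makes the implicit __set() call that rgb192 asked about observable, and shows the alternative Ray mentions of writing explicit get and set methods: the setters carry the validation and are the only write path, while __set() and __get() act as tripwires for anything else. The class name, field rules and messages are invented for illustration, and PHP 8.0 or later is assumed for the mixed type and get_debug_type().

```php
<?php
// Added example, not code from the thread. GuardedStudent and its rules are
// invented for illustration. Requires PHP 8.0+ (mixed, get_debug_type()).
declare(strict_types=1);

final class GuardedStudent
{
    private string $name;
    private int $age;

    public function __construct(string $name, int $age)
    {
        $this->setName($name);
        $this->setAge($age);
    }

    // Explicit setters carry the validation. Because the properties are private,
    // these are the only way code outside the class can change them.
    public function setName(string $name): void
    {
        $name = trim($name);
        if ($name === '' || strlen($name) > 100) {
            throw new InvalidArgumentException('name must be 1-100 bytes');
        }
        $this->name = $name;
    }

    public function setAge(int $age): void
    {
        if ($age < 0 || $age > 150) {
            throw new InvalidArgumentException('age must be between 0 and 150');
        }
        $this->age = $age;
    }

    public function getName(): string { return $this->name; }
    public function getAge(): int { return $this->age; }

    // The engine dispatches "$obj->x = $v" here whenever x is not accessible from
    // the caller (private/protected) or not declared at all. The caller writes an
    // assignment, never a method call; the assignment itself is what invokes this.
    // Because every such write lands here and is refused, no dynamic property is
    // ever created on the object.
    public function __set(string $name, mixed $value): void
    {
        throw new LogicException(sprintf(
            '__set() invoked for %s::$%s (%s); use the setters',
            self::class, $name, get_debug_type($value)
        ));
    }

    // Same dispatch for reads. Without this, "$obj->undeclared" is merely a
    // warning that evaluates to null, which is easy to miss. isset() and unset()
    // have __isset()/__unset() counterparts that can be locked down the same way.
    public function __get(string $name): mixed
    {
        throw new LogicException(sprintf('__get() invoked for %s::$%s', self::class, $name));
    }
}

$s = new GuardedStudent('Mindi', 22);

// Plain assignments, one to a private property and one to an undeclared name.
// Neither line mentions __set(), yet both are routed to it.
foreach (['age', 'foo'] as $prop) {
    try {
        $s->$prop = 33;
    } catch (LogicException $e) {
        echo $e->getMessage(), "\n";
    }
}

// A plain read of an undeclared name is routed to __get().
try {
    $leak = $s->foo;
} catch (LogicException $e) {
    echo $e->getMessage(), "\n";
}

// The sanctioned path validates instead of silently storing whatever arrives.
$s->setAge(33);
echo $s->getName(), ' is ', $s->getAge(), "\n";
try {
    $s->setAge(-1);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Both writes in the loop and the read of $s->foo end in a LogicException naming the property that was touched, which is the concrete answer to "how is __set being called": the `->` assignment and read syntax is what the engine translates into the magic call, so the caller never has to spell out a method. setAge(33) succeeds and setAge(-1) is rejected before anything is stored.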
 
rgb192 (Author) Commented:
And thank you for explanation of magic methods