Solved

// SURPRISE! $tmpStudent->foo = 'UNWANTED INJECTION';

Posted on 2013-12-04
6
215 Views
Last Modified: 2013-12-05
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28309697.html#a39695372


What are the ways to prevent:
// SURPRISE!
$tmpStudent->foo = 'UNWANTED INJECTION';
0
Comment
Question by:rgb192
  • 3
  • 2
6 Comments
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 39695747
There is no way to prevent that injection from occurring.  But you can simply ignore any variables that you did not declare.  And if you declare your variables to be protected, you will not get an injection because PHP will prevent it.  See line 9, 17, and 22.

Outputs:
Fatal error:  Cannot access protected property Student::$age in /public_html/RAY_temp_rgb192.php on line 17

<?php // RAY_temp_rgb192.php
error_reporting(E_ALL);
echo '<pre>';

// SEE http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28310003.html

class Student{
 private $name;
 protected $age;
 public function __construct($name,$age){
   $this->name=$name;
   $this->age=$age;
   $this->sum=$name+$age;
 }
}
$tmpStudent=new Student("Mindi","22");
echo "Age : ". $tmpStudent->age;
echo "<br>Sum:".$tmpStudent->sum;

// SURPRISE!
$tmpStudent->foo = 'UNWANTED INJECTION';
$tmpStudent->age = 33;

// SHOW THE NEWLY DAMAGED OBJECT
var_dump($tmpStudent);

// SHOW THAT THE NEWLY INJECTED "AGE" HAS NOT BEEN USED IN THE COMPUTATION OF THE "SUM"
echo "<br>Sum:".$tmpStudent->sum;

Open in new window

HTH, ~Ray
0
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 250 total points
ID: 39696121
The __set magic method can help here, because it gets called whenever this is an attempt to modify the value of a property that is either undeclared or isn't normally accessible (e.g. a private property):

<?php
class InjectionProtection
{
    private $my_private_property;
    public $my_public_property;

    public function __set($name, $value)
    {
      throw new Exception("Trying to set a private or undeclared property: {$name}");
    }
}

$obj = new InjectionProtection;

try
{
	$obj->my_public_property = "foo"; // Allowed
	echo "Successfully set my_public_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

try
{
	$obj->my_private_property = "foo"; // Throws an exception
	echo "Successfully set my_private_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}
try
{
	$obj->my_undeclared_property = "foo"; // Throws an exception
	echo "Successfully set my_undeclared_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

?>

Open in new window


Should result in:
Successfully set my_public_property!
EXCEPTION: Trying to set a private or undeclared property: my_private_property
EXCEPTION: Trying to set a private or undeclared property: my_undeclared_property

Open in new window

0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39696196
@gr8gonzo: Great call.  I had forgotten about that... Probably because I usually write my own get and set methods.  But it will definitely trap the disallowed settings.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:rgb192
ID: 39697364
I do not understand how the set magic method is being called because only a property is
being called
$obj->my_private_property = "foo";

and not a method
$obj->method();
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39697374
Here are the relevant man pages; all of them need to be understood to get the concept:

http://php.net/__callstatic
http://php.net/manual/en/language.oop5.magic.php
http://php.net/manual/en/language.oop5.overloading.php#object.set

Executive summary: It's "magic" and not part of the regular language syntax.  You can decide for yourself whether it's good or not.
0
 

Author Closing Comment

by:rgb192
ID: 39700237
And thank you for explanation of magic methods
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
This article discusses how to create an extensible mechanism for linked drop downs.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now