• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 230
  • Last Modified:

// SURPRISE! $tmpStudent->foo = 'UNWANTED INJECTION';

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28309697.html#a39695372


What are the ways to prevent:
// SURPRISE!
$tmpStudent->foo = 'UNWANTED INJECTION';
0
rgb192
Asked:
rgb192
  • 3
  • 2
2 Solutions
 
Ray PaseurCommented:
There is no way to prevent that injection from occurring.  But you can simply ignore any variables that you did not declare.  And if you declare your variables to be protected, you will not get an injection because PHP will prevent it.  See line 9, 17, and 22.

Outputs:
Fatal error:  Cannot access protected property Student::$age in /public_html/RAY_temp_rgb192.php on line 17

<?php // RAY_temp_rgb192.php
error_reporting(E_ALL);
echo '<pre>';

// SEE http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28310003.html

class Student{
 private $name;
 protected $age;
 public function __construct($name,$age){
   $this->name=$name;
   $this->age=$age;
   $this->sum=$name+$age;
 }
}
$tmpStudent=new Student("Mindi","22");
echo "Age : ". $tmpStudent->age;
echo "<br>Sum:".$tmpStudent->sum;

// SURPRISE!
$tmpStudent->foo = 'UNWANTED INJECTION';
$tmpStudent->age = 33;

// SHOW THE NEWLY DAMAGED OBJECT
var_dump($tmpStudent);

// SHOW THAT THE NEWLY INJECTED "AGE" HAS NOT BEEN USED IN THE COMPUTATION OF THE "SUM"
echo "<br>Sum:".$tmpStudent->sum;

Open in new window

HTH, ~Ray
0
 
gr8gonzoConsultantCommented:
The __set magic method can help here, because it gets called whenever this is an attempt to modify the value of a property that is either undeclared or isn't normally accessible (e.g. a private property):

<?php
class InjectionProtection
{
    private $my_private_property;
    public $my_public_property;

    public function __set($name, $value)
    {
      throw new Exception("Trying to set a private or undeclared property: {$name}");
    }
}

$obj = new InjectionProtection;

try
{
	$obj->my_public_property = "foo"; // Allowed
	echo "Successfully set my_public_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

try
{
	$obj->my_private_property = "foo"; // Throws an exception
	echo "Successfully set my_private_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}
try
{
	$obj->my_undeclared_property = "foo"; // Throws an exception
	echo "Successfully set my_undeclared_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

?>

Open in new window


Should result in:
Successfully set my_public_property!
EXCEPTION: Trying to set a private or undeclared property: my_private_property
EXCEPTION: Trying to set a private or undeclared property: my_undeclared_property

Open in new window

0
 
Ray PaseurCommented:
@gr8gonzo: Great call.  I had forgotten about that... Probably because I usually write my own get and set methods.  But it will definitely trap the disallowed settings.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
rgb192Author Commented:
I do not understand how the set magic method is being called because only a property is
being called
$obj->my_private_property = "foo";

and not a method
$obj->method();
0
 
Ray PaseurCommented:
Here are the relevant man pages; all of them need to be understood to get the concept:

http://php.net/__callstatic
http://php.net/manual/en/language.oop5.magic.php
http://php.net/manual/en/language.oop5.overloading.php#object.set

Executive summary: It's "magic" and not part of the regular language syntax.  You can decide for yourself whether it's good or not.
0
 
rgb192Author Commented:
And thank you for explanation of magic methods
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now