
I am using the eval() function in an ajax file that will allow me to call functions from Javascript (similar to Securely calling PHP code from JavaScript);

I have around 20 functions that I want to be able to use. I do not want malicious code passed in. How can I verify that the string passed in is one of my functions, and nothing more?

  • Why not have your function in your php, and the javascript just pass in an a value that indicates which one of your functions should run? Commented Apr 2, 2017 at 19:49
  • @Andrew That is what I am talking about doing. I am wondering how to verify it is a function, in case a hacker gets access to that ajax file. I don't want people passing in strings and having them executed when it's not one of my functions. Commented Apr 2, 2017 at 19:51
  • It depends on the environment; if your site is user controlled, where everyone has to log in, then you can let sessions and cookies do the validation for you. And you can also filter incoming strings using the addslashes and htmlspecialchars functions to reduce the chance of malicious data passing through. Commented Apr 2, 2017 at 19:55

2 Answers

You are overcomplicating things by using eval to achieve this. You can simply define your functions on the server-side and switch to the correct one using a simple switch case. This way you do not have to worry about security-related issues.

jQuery:

function callPhp(func, callback) {
    $.ajax({
        type: 'GET',
        url: 'callPhp.php',
        // send the requested action name; the server decides what actually runs
        data: { action: func },
        success: function (data) {
            data = JSON.parse(data);
            callback(data);
        }
    });
}

PHP:

<?php

// Only a known action name selects a function; the client string is never eval'd
$action = $_GET['action'] ?? '';

switch ($action) {
    case "register":
        register_user();
        break;
    case "login":
        login();
        break;
    default:
        // Unknown action: reject it instead of silently doing nothing
        http_response_code(400);
        break;
}

?>

If you really want to use eval, which I highly discourage you to use, you can simply implement a sort of whitelist of method names that should be executed on the server side.

<?php

$whiteListMethod = array('register', 'login', 'forgotPassword');
$action = $_GET['action'] ?? '';

// Is the user supplied function present in my whitelist?
// The third argument (true) forces a strict === comparison.

if (in_array($action, $whiteListMethod, true)) {

  // You can call this method safely: $action is now known to be one of ours
  call_user_func($action);

} else {

  // Hack attempt detected
  http_response_code(400);

}

2 Comments

This would work, except for a problem. What if my functions each have their own set/number of parameters?
If the arguments is different for each function, you can simply create a multi-dimensional array.
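The following is an added example, not code from either answer, showing the "multi-dimensional array" idea from the comment above as a complete dispatch table: each allowed action name maps to a server-side callable plus the list of request parameters it needs, so functions with different parameter lists can all be called without eval(). The function names other than register_user and login, the parameter names, and the JSON response shape are assumptions for illustration.

```php
<?php
// Added example (not from the original answers): an allowlist that maps the
// client-supplied "action" name to a server-side callable and declares which
// request parameters that action requires. No client string ever reaches
// eval() or is used as a variable function name; the callable comes from
// the table, and unknown actions or missing parameters are rejected first.
// Function and parameter names below are hypothetical.

declare(strict_types=1);

function register_user(string $email, string $password): array {
    // Hypothetical body: create the account and return something for the client.
    return ['registered' => $email];
}

function login(string $email, string $password): array {
    return ['loggedIn' => $email];
}

function forgot_password(string $email): array {
    return ['resetSent' => $email];
}

// Allowlist: action name => [callable name, required parameter names].
// Only the keys present here can ever be dispatched.
const ACTIONS = [
    'register'       => ['register_user',   ['email', 'password']],
    'login'          => ['login',           ['email', 'password']],
    'forgotPassword' => ['forgot_password', ['email']],
];

// Returns [HTTP status, response body] for a request array such as $_GET.
function dispatch(array $request): array {
    $action = $request['action'] ?? null;

    // Exact key lookup: the action must match an allowlisted name verbatim.
    if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
        return [400, ['error' => 'unknown action']];
    }
    [$callable, $params] = ACTIONS[$action];

    // Collect each declared parameter; reject the call if any is missing.
    $args = [];
    foreach ($params as $name) {
        $value = $request[$name] ?? null;
        if (!is_string($value) || $value === '') {
            return [400, ['error' => "missing parameter: $name"]];
        }
        $args[] = $value;
    }

    // $callable is a literal from ACTIONS, never the raw client string.
    return [200, $callable(...$args)];
}

[$status, $body] = dispatch($_GET);
http_response_code($status);
header('Content-Type: application/json');
echo json_encode($body);
```

A request for `?action=forgotPassword&email=a@example.com` runs forgot_password with one argument, while `?action=register&email=a@example.com&password=x` runs register_user with two; any other action name, or a missing parameter, gets a 400 and no function is called. Adding a new endpoint means adding one row to ACTIONS rather than touching the dispatcher.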

You can use @Hyder B's method for that. Personally I think that's the best option if you just want to call a function. Also, if you're worried about someone getting access to your ajax files (other than viewing them through the browser's source reader), they can access the function file also, so that's something you'll need to improve on the server. You can however stop people from trying to load the functions file directly by adding this:

<?php
// If this file is the only one loaded, it was requested directly rather than
// included from another script: redirect and stop executing.
if (count(get_required_files()) <= 1) {
  header("Location: ./index.php");
  exit;
}
?>

That will redirect the user if the file is accessed directly.

3 Comments

You should've edited @HyderB's post for this addition, as it's not a standalone answer.
What if the functions have different parameters?
I believe you can pass parameters through ajax as well. Have a look at the link below. stackoverflow.com/questions/18697034/…
