1

I have a file functions.php which has multiple functions like:

function do_this(){
}

function do_that(){
}

Now, I am thinking doing something weird like calling that function from URL:

functions.php?func=do_that

Now, I added this lines of code to functions.php

if(isset($_GET["func"])){
    $func = $_GET["func"];
    //How to call that function with name "$func"

}

Any great brains out there? Let me know. If that's not possible, then also lemme know. Coz I have to think of a new approach in my work.

tika
  • 7,135
  • 3
  • 51
  • 82
  • I will let you know it is possible because I do it. :) Enjoy! – Jack M. Jul 30 '14 at 19:03
  • 2
    That's called a [_variable function_](http://php.net/manual/en/functions.variable-functions.php) in PHP. USE EXTREME CAUTION! Only execute functions which are in an array (whitelist) of acceptable values. Otherwise, you introduce a code injection vulnerability (a severe one) – Michael Berkowski Jul 30 '14 at 19:04
  • Yes. You can use call_user_func(); http://php.net/manual/en/function.call-user-func.php – Marcelo Camargo Jul 30 '14 at 19:05
  • 1
    You are advised to do something like `$allowed = array('do_this', 'do_that'); if (!in_array($_GET['func'], $allowed)) { // ERROR, don't execute! }` – Michael Berkowski Jul 30 '14 at 19:06

1 Answers1

0

All you need to do is to call the function as you get the $_GET variables like this:

if(isset($_GET["func"])){
    $func = $_GET["func"];
    $func();

}
Khalid
  • 4,730
  • 5
  • 27
  • 50
  • 3
    That isn't all that's needed. More protection is necessary to limit calls to acceptable functions. For example `script.php?func=phpinfo` would dump server information to the screen. – Michael Berkowski Jul 30 '14 at 19:09