
I am using the eval() function in an ajax file that will allow me to call functions from Javascript (similar to Securely calling PHP code from JavaScript).

I have around 20 functions that I want to be able to use. I do not want malicious code passed in. How can I verify that the string passed in is one of my functions, and nothing more?

Wyatt
  • Why not have your function in your php, and the javascript just pass in an a value that indicates which one of your functions should run? – Andrew Apr 02 '17 at 19:49
  • @Andrew That is what I am talking about doing. I am wondering how to verify it is a function, in case a hacker gets access to that ajax file. I don't want people passing in strings and having them executed when it's not one of my functions. – Wyatt Apr 02 '17 at 19:51
  • It depends on the environment; if your site is user controlled, where everyone has to log in, then you can let sessions and cookies do the validation for you. You can also filter incoming strings using the `addslashes` and `htmlspecialchars` functions to reduce the chance of malicious data passing through. – Prav Apr 02 '17 at 19:55

2 Answers

You are overcomplicating things by using eval to achieve this. You can simply define your functions on the server-side and switch to the correct one using a simple switch case. This way you do not have to worry about security-related issues.

jQuery:

function callPhp(func, callback) {
    $.ajax({
        type: 'GET',
        url: 'callPhp.php',
        // send the requested action name; the server decides what it maps to
        data: { action: func },
        success: function (data) {
            data = JSON.parse(data);
            callback(data);
        }
    });
}

PHP:

<?php

$action = $_GET['action'] ?? '';

switch ($action) {
    case "register":
        register_user();
        break;
    case "login":
        login();
        break;
    default:
        // Anything not listed above is rejected, never executed
        http_response_code(400);
        break;
}

If you really want to use eval, which I highly discourage, you can simply implement a sort of whitelist of method names that should be executed on the server side.

<?php

$whiteListMethod = array('register', 'login', 'forgotPassword');
$action = $_GET['action'] ?? '';

// Is the user supplied function present in my whitelist?
// The third argument makes the comparison strict (no type juggling).
if (in_array($action, $whiteListMethod, true)) {
    // You can call this method safely
    call_user_func($action);
} else {
    // Hack attempt detected
    http_response_code(400);
}
Hyder B.
  • This would work, except for a problem. What if my functions each have their own set/number of parameters? – Wyatt Apr 02 '17 at 20:39
  • If the arguments are different for each function, you can simply create a multi-dimensional array. – Hyder B. Apr 03 '17 at 04:52
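An added example (not Hyder B.'s code) that carries the switch/whitelist idea through to the different-parameter case raised in the comments: a table maps each allowed action name to its handler and the parameters it requires, so nothing outside the table is ever called and every argument is validated before the call. The handlers register_user(), login() and forgot_password() are assumed stand-ins for the application's own functions.

```php
<?php
// Added example (not from the answers above): an allow-list dispatch table in place of eval().
// Each action names its handler and the parameters it needs, so a request can only reach the
// listed functions with validated arguments. The three handlers are assumed stand-ins.
declare(strict_types=1);
function register_user(string $email, string $password): array {
    return ['registered' => $email];
}
function login(string $email, string $password): array {
    return ['logged_in' => $email];
}
function forgot_password(string $email): array {
    return ['reset_sent_to' => $email];
}
// action name => [handler, required parameter => filter_var() filter]
const ACTIONS = [
    'register'       => ['register_user',   ['email' => FILTER_VALIDATE_EMAIL, 'password' => FILTER_DEFAULT]],
    'login'          => ['login',           ['email' => FILTER_VALIDATE_EMAIL, 'password' => FILTER_DEFAULT]],
    'forgotPassword' => ['forgot_password', ['email' => FILTER_VALIDATE_EMAIL]],
];

function dispatch(array $request): array {
    $action = $request['action'] ?? '';
    // Exact key match only: anything not in the table is rejected, never called.
    if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
        return ['status' => 400, 'error' => 'unknown action'];
    }
    [$handler, $params] = ACTIONS[$action];
    $args = [];
    foreach ($params as $name => $filter) {
        $value = $request[$name] ?? null;
        if (!is_string($value) || $value === '' || filter_var($value, $filter) === false) {
            return ['status' => 400, 'error' => "missing or invalid parameter: $name"];
        }
        $args[] = $value;
    }
    return ['status' => 200, 'result' => $handler(...$args)];
}

// Constructed request when run from the CLI; the real query string otherwise.
$request = PHP_SAPI === 'cli'
    ? ['action' => 'forgotPassword', 'email' => 'user@example.com']
    : $_GET;
$response = dispatch($request);
if (PHP_SAPI !== 'cli') {
    http_response_code($response['status']);
    header('Content-Type: application/json');
}
echo json_encode($response), PHP_EOL;
```

A request such as `callPhp.php?action=login&email=user@example.com&password=secret` reaches login() with both arguments, while `action=system` or a missing email returns a 400 without touching any function.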

You can use @Hyder B's method for that. Personally I think that's the best option if you just want to call a function. Also, if you're worried about someone getting access to your ajax files (other than viewing them through the browser's source reader), they can access the function file also, so that's something you'll need to improve on the server. You can however stop people from trying to load the functions file directly by adding this:

<?php
if (count(get_required_files()) <= 1) {
    header("Location: ./index.php");
    exit; // stop here, otherwise the rest of the file still runs after the redirect header
}
?>

That will redirect the user if the file is accessed directly.

Prav
  • You should've edited @HyderB 's post for this addition, as it's not a standalone answer. – Nytrix Apr 02 '17 at 20:17
  • What if the functions have different parameters? – Wyatt Apr 02 '17 at 21:55
  • I believe you can pass parameters through ajax as well. Have a look at the link below. http://stackoverflow.com/questions/18697034/how-to-pass-parameters-in-ajax-post – Prav Apr 03 '17 at 06:15