I have a problem getting the connection variable to open a database connection.
This is my HTML code:
<form action="password.php" method="post">
    <div class="form-group">
        <input type="password" class="form-control" name="current" placeholder="Current password..." />
    </div>
    <div class="form-group">
        <input type="password" class="form-control" name="new" placeholder="New password..." />
    </div>
    <div class="form-group">
        <input type="password" class="form-control" name="confirm" placeholder="Repeat new password..." />
    </div>
</div>
<div class="modal-footer">
    <input type="hidden" name="q" value="proofQueries">
    <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
    <button type="submit" class="btn btn-primary"><i class="fa fa-plus"></i> Change</button>
</div>
</form>
And this is the code of my PHP class:
$settings = new Datasettings();
require_once('../config.php'); // file that defines the PDO connection class
$conexion = new Conexion();
if(isset($_POST['q'])){ // take the method name sent by the HTML form and call that method of this class
    $settings->$_POST['q']($conexion);
}
class Datasettings {
    function __construct(){
        session_start();
        if(!isset($_SESSION['id'])){
            header('location:mystyle.css');
        }
    }
    function proofQueries($conexion){
    }
    // ... other functions ...
}
Could I change the way I call the function? How could I do it?
I assume that by this code:
if(isset($_POST['q'])){ // get the name from html form for go to a function of this class
    $settings->$_POST['q']($conexion);
}
and by submitting the hidden form field called q with the value proofQueries, you are trying to call $settings->proofQueries($conexion). This is an extremely bad idea.
You are effectively executing code that comes directly from client side, which is a HUGE vulnerability risk.
It seems like a strange approach to begin with to specify the function client side, and then execute it in PHP (i.e. server side). Why specify the q value at all, instead of just explicitly doing $settings->proofQueries($conexion) in PHP?
If you somehow must specify the function to be called client side, do something like this:
if(isset($_POST['q'])){ // get member function from submitted form
    $f = $_POST['q'];
    if ($f=='proofQueries') {
        $settings->proofQueries($conexion);
    }
    else {
        die("Nope");
    }
}
Or if you have multiple possible functions, explicitly filter them with a whitelist to make absolutely 100% sure that ONLY the function names you decide can be called:
if(isset($_POST['q'])){ // get member function from submitted form
    $f = $_POST['q'];
    $allowedFunctions = array('proofQueries','doSomething','otherFunction');
    if (in_array($f,$allowedFunctions)) {
        $settings->$f($conexion);
    }
    else {
        die("Nope");
    }
}
But again, it seems like a strange approach altogether. You should not specify server-side implementation details through the client side.
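The whitelist idea from the answer above, carried one step further as an added example that is not code from the question or the answer: instead of letting a client-supplied string become a method name at all, map each allowed action name to a closure that calls one specific method, and reject everything else (including non-string input such as q[]=...). The Conexion stand-in, the dropEverything method and the action list are placeholders invented for this demo; only proofQueries comes from the original post.

```php
<?php
// Added example: explicit action map instead of $settings->$_POST['q'](...).
// Requires PHP 7.4+ (arrow functions). Run with: php dispatch.php
declare(strict_types=1);

class Conexion {}  // stand-in for the PDO wrapper normally loaded from ../config.php

class Datasettings
{
    public function proofQueries(Conexion $conexion): string
    {
        return 'proofQueries ran';
    }

    // Hypothetical public method that must never be reachable from a form field.
    // With the original dynamic call, q=dropEverything would invoke it.
    public function dropEverything(Conexion $conexion): string
    {
        return 'disaster';
    }
}

/**
 * Dispatch a client-supplied action name through a fixed map.
 * Returns the action's result, or null when the name is not allowed.
 *
 * @param mixed $q raw value of $_POST['q'] (may be a string, an array, or absent)
 */
function dispatch(Datasettings $settings, Conexion $conexion, $q): ?string
{
    // The map is the whitelist: its keys are the only names a client may send,
    // and each value calls one specific method. No other method is reachable,
    // whatever string the client submits.
    $actions = [
        'proofQueries' => fn(Datasettings $s, Conexion $c): string => $s->proofQueries($c),
    ];

    // Reject non-strings (q[]=x arrives as an array) and unknown names.
    // array_key_exists is an exact string match, unlike a loose in_array().
    if (!is_string($q) || !array_key_exists($q, $actions)) {
        return null;
    }
    return $actions[$q]($settings, $conexion);
}

// Constructed inputs standing in for $_POST['q'] in four separate requests.
$settings = new Datasettings();
$conexion = new Conexion();

foreach (['proofQueries', 'dropEverything', '__construct', ['x']] as $q) {
    $result = dispatch($settings, $conexion, $q);
    printf("%-16s => %s\n", is_array($q) ? '(array)' : $q, $result ?? 'rejected (Nope)');
}
```

Only the first request runs anything; the other three are refused before any method name is looked up. If you keep the in_array() version from the answer, pass true as its third argument and check is_string() first, so that a non-string or loosely-equal value cannot slip past the comparison.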