I have used call_user_func_array() to pass the arguments to the function. The syntax would be:
Since I have used $_GET we can pass the function and its arguments during runtime.
When we pass the URL like that the actual parameters would be like the following.
call_user_func_array("user", ['Osanda', 'secret', 'firstname.lastname@example.org']);
Don’t you see the loophole? 😉 Why not we can call any PHP function. The first thing that comes to my mind is phpinfo()
What about code execution? Yeah it is possible. For example we can call passthru() and pass the arguments nicely.
http://localhost/?func=passthru&args=systeminfo | findstr /C:"OS"
The simplest way to mitigate these kind of arbitrary calling of functions you could add a prefix to your functions. You can of course think of better solutions than this depending on your situation. But in this case for example instead of:
function User($user, $pass, $email)
you can add something like
function secure_User($user, $pass, $email)
Also make sure you concatenate the prefix to the GET request in call_user_func_array()