Dynamic Function Injection in PHP

In PHP we can choose the function to call and pass its arguments dynamically at runtime. For example, have a look at this example.

I have used call_user_func_array() to pass the arguments to the function. The syntax is:

call_user_func_array(function, param_arr)

Since I have used $_GET, we can supply both the function name and its arguments at runtime.


When we pass a URL like that, the actual call that gets made looks like the following.

call_user_func_array("user", ['Osanda', 'secret', 'abc@abc.com']);

Don't you see the loophole? 😉 Why not? We can call any PHP function. The first thing that comes to my mind is phpinfo()


What about code execution? Yeah, it is possible. For example, we can call passthru() and pass the arguments nicely.

http://localhost/?func=passthru&args[]=systeminfo | findstr /C:"OS"

The simplest way to mitigate this kind of arbitrary function call is to add a prefix to your functions. You can of course think of better solutions than this depending on your situation, but in this case, for example, instead of:

function User($user, $pass, $email)

you can add something like

function secure_User($user, $pass, $email)

Also make sure you concatenate the prefix to the function name taken from the GET request in call_user_func_array():

call_user_func_array("secure_".$_GET['func'], $_GET['args']);

Now if you try to request any arbitrary function, PHP will throw an error, since we have concatenated the “secure_” prefix to the name of the function being called.
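As an added example (not the post's own code), here is a dispatcher that keeps the post's secure_ prefix and adds an explicit allow-list with an argument-count check, because a prefix alone still exposes every function whose name happens to start with secure_. It runs with the PHP CLI on the constructed requests at the bottom; the handler name secure_User and the ALLOWED_HANDLERS table are assumptions for this example.

```php
<?php
// Added example, not the post's code. Run with: php dispatch.php

// Allow-list of request-selectable handlers and the number of
// positional arguments each one expects (assumed for this example).
const ALLOWED_HANDLERS = ['User' => 3];

// The prefixed handler from the post; body is a placeholder.
function secure_User(string $user, string $pass, string $email): string
{
    return sprintf("registered %s <%s>", $user, $email);
}

// Hardened replacement for call_user_func_array($_GET['func'], $_GET['args']).
// $get is the request array ($_GET in a web context).
function dispatch_safe(array $get): string
{
    $name = $get['func'] ?? null;
    $args = $get['args'] ?? [];

    // Reject anything that is not a string naming an allow-listed handler,
    // so phpinfo, passthru, etc. are never reachable even with the prefix.
    if (!is_string($name) || !isset(ALLOWED_HANDLERS[$name])) {
        return "rejected: unknown function";
    }
    // Enforce the expected arity instead of forwarding whatever was sent.
    if (!is_array($args) || count($args) !== ALLOWED_HANDLERS[$name]) {
        return "rejected: bad argument count";
    }
    // array_values() drops string keys; on PHP 8 string keys would be
    // treated as named parameters, which is another request-controlled input.
    $target = 'secure_' . $name;  // prefix, as in the post
    return call_user_func_array($target, array_values($args));
}

// Constructed requests standing in for $_GET.
$requests = [
    ['func' => 'User', 'args' => ['Osanda', 'secret', 'abc@abc.com']],
    ['func' => 'phpinfo', 'args' => []],           // not allow-listed
    ['func' => 'User', 'args' => ['Osanda']],      // wrong arity
    ['func' => ['x'], 'args' => []],               // func[]= array trick
];
foreach ($requests as $r) {
    echo dispatch_safe($r), "\n";
}
```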


Thanks for reading!

5 thoughts on “Dynamic Function Injection in PHP”

  1. Really nice article, this is improving my programming skill and increasing my knowledge about it. I know about the dynamic function in the PHP Development course and some doubts are cleared through this article, this is more useful for me.

