
Is it secure to use a controller, module or action name to set include paths?

开发者 https://www.devze.com 2022-12-13 13:11 Source: Internet

I want to set up include paths (and other paths, like view script paths) based on the module being accessed. Is this safe? If not, how could I safely set up include paths dynamically? I'm doing something like the code below (this is from a controller plugin.)

public function dispatchLoopStartup(Zend_Controller_Request_Abstract $request) {

    $modName = $request->getModuleName();
    $modulePath = APP_PATH.'/modules/'.$modName.'/classes';
    set_include_path(get_include_path().PATH_SEPARATOR.$modulePath);

}


I'm not sure whether it is safe or not, but it doesn't sound like the best practice. What if someone entered a module name like ../admin/? You should sanitize the module name before using it.


It's fine as long as you sanitize your variables before using them, but it won't be very performant. Fiddling with include paths at runtime has a serious impact on performance.

You're trying to load models/helpers per module? You should look at Zend_Application:

Zend_Application provides a bootstrapping facility for applications which provides reusable resources, common- and module-based bootstrap classes and dependency checking. It also takes care of setting up the PHP environment and introduces autoloading by default.

Emphasis by me
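One way to do the sanitizing both answers call for, as an added example that is not part of the original question or answers: validate the module name against a strict pattern, then confirm the canonical path still sits under the modules directory before it reaches set_include_path(). The helper name resolveModuleClassPath() and the temporary directory tree are assumptions made for the demo.

```php
<?php
// Added example (not from the original post). The modules/<name>/classes
// layout follows the question; resolveModuleClassPath() is a hypothetical helper.

/**
 * Return the absolute classes directory for $modName, or null if the name
 * is not a plain identifier or does not resolve inside $appPath/modules.
 */
function resolveModuleClassPath(string $appPath, $modName): ?string
{
    // 1. Syntactic check: letters, digits, underscore, hyphen only.
    //    Rejects "../admin", "a/b", backslashes, NUL bytes and empty names.
    if (!is_string($modName) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $modName)) {
        return null;
    }

    // 2. Canonicalise and confirm containment. realpath() resolves symlinks
    //    and returns false when the directory does not exist.
    $base = realpath($appPath . '/modules');
    $path = realpath($appPath . '/modules/' . $modName . '/classes');
    if ($base === false || $path === false || !is_dir($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary app tree with one real module, "blog",
// and an "admin" directory outside modules/ that must stay unreachable.
$app = sys_get_temp_dir() . '/app_' . bin2hex(random_bytes(4));
mkdir($app . '/modules/blog/classes', 0700, true);
mkdir($app . '/admin/classes', 0700, true);

foreach (['blog', '../admin', 'blog/../../admin', 'nosuch', "blog\0x"] as $name) {
    $path = resolveModuleClassPath($app, $name);
    if ($path !== null) {
        // Same call as in the question, now fed a vetted absolute path.
        set_include_path(get_include_path() . PATH_SEPARATOR . $path);
    }
    printf("%-22s => %s\n", json_encode($name), $path ?? 'rejected');
}
```

In the controller plugin from the question, the same helper would be called with APP_PATH and $request->getModuleName(), and the include path left unchanged when it returns null.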
