Benjamin Crozat

ashallendesign.co.uk

PHP dynamic method call dangers →

Dynamic method calls in PHP feel neat, but they can bite.

Ash Allen shows how letting user input pick a method like $obj->$name() can open doors you did not mean to open. Think surprise deletes. Think hidden debug paths.

What I liked most is the simple fix. Do not call methods straight from user input. Map input to safe actions instead.

Bad

// The request decides which method runs: anything callable on $controller is reachable.
$action = $_GET['action'];
$controller->$action();

Better

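$action = $_GET['action'] ?? '';

// Allowlist: public action name => controller method.
$map = [
  'index' => 'showIndex',
  'store' => 'storePost',
];

// ?action[]=x arrives as an array; reject it before it is used as an array key.
if (!is_string($action) || !isset($map[$action])) {
  http_response_code(404);
  exit;
}

// Only method names taken from the map are ever called.
$controller->{$map[$action]}();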

He also reminds us to use allowlists, check is_callable, and avoid magic catch‑alls like __call for user input paths.
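The three points above combined in one dispatcher, as an added example that is not code from this page or from Ash Allen's article. PostController, purgeAll, resolveAction and the sample inputs are hypothetical, and PHP 8.0+ is assumed for the mixed type.

```php
<?php
declare(strict_types=1);

// Hypothetical controller for illustration; these names are not from the article.
final class PostController
{
    public function showIndex(): string { return 'index page'; }
    public function storePost(): string { return 'post stored'; }
    // Public, but never meant to be reachable from a request.
    public function purgeAll(): string { return 'everything purged'; }

    // Magic catch-all: because of this, is_callable() is true for ANY name.
    public function __call(string $name, array $args): string
    {
        return "fallback for {$name}";
    }
}

// Returns the method to invoke, or null when the request must be rejected.
function resolveAction(object $controller, mixed $input, array $allowlist): ?string
{
    // ?action[]=x arrives as an array; accept only strings named in the allowlist.
    if (!is_string($input) || !array_key_exists($input, $allowlist)) {
        return null;
    }
    $method = $allowlist[$input];
    // method_exists() ignores __call, so a mistyped map entry fails closed
    // instead of being routed into the catch-all.
    if (!method_exists($controller, $method) || !is_callable([$controller, $method])) {
        return null;
    }
    return $method;
}

$controller = new PostController();
$allowlist  = ['index' => 'showIndex', 'store' => 'storePost', 'edit' => 'editPost'];

// is_callable() on its own is not a gate here: purgeAll is public and
// __call answers for every other name.
var_dump(is_callable([$controller, 'purgeAll']), is_callable([$controller, 'noSuchMethod']));

// Constructed inputs: allowlisted keys, raw method names, a stale map entry, an array.
foreach (['index', 'store', 'purgeAll', 'showIndex', 'edit', ['index']] as $input) {
    $method = resolveAction($controller, $input, $allowlist);
    $result = $method === null ? 'rejected (404)' : $controller->$method();
    echo json_encode($input), ' => ', $result, PHP_EOL;
}
```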

If you ever map routes or commands in PHP, this is a quick read that can save a long night of bugs and security headaches.

Read more on ashallendesign.co.uk →
