Tricking PHP __autoload into loading other files

  • joebert

Post 3+ Months Ago

Consider the following directory structure.

Code:
test.php
class.php
test/class.php


Consider the following code.

PHP Code:
<?php

// Autoloader: the class name is interpolated into the include path unchecked.
function __autoload($classname)
{
   include("test/$classname.php");
}

// A "class name" that contains a relative path segment.
$class = '../class';

// Instantiating it calls __autoload('../class'), which includes test/../class.php.
$obj = new $class;

?>


On the system I tried, that will load and execute "class.php" instead of the intended "test/class.php" before a fatal non-existent class error is thrown. __autoload doesn't seem to check for correct syntax for a class name like one might think.

  • camperjohn

Post 3+ Months Ago

Wow that is slick. I am not a fan of autoloading features (it suggests bad planning), but this is a weird glitch.
  • joebert

Post 3+ Months Ago

I guess the chances of someone building a dynamic class name using user input are pretty slim to begin with. I have a feeling that if it actually did happen though, it would happen with someone who also wasn't sanitizing input very well. Similar to how sometimes you'll see something like include($_GET['mode']);

I've grown to like the __autoload function, especially during development. It allows me to simply throw class files in a folder and start using the class throughout the rest of the application. It seems to help with keeping the size of a "skeleton application" fairly small too.
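
An added example, not part of the original thread or any poster's code: an autoloader that validates the class name itself before building the include path, so a name like the '../class' from the first post never reaches include. The function name resolve_class_file(), the temporary directory layout and the sample names are assumptions made for this example, and it assumes flat, non-namespaced class names as in the post.

```php
<?php
// Added example. resolve_class_file() and the temp layout are hypothetical names.

/**
 * Return the real path of "$baseDir/$classname.php", or null when the name is
 * not a plain PHP identifier or the file resolves outside $baseDir.
 */
function resolve_class_file(string $classname, string $baseDir): ?string
{
    // Identifier grammar from the PHP manual; /D stops "$" matching before a
    // trailing newline. Dots, slashes, backslashes and NUL bytes all fail here.
    if (!preg_match('/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*$/D', $classname)) {
        return null;
    }
    // Second layer: realpath() collapses ".." and symlinks, so compare prefixes.
    $base = realpath($baseDir);
    $file = realpath("$baseDir/$classname.php");
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Constructed layout mirroring the post: class.php next to test/class.php.
$root = sys_get_temp_dir() . '/autoload_demo_' . getmypid();
mkdir("$root/test", 0700, true);
file_put_contents("$root/class.php", "<?php echo 'outer file executed', PHP_EOL;");
file_put_contents("$root/test/class.php", "<?php // intended class file");

// spl_autoload_register() is used because __autoload() is removed in PHP 8.
spl_autoload_register(function (string $classname) use ($root): void {
    $file = resolve_class_file($classname, "$root/test");
    if ($file !== null) {
        require $file;
    }
});

// Constructed class-name inputs, including the one from the post.
foreach (['class', '../class', 'test/../class', "class\n", 'a.b'] as $name) {
    $file = resolve_class_file($name, "$root/test");
    echo str_pad(json_encode($name), 18), ' => ', $file ?? 'rejected', PHP_EOL;
}
```

Only the plain name 'class' resolves, and it resolves to the file inside test/; every other input is rejected by the identifier check before any path is built.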

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.