Dynamically load a class in PHP

Recently I visited a PHP forum where a user was asking how to "Dynamically Load A Class" in PHP using a variable.

He proceeded to make an invalid example like:

$module = new Mod_{$tmp_Name} ();

It is common in PHP to allow a PHP script to be extended just by adding extra classes. Theses classes are often found automatically and loaded from a variable in a string.

The problem is the solution that the user came up with is the most often used, but most insecure method. It was to use the eval function:

$toRun = "\$module = new Mod_{$toPass} ();";
eval ($toRun);

The eval command is a very powerful command. Used in correctly it can be a vary large security hole in your website.

The best method of dynamically loading a class in PHP that should have been used is:

$toRun = 'MyClass';
$instance = new $toRun();

Tags: Miscellaneous, Php, Programming, Web Development

Related Items:

• Editing live sites and the power of __autoload() in PHP 5
• Horde framework project
• Invalid host attack on PHP websites
• Notepad++
• Automatic Keyword Generator

Comments / Replies

• 

  Anand Says:
  25 September, 2008 at 2:12 pm

  Also one more comment on eval(). Many hosting company is not support this eval function.
  
  So this reduce your code portability between hosting servers
  
  So be careful on this

Add Comment / Reply

This website follows the ideas of the No Nofollow, I Follow, DoFollow, No-NoFollow movement. Leave a helpful comment and you will get a link without NoFollow (U Comment, I Follow).