
PHP Security: Dynamic Evaluation

Thursday, March 12th, 2009 by hejian

Executing a function whose name comes straight from the request:

// Vulnerable pattern: the client supplies the name of the function to call.
$myfunc = $_GET['myfunc'];
$myfunc();

When a function is called dynamically like this, an attacker can execute any function that is defined at that point, built-in or user-defined, simply by naming it:

index.php?myfunc=phpinfo

This request runs phpinfo() and dumps the server configuration to the attacker.

Check the code base for dynamic function calls

grep -r '\$[0-9a-zA-Z_]*(' .

The pattern catches `$name()` and also the `$method(` part of `$obj->$method()`, but not call_user_func() or call_user_func_array(), so grep for those two names as well. Expect some related hits such as `new $class()` in the results; each one needs the same review.

Protecting against dynamic function vulnerabilities

Disabling register_globals stops request parameters from silently turning into PHP variables, but it does nothing for code that reads $_GET directly, as in the snippet above. The real fix is to never let request data become a function name: compare the request value against an allowlist of permitted actions, map each allowed value to a function name fixed in the code, and reject everything else.
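An allowlisted dispatcher next to the vulnerable form, added here as an illustration; this is not code from the original post. The handler functions show_status() and show_version() and the action names are made up for the example.

```php
<?php
// Added example, not code from the original post. Shows the vulnerable
// pattern next to an allowlisted dispatcher. The handler functions and
// action names are assumptions made up for this example.

declare(strict_types=1);

function show_status(): string { return "status: ok"; }
function show_version(): string { return "version: 1.0"; }

// Vulnerable: whatever the client sends becomes the function name, so
// ?myfunc=phpinfo runs phpinfo(). Kept only for comparison; never use it.
function dispatch_unsafe(string $myfunc): void
{
    $myfunc();
}

// Fixed keys are the only strings the client may choose from; the callee
// names on the right are set by us and never derived from the request.
const ACTIONS = [
    'status'  => 'show_status',
    'version' => 'show_version',
];

// Returns the handler output, or null when the action is not allowed.
function dispatch_safe($action): ?string
{
    // $_GET values can be arrays (?myfunc[]=x), so insist on a string first.
    if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
        return null;
    }
    $fn = ACTIONS[$action];
    return $fn();
}

$out = dispatch_safe($_GET['myfunc'] ?? null);
if ($out === null) {
    http_response_code(400);
    echo "unknown action\n";
} else {
    echo $out, "\n";
}
```

With this in place, index.php?myfunc=phpinfo gets a 400 response because "phpinfo" is not a key in ACTIONS; only "status" and "version" reach a function, and which function that is was decided in the source, not by the client.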
