3

Could someone please help me understand this syntax trick in PHP:

$controller->{$_GET['action']}();

I'm talking about the

{$_GET['action']}();

I'm trying to understand the MVC pattern on this blog http://r.je/mvc-in-php.html but it would really help me if I could understand this syntax trick...

Thanks

4 Answers

4

It's a way to dynamically access a member of an object.

$key = 'test';
$object->{$key}

Is equivalent to:

$object->test

In your example, someone is running whatever method specified by $_GET['action'] (which is the action variable in the querystring) on the $controller.

See variable variables and variable functions in the manual.

Brad
  • Another use case would be: `echo "value: {$_GET['action']}";` This will not work: `echo "value: $_GET['action']";` – ficuscr Nov 08 '13 at 21:24
  • @ficuscr I highly recommend not using variables within string literals anyway. They're hard to spot, and can be problematic. I would prefer to use `echo 'value: ', $_GET['action']` for your example. Also, don't forget `htmlspecialchars()` if you're outputting data in the context of HTML. – Brad Nov 08 '13 at 21:24
  • The main point is: This answer starts wrong, because there is NO PROPERTY being accessed, but a METHOD being called. This is something very different. – Sven Nov 08 '13 at 21:27
  • @Brad I'm not sure I fully agree - a . concatenated . mess is not necessarily any easier to read. I say whatever is more readable is the way to go. And as for escaping that is neither here nor there, all I was doing was trying to explain how curly braces are used in PHP. – ficuscr Nov 08 '13 at 21:50
  • Who downvoted this and why? You're going to downvote a correct answer, and not offer any explanation? You're wasting everyone's time. – Brad Nov 08 '13 at 23:45
3

Ugh. That is ugly code. Like really ugly code.

So you have an object $controller and they're using $_GET['action'] to call a method inside $controller. So say you had page.php?action=call. It would be the same as calling

$controller->call();

This is a really bad idea, tho. You should NEVER accept raw untrusted data to execute code. Massive security holes there.

Machavity
  • It isn't necessarily a security hole. It all depends on how you have structured that controller. You're not just accepting arbitrary code and running it, you're only running what methods are public on that controller. – Brad Nov 08 '13 at 21:26
  • True, but a user could call methods you don't necessarily want called. At the very best, end users can break your script by passing bad function names in the query string (will produce a Fatal error calling undefined methods). – Machavity Nov 08 '13 at 21:27
  • At least the outside world can call ANY method existing in that class. And if $controller is also variable, probably the class being used is also not determined. – Sven Nov 08 '13 at 21:28
  • @Sven They can't call any method... they can only call public methods. And, what makes you think that having an instance in a variable means it isn't specifically defined elsewhere? – Brad Nov 08 '13 at 21:29
  • The assumption of only being able to call public methods can be wrong, depending on the other code. It is safer to assume everything can be called than be surprised afterwards. And even being able to call every public function might be a bad thing. – Sven Nov 08 '13 at 21:33
  • @Sven Of course it can be a bad thing, but it can also be a good thing. My point is it depends on how you architect what you are building, and is not a black/white answer. – Brad Nov 08 '13 at 23:45
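
An added example, not code from the answers or from the linked tutorial: one way to keep the dynamic call while restricting it to an explicit allowlist of action names, which is the concern the comments above argue over. The Controller class, its resetAll() method and the dispatch() helper are hypothetical, and the code assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical controller: textclicked() is meant to be a web action,
// resetAll() is public only because other server-side code calls it.
final class Controller
{
    public array $log = [];

    public function textclicked(): void { $this->log[] = 'textclicked'; }
    public function resetAll(): void    { $this->log[] = 'resetAll'; }
}

// Explicit allowlist of action names accepted from the query string (lower case).
const ALLOWED_ACTIONS = ['textclicked'];

/**
 * Runs the requested action only if it is allowlisted.
 * Returns true if the method was called, false if the request was rejected.
 */
function dispatch(Controller $controller, mixed $action): bool
{
    // A missing parameter is null and ?action[]=x is an array; only strings pass.
    if (!is_string($action)) {
        return false;
    }
    // PHP method names are case-insensitive, so normalise before comparing.
    $name = strtolower($action);
    if (!in_array($name, ALLOWED_ACTIONS, true)) {
        return false; // public-but-unintended, magic and undefined methods all stop here
    }
    $controller->{$name}();
    return true;
}

// Constructed inputs standing in for $_GET['action'] ?? null.
$controller = new Controller();
foreach (['textclicked', 'TextClicked', 'resetAll', '__construct', ['x'], null, 'nope'] as $input) {
    $label = is_string($input) ? $input : gettype($input);
    printf("%-12s %s\n", $label, dispatch($controller, $input) ? 'called' : 'rejected');
}
```

Rejecting before the call also avoids the fatal error on undefined method names mentioned in the comments.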
1

It takes whatever string was passed in via the action query parameter, and tries to execute it as a function. e.g.

http://example.com/index.php?action=whatever

will end up being the equivalent of having

$controller->whatever();

in the code.

Marc B
0

Thanks a lot for your help. So when I do: $controller->{$_GET['action']}();

I am dynamically accessing a member of an object. In this case it's the controller. In the tutorial the method that has been called is "textclicked". So that's what the line of code up there does. Thanks a lot for your help. It helped me a lot.