How Dynamic Method Calls Can Cripple Your PHP App—and Simple Fixes

Introduction

In PHP it is common to call a method dynamically using a variable, e.g. $controller->{$action}(), where $action comes from user input such as $_GET['action']. While convenient for routing or command handling, this pattern can lead to severe security issues, unexpected behavior, and data loss.

Danger 1: Accidental Execution of Destructive Operations

Consider a controller with a deleteUser method. A naïve router might look like:

class UserController {
    public function deleteUser() {
        echo 'User deleted';
    }
    public function listUsers() {
        echo 'User list';
    }
}

$action = $_GET['action'] ?? 'listUsers';
$controller = new UserController();
$controller->$action();

An attacker could request /users?action=deleteAllUsers and, if a hidden deleteAllUsers method exists (or if __call forwards the call), the entire database could be wiped. Even without such a method, a magic __call implementation might invoke unintended code.

Real‑world example: A production system received the input 'delete' , which matched an internal cleanup function and unintentionally dropped an entire table.

Danger 2: Exposing Hidden Debug or Internal Methods

Developers often add debugging helpers like dumpData or showSecrets. If these are callable via user input, an attacker can retrieve sensitive information:

class DebugController {
    public function dumpData() {
        var_dump($this->getAllSensitiveData());
    }
}

Calling $controller->$action() with 'dumpData' would expose the data.

Danger 3: Misuse of the Magic __call Method

The __call magic method catches undefined method calls. When combined with user‑supplied names, it can amplify risks, potentially leading to code injection or unexpected behavior.

class MagicController {
    public function __call($name, $arguments) {
        if (method_exists($this, $name)) {
            return $this->$name(...$arguments);
        }
        echo "Called undefined method: $name";
    }
}

Malicious input can trigger unintended logic.

How to Fix: Use an Allow‑List Mapping

The simplest mitigation is never use raw user input as a method name . Instead, map allowed actions to predefined safe methods.

$action = $_GET['action'] ?? '';
$map = [
    'index'  => 'showIndex',
    'store'  => 'storePost',
    'update' => 'updatePost',
    'delete' => 'deletePost',
];
if (!isset($map[$action])) {
    http_response_code(404);
    exit('Invalid operation');
}
$controller = new PostController();
$controller->{$map[$action]}();

User can only supply values like 'index' or 'store'.

These map to safe methods such as showIndex.

Invalid inputs return a 404 response.

Additional Tips

Validate callability: Use is_callable([$controller, $method]) before invoking.

Avoid combining __call with user input: If you must use it, ensure it never processes user‑controlled data.

Type safety: In PHP 8+ leverage typed properties and signatures.

Testing: Write unit tests that simulate malicious inputs and verify they do not trigger unexpected methods.

Conclusion

Dynamic method calls are powerful in PHP, but when they accept user input they become a double‑edged sword. By employing an allow‑list mapping and the additional safeguards above, you can eliminate these risks while keeping your code clean and maintainable.