urlencode() excites me a bit. Although it would probably be safe, I would have a more rigorous understanding. I would only allow letters, numbers, and underscores. In fact, you do not need class or method names with other characters. I do not think I've ever seen one.
I use this for A LOT of things in all my projects:
```php
// Strip everything except letters, digits and underscore.
function very_safe_string( $string ) { return preg_replace("/[^A-Za-z0-9_]/" , '' , $string); }
```
And, as mentioned by other posters, you definitely need some kind of whitelist to explicitly allow (for classes, at least, since I'm sure that not every class should be accessible from ajax). We also check class_exists() and method_exists().
I would also recommend a message type reminder system if any of these checks failed. I am sure you would like to know if someone is trying hax0r j00.
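The pieces this answer describes (character filter, explicit whitelist, existence checks, and a log entry when a check fails) fit together in one dispatcher. The block below is an added example, not the poster's code; the handler classes, the allowlist contents and the log message format are assumptions made so that it runs stand-alone.

```php
<?php
// Added example (not the original poster's code): a minimal AJAX dispatcher that
// combines the very_safe_string() filter with an explicit allowlist,
// class_exists()/method_exists() checks, and logging of rejected requests.
// Class names, method names and log text below are constructed for illustration.

declare(strict_types=1);

// Strip everything except letters, digits and underscore (the poster's filter).
function very_safe_string(string $string): string
{
    return preg_replace('/[^A-Za-z0-9_]/', '', $string);
}

// Explicit allowlist: only these class => methods pairs may be reached from AJAX.
const AJAX_ALLOWLIST = [
    'UserApi'   => ['profile', 'logout'],
    'SearchApi' => ['query'],
];

// Hypothetical handler classes, present only so the example runs stand-alone.
class UserApi
{
    public function profile(): array { return ['user' => 'demo']; }
    public function logout(): array { return ['ok' => true]; }
}
class SearchApi
{
    public function query(): array { return ['results' => []]; }
}

// Record every refused call so repeated probing shows up in monitoring.
function log_rejected(string $reason, string $class, string $method): void
{
    error_log(sprintf('[ajax-dispatch] rejected: %s (class=%s method=%s)',
        $reason, $class, $method));
}

// Returns the handler's result, or null when the request was refused.
function dispatch(string $rawClass, string $rawMethod): ?array
{
    $class  = very_safe_string($rawClass);
    $method = very_safe_string($rawMethod);

    // Anything the filter had to strip is itself a signal worth recording.
    if ($class !== $rawClass || $method !== $rawMethod) {
        log_rejected('unexpected characters', $rawClass, $rawMethod);
        return null;
    }
    // Allowlist first: unknown names never reach the autoloader.
    if (!isset(AJAX_ALLOWLIST[$class])
        || !in_array($method, AJAX_ALLOWLIST[$class], true)) {
        log_rejected('not in allowlist', $class, $method);
        return null;
    }
    // Belt and braces: the allowlist can drift from the code it names.
    if (!class_exists($class) || !method_exists($class, $method)) {
        log_rejected('class or method missing', $class, $method);
        return null;
    }
    return (new $class())->$method();
}

// Constructed sample requests: one legitimate, two that must be refused.
var_dump(dispatch('UserApi', 'profile'));
var_dump(dispatch('../Config', 'read'));
var_dump(dispatch('ReflectionClass', '__construct'));
```

The order of the checks matters: the allowlist lookup runs before class_exists(), so a name that is not on the list is rejected before PHP's autoloader is ever asked about it, and the character filter is applied to the raw input rather than trusted on its own.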