Question

I've come across Twitto, which basically is a web framework that fits in a tweet. It is so short that I can post the code here:

require __DIR__.'/c.php';
if (!is_callable($c = @$_GET['c'] ?: function() { echo 'Woah!'; }))
  throw new Exception('Error');
$c();

It basically searches for a file named c.php and calls whatever function in that file has the same name as $_GET['c'].

On the project's website, there is a big red banner at the bottom of the page that reads:

» TWITTO IS NOT SECURE, DON'T USE IT FOR YOUR NEXT WEBSITE «

I am no PHP guru, but to me it looks like if you take all the precautions you normally take with a standard PHP site (sanitizing user input, etc.), it should be secure enough?

What is wrong with this tiny framework?

EDIT: I understand why this framework is not secure AS-IS, but with the proper bootstrapping and validation checks and everything inside the function you call, it should be just as secure as any other framework?
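As an added example (not code from the question or from the Twitto project), here is the dispatch step of the snippet above, rewritten as a function that takes the route name as a parameter, next to an allowlisted version; `hello`, `about` and `internal_reset` are constructed stand-ins for what a c.php might define. The point it makes: `is_callable()` is true for the name of any function PHP has loaded, so validation inside the c.php handlers cannot limit which function gets called in the first place.

```php
<?php
// Added example, not part of the question or of Twitto.
// Constructed stand-in for c.php: two handlers meant to be routes,
// plus one helper that c.php needs but that must never be reachable from a URL.
function hello(): string { return 'hello page'; }
function about(): string { return 'about page'; }
function internal_reset(): string { return 'state reset'; }

// Twitto's dispatch, with $_GET['c'] replaced by a parameter.
// is_callable() only asks "is there SOME function by this name?", so every
// function defined anywhere (c.php, its includes, PHP built-ins) that can be
// called with zero arguments is selectable by the request.
function dispatch_unsafe(?string $name): string
{
    $c = $name ?: function () { return 'Woah!'; };
    if (!is_callable($c)) {
        throw new Exception('Error');
    }
    return (string) $c();
}

// Hardened form: the request string is only ever used as a key into a map
// the application declares itself. Nothing outside this map is reachable.
const ROUTES = [
    'hello' => 'hello',
    'about' => 'about',
];

function dispatch_allowlisted(?string $name): string
{
    if ($name === null || $name === '') {
        return 'Woah!';
    }
    if (!array_key_exists($name, ROUTES)) {
        throw new Exception('Error'); // unknown route: reject, never look it up
    }
    $fn = ROUTES[$name];
    return (string) $fn();
}

// Usage: both dispatchers serve the declared routes...
echo dispatch_unsafe('hello'), "\n";        // hello page
echo dispatch_allowlisted('hello'), "\n";   // hello page
// ...but only the allowlisted one refuses a function that is not a route.
echo dispatch_unsafe('internal_reset'), "\n"; // state reset (reachable!)
try {
    dispatch_allowlisted('internal_reset');
} catch (Exception $e) {
    echo "rejected: not a declared route\n";
}
```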


Licensed under: CC-BY-SA with attribution