I'm trying to create an AJAX script that will take two GET variables, class and method, and map them to methods we've designed (similar to how CodeIgniter acts for ajax, I'm pretty sure). Since I'm relying on user input to determine what class and method to execute I'm worried that there may be some way for a hacker to use that technique to their advantage.

The code:

//Grab and clean (just in case, why not) the class and method variables from GET $class = urlencode(trim($_GET['c'])); $method = urlencode(trim($_GET['m'])); //Ensure the passed function is callable if(method_exists($class, $method)){ $class::$method(); }

Are there any disadvantages or security watch-outs I should be aware of while using this technique?