Do you have to worry about php function security?

I am creating a site that uses classes with functions to modify information in the database, and t开发者_开发技巧o also give information to users, but when users login they have access to the same class and all functions - including ones I don't want them to be able to use. Is there some sort of security problem here?

My thinking is that there wouldn't be since the PHP is interpreted before it even gets to the browser and user, so the only way they would have access to an unauthorized function is if they got access to a page that uses it - but I could protect those pages in another manner to prevent that.

Is my thinking correct, or am I completely off?

Thanks ahead of time for your help!

Think of this: Are there any way a user can invoke one of your functions in a way you don't intend? (Examples could be visiting a certain link, clicking a button or other user interface stuff.)

As you have said, PHP is interpreted on the server. A user can't invoke / touch your source code unless you make it possible.

Important: Even though users can't see the user interface for something doesn't mean it's secure.

If visiting a certain link or submitting a certain form will execute a certain function, hiding the link or form won't solve your problem. A user can still enter the link in their browser, or forge a POST request that executes the action.

You can solve this problem by checking if the current user has privileges to execute a certain action at runtime.

Examples:

if (isUserLoggedIn()) {
    doSomething();
}

if ($user->isAdmin()) {
    doSomething();
}

if ($_SESSION['user']['role'] == 'admin') {
    doSomething();
}

How are your functions called?

If users can not access functions you do not want them to, you are almost there.

Just make sure that they cannot edit any variable in an unintended way...