Can someone execute a php function in my library but not called on the viewed page?

Let's say I have a php file, test.php with 2 functions: test1() and test2().

If I have an external php file, index.php, with include(test.php) in its code. If in the index.php file has a reference to test1开发者_开发技巧() but not test2(), is there any way that someone would be able to execute test2() by doing something malicious while using the index.php file?

The only way they could execute arbitrary code is through a code injection vulnerability.

Here's an oversimplified example:

<?php

$runthis = $_GET["runthis"];

$runthis();

So an attacker could invoke your script as http://example.com/index.php?runthis=test2 and then it would run your test2() function.

Read more about code injection at the wikipedia article I linked to above, or at the OWASP site.

When you say "using", do you mean like an end user in their browser? No, they can't run arbitrary code.