Preventing Accidental class/function calls
#1

[eluser]mugabesdub[/eluser]
I am new to CI and this may have been already addressed in the CI documentation in which I am yet to finish completely.
So forgive my ignorance if it is.
Since CI url structure is class/function/id, an unknown user could play around with various possible class/function/id possibilities and attempt to call up a function not meant to be called directly, and compromise the website.

Does anyone have any ideas or methods to prevent this from happening?

I could come up with my own methods but I thought I would get some ideas before embarking upon that task. Thanks for any responses.
#2

[eluser]Yorick Peterse[/eluser]
Depending on what you want, you could do something like the following:

Code:
<?php

// Methods have to live inside a controller class (the bare functions in the
// original snippet would not parse, since `private` is only valid in a class).
// "Blog" and the base class "Controller" (CodeIgniter 1.x) are assumed here.
class Blog extends Controller {

   function index() {
      // This function can be called without trouble
   }

   private function foo() {
      // This function can only be called by other functions that are in the same class
   }

   function cookies() {
      // This function only does its work when called with a $_POST method
      if ($_POST) {
         // Do something
      }
      else {
         // Do something else....
      }
   }
}
?>
#3

[eluser]mugabesdub[/eluser]
Okay, yeah, doh! Didn't think of that. Great idea!

A seven-letter word works the magic.

Thanks!
#4

[eluser]pistolPete[/eluser]
From the user guide:

Quote:Private Functions

In some cases you may want certain functions hidden from public access. To make a function private, simply add an underscore as the name prefix and it will not be served via a URL request. For example, if you were to have a function like this:

Code:
function _utility()
{
  // some code
}

Trying to access it via the URL, like this, will not work:
example.com/index.php/blog/_utility/
#5

[eluser]mugabesdub[/eluser]
Another Great Idea! Thank you pistolPete.
#6

[eluser]Jondolar[/eluser]
This was a great question to ask. I actually never thought of that possibility (new to CI too) nor did I evaluate the impact to the application if that was done. Thanks for the answers mugabesdub and pistolPete.

Now I have to figure out which method is "better" :)
#7

[eluser]depthcharge[/eluser]
[quote author="pistolPete" date="1243647143"]From the user guide:

Quote:Private Functions

In some cases you may want certain functions hidden from public access. To make a function private, simply add an underscore as the name prefix and it will not be served via a URL request. For example, if you were to have a function like this:

Code:
function _utility()
{
  // some code
}

Trying to access it via the URL, like this, will not work:
example.com/index.php/blog/_utility/
[/quote]

This way of doing things is more compatible, working with both versions 4 and 5 of PHP.

:-)
#8

[eluser]Tom Schlick[/eluser]
The best solution is not to put those critical things into a controller, and always VALIDATE EVERYTHING a user submits. If you do that you shouldn't have to worry that much.
#9

[eluser]Jondolar[/eluser]
[quote author="trs21219" date="1243678529"]The best solution is not to put those critical things into a controller, and always VALIDATE EVERYTHING a user submits. If you do that you shouldn't have to worry that much.[/quote]

In this case, the controller function would be called prior to any validation you would do. I think the best case would be to use the underscore for any "private" function.
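To see how the three approaches from this thread (underscore prefix, `private` visibility, checking the request method) keep a controller method off the URL, here is an added example of a minimal dispatcher that applies those rules before calling anything. It is not code from the thread or from CodeIgniter itself; the `Controller` base class, the `Blog` controller and the `is_routable`/`dispatch` helpers are assumed names, and it needs PHP 7 or later.

```php
<?php
// Added example: a minimal "is this class/method reachable from a URL?" check
// modelled on the rules discussed above. All names here are hypothetical.

class Controller {            // stand-in for CI's base controller class
    public function load() {} // inherited helper; must not be URL-reachable
}

class Blog extends Controller {
    public function index()    { return 'public page'; }
    public function _utility() { return 'underscore helper'; }  // hidden by CI convention
    private function foo()     { return 'private helper'; }    // hidden by visibility
    public function cookies() {
        // Only do the state-changing work on an actual POST request
        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
            return 'cookies: refused, not a POST';
        }
        return 'cookies: updated';
    }
}

// Decide whether a URL segment pair (class/method) may be dispatched at all.
function is_routable(string $class, string $method): bool {
    if (!class_exists($class) || !method_exists($class, $method)) return false;
    if ($method[0] === '_') return false;               // underscore-prefixed: hidden
    $rm = new ReflectionMethod($class, $method);
    if (!$rm->isPublic()) return false;                 // private/protected: hidden
    // Methods inherited from the base class are framework plumbing, not pages.
    if ($rm->getDeclaringClass()->getName() !== $class) return false;
    return true;
}

// Turn "class/method" into a call, or a 404 when the rules above refuse it.
function dispatch(string $uri): string {
    [$class, $method] = array_pad(explode('/', trim($uri, '/'), 2), 2, 'index');
    $class = ucfirst(strtolower($class));
    if (!is_routable($class, $method)) return "404 for $uri";
    return (new $class)->$method();
}

$_SERVER['REQUEST_METHOD'] = 'GET';  // constructed request context for the demo
foreach (['blog/index', 'blog/_utility', 'blog/foo', 'blog/load', 'blog/cookies'] as $uri) {
    echo $uri, ' => ', dispatch($uri), PHP_EOL;
}
```

Only `blog/index` is served; the underscore, private and inherited methods all get a 404 before any code in them runs, which is the point Jondolar makes about validation happening too late to help here.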