Monday 27 May 2013

beats by dre Norge


Is it bad practice to use variable variables in PHP in the following fashion?

Yes, this is rather bad practice. Do you need a variable variable for that instance? In other words, do you need more than one class method to be instantiated in a given request? Your URI structure suggests not. If not, you could just use:

    $object = new $className();
    $objects = array();

As far as the existence checks for your class in a given directory, this should be a sufficient whitelist (presuming an attacker cannot write to that directory).

EDIT: As a further check, you may want to consider checking method_exists on the object before calling the method.

A couple of pointers, though: your code does have a vulnerability where an attacker could traverse your directory with $_GET parameters like ?class=./base. If that file exists, your file_exists() call will return true and your application will attempt to include it and instantiate it as a class.
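The points made in the answer above (one class per request, a whitelist derived from the class directory, method_exists before the dynamic call, and the traversal problem with a bare file_exists check) can be put together in one small dispatcher. This is an added example, not code from the question or the answer; the directory name, the Home class and the request values are constructed here so the script runs stand-alone.

```php
<?php
// Added example (not from the original post): a dispatcher that instantiates
// one class per request from a request parameter, validating the name before
// it is used either to build a file path or as a class name.

declare(strict_types=1);

// Constructed fixture: one controller class written to a temporary directory so
// the example runs stand-alone. In a real application this would be the
// application's own controller directory; "Home" and $classDir are assumptions.
$classDir = sys_get_temp_dir() . '/dispatch_example_' . getmypid();
mkdir($classDir, 0700);
file_put_contents($classDir . '/Home.php', <<<'PHP'
<?php
class Home {
    public function index(): string { return 'home index'; }
}
PHP);

/**
 * The weak check from the question: file_exists() on a path built straight
 * from user input. A value such as "./base" or "../base" is accepted whenever
 * the resulting path exists, so it can reach files outside the intended
 * directory.
 */
function resolveWeak(string $dir, string $class): ?string
{
    $path = $dir . '/' . $class . '.php';
    return file_exists($path) ? $path : null;
}

/**
 * Hardened resolution:
 *  1. the name must be a plain identifier (no "/", "." or "\"),
 *  2. the canonical path must still lie inside the controller directory,
 *  3. only then is the file considered for inclusion.
 */
function resolveSafe(string $dir, string $class): ?string
{
    if (preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $class) !== 1) {
        return null;                        // rejects "./base", "../x", "a b", ...
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $class . '.php');
    if ($base === false || $path === false) {
        return null;                        // unknown class or directory
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                        // canonical path escaped the directory
    }
    return $path;
}

/**
 * Instantiate the class and call the method, as the answer suggests: one
 * object per request, with method_exists() before the dynamic call.
 * method_exists() also reports non-public methods, so is_callable() is
 * checked on the instance as well before the call is made.
 */
function dispatch(string $dir, string $class, string $method): string
{
    $path = resolveSafe($dir, $class);
    if ($path === null) {
        return '404: unknown class';
    }
    require_once $path;
    if (!class_exists($class, false) || !method_exists($class, $method)) {
        return '404: unknown class or method';
    }
    $object = new $class();                 // a variable class name, no variable variables
    if (!is_callable([$object, $method])) {
        return '404: method not callable';
    }
    return (string) $object->$method();
}

// Constructed requests: a legitimate one, a traversal attempt of the kind the
// answer describes, and the same attempt against the weak check for contrast.
echo dispatch($classDir, 'Home', 'index'), PHP_EOL;
echo dispatch($classDir, '../Home', 'index'), PHP_EOL;
var_dump(resolveWeak($classDir, './Home') !== null);

// Clean up the constructed fixture.
unlink($classDir . '/Home.php');
rmdir($classDir);
```

The identifier pattern is the primary control: it removes every character that could change the path, so the realpath comparison acts as a second, independent check rather than the only one. Deriving the allowlist from the directory contents (as the answer proposes) remains sound only while that directory is not writable by anyone who can also send requests.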
