I know that eval is the function in PHP to execute PHP code from an input. Now I want to make a W3Schools-like editor. What can I do to protect the eval code that I get from a POST variable?

$code = eval($_POST["phpusercode"]); // eval() returns only what the evaluated code returns (NULL otherwise)
echo $code;

What I want to do is when a user will make a function like this

I want to give user the ability to write his own PHP code on my site without making my website vulnerable to some sort of hacking.

    `to display` -- no. `to execute` -- yes – sectus Jul 02 '14 at 09:04
  • You can ask the people of http://writecodeonline.com/php/ how they did it perhaps, this discussion would lead way too far considering all the involved security risks. – Blizz Jul 02 '14 at 09:07

1 Answer

eval evaluates code, so, as @sectus says in the comments, it executes the code.

For example:

eval("echo 'Hello user';"); // This will execute echo 'Hello user'; (the statement inside the string needs its semicolon)

So, in your case I think you don't want to execute your user code, so please clarify your question and update it.

IMPORTANT:

  • Use of eval is highly discouraged
  • NEVER EVER use eval with params from POST/GET without sanitizing them

Useful links:

When eval is evil

Avoid SQL injection

    Just for quick reminder; POST and GET are not only user controlled variables. You should check out COOKIE and all other http header parameters. – Mehmet Ince Jul 02 '14 at 14:22
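The point the answer and the comments make is that eval() on request data runs whatever the client sent with the full privileges of the web server process. Below is an added example (not code from the question, the answer, or any commenter) of the alternative a practitioner would reach for in an "online editor" setting: never eval() the submission in the request at all, but hand it to a separate php CLI process started with a restricted ini configuration, a hard time limit and an output cap, and only then print the captured output, HTML-escaped. It assumes PHP 7.4+ (array form of proc_open, which skips the shell), a `php` binary on PATH, and an empty, writable directory at SANDBOX_DIR; the directory path, the function list and the limits are assumptions to adjust. disable_functions and open_basedir reduce what the child can do, but they are a mitigation layer, not a security boundary: a real service also runs the child as a separate unprivileged user or in a container with no network.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: PHP 7.4+, `php` on PATH, SANDBOX_DIR exists, is empty and is writable.
const SANDBOX_DIR = '/tmp/php-sandbox';   // assumed path; create it before use

/**
 * Execute user-submitted PHP source in a separate, restricted php process
 * instead of eval() inside the web request.
 *
 * Returns ['stdout' => string, 'stderr' => string, 'exit' => ?int, 'timed_out' => bool].
 */
function run_user_php(string $source, int $timeoutSeconds = 3, int $maxOutputBytes = 64 * 1024): array
{
    if (!is_dir(SANDBOX_DIR) || !is_writable(SANDBOX_DIR)) {
        throw new RuntimeException('SANDBOX_DIR must be an existing writable directory');
    }
    // The script must live inside SANDBOX_DIR: open_basedir below confines the
    // child's file access (including reading its own script) to that directory.
    $file = tempnam(SANDBOX_DIR, 'user_');
    file_put_contents($file, $source);

    // Functions the child may not call. Anything not listed stays callable, so
    // this is defence in depth, not the boundary itself. (eval is a language
    // construct and cannot be disabled this way.)
    $disabled = implode(',', [
        'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen',
        'pcntl_exec', 'dl', 'putenv', 'mail', 'fsockopen', 'stream_socket_client',
        'curl_init',
    ]);

    $cmd = [
        'php', '-n',                                   // ignore the system php.ini
        '-d', 'disable_functions=' . $disabled,
        '-d', 'open_basedir=' . SANDBOX_DIR,           // no file access outside the sandbox dir
        '-d', 'allow_url_fopen=0',                     // no http:// or ftp:// streams
        '-d', 'memory_limit=64M',
        '-d', 'display_errors=stderr',                 // parse/runtime errors go to stderr
        '-f', $file,
    ];
    $descriptors = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Array form of proc_open: no shell is involved, so no quoting problems.
    $proc = proc_open($cmd, $descriptors, $pipes, SANDBOX_DIR, ['PATH' => '/usr/bin:/bin']);
    if (!is_resource($proc)) {
        unlink($file);
        throw new RuntimeException('could not start php child process');
    }
    fclose($pipes[0]);                                 // the child gets no stdin
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $out = ['stdout' => '', 'stderr' => '', 'exit' => null, 'timed_out' => false];
    $deadline = microtime(true) + $timeoutSeconds;

    while (true) {
        $remaining = $deadline - microtime(true);
        if ($remaining <= 0) {
            // An infinite loop in user code must not tie up the web worker.
            $out['timed_out'] = true;
            proc_terminate($proc, 9);                  // SIGKILL
            break;
        }
        $read = [$pipes[1], $pipes[2]];
        $write = $except = null;
        $sec = (int) $remaining;
        $usec = (int) (($remaining - $sec) * 1e6);
        if (stream_select($read, $write, $except, $sec, $usec) > 0) {
            foreach ($read as $stream) {
                $key = ($stream === $pipes[1]) ? 'stdout' : 'stderr';
                $chunk = fread($stream, 8192);
                if ($chunk !== false && $chunk !== '') {
                    // Cap captured output so a tight echo loop cannot exhaust memory.
                    $out[$key] = substr($out[$key] . $chunk, 0, $maxOutputBytes);
                }
            }
        }
        if (feof($pipes[1]) && feof($pipes[2])) {
            break;                                     // child closed both pipes: it has finished
        }
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    $out['exit'] = proc_close($proc);
    unlink($file);
    return $out;
}

// Usage in the request handler, in place of eval($_POST["phpusercode"]):
// $result = run_user_php((string) ($_POST['phpusercode'] ?? ''));
// echo '<pre>' . htmlspecialchars($result['stdout'] . $result['stderr'], ENT_QUOTES, 'UTF-8') . '</pre>';
// (Escaping matters: otherwise the user's script output becomes HTML in your page.)
```

The web process itself never parses or runs the submission; it only starts, times out and reads from the child, and a parse error in the user's code surfaces as text on stderr rather than as a fatal error in your request. The escaping in the usage note is not optional: the sandbox output is attacker-controlled text, and printing it raw would hand the same user a cross-site scripting vector on your site.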