0

Possible Duplicates:
When (if ever) is eval NOT evil?
when is eval evil in php?

Since I found no other way of executing a string from an external file as code, I resorted to utilizing eval(). I am not asking about any code in particular, since examples in my use-case scenario would be trivial - what I want to know is what are the dangers of using eval in php code.

I did some research on the subject, but I couldn't find any answer that would satisfy my curiosity. All I was able to find were things like "execution of malicious code", "abusive injections" etc. No examples, and no detailed explanations on why this is such a bad practice.

Anyone care to answer this a little bit more in-depth?

Thanks.

dbozhinovski
    Apart from the security concerns, you usually don't need it anyway. What do you want to do? –  Jan 07 '11 at 23:36
  • 1
    you wouldn't want to eval anything user supplied. – dqhendricks Jan 07 '11 at 23:37
  • There are quite a number of posts on this subject already which you can find here: http://stackoverflow.com/search?q=risks+of+php+eval. Including this one here: http://stackoverflow.com/questions/3499672/when-if-ever-is-eval-not-evil. In short, there's nothing inherently wrong with it if you know for sure the source of the code, but it can be really messy to clean up for other coders. – treeface Jan 07 '11 at 23:39
  • 1
    exact duplicate: http://stackoverflow.com/questions/951373 – Jonah Jan 07 '11 at 23:40
  • I am working on a class that is supposed to generate forms from given JSON configurations. The class isn't really anything complicated, but I wanted to externalize (as in, read from external files) the widgets that would go inside these forms. For example: configuration says that there should be a textbox on a particular place -> class parses this, fetches and eval()s the external textbox string (a mix of html and php) and puts it in an array, that stores all the widgets in it. This array is later passed to the controller/view pair for rendering. Lengthy, and I apologize for that. :) – dbozhinovski Jan 07 '11 at 23:41
  • @Seiryuu: If it's an external file, why not just use `include`? (Which BTW have the same risks as `eval`) – netcoder Jan 07 '11 at 23:42
  • Just realized that I could do that as well. Thanks again everyone. Will try to search more in-depth next time. – dbozhinovski Jan 07 '11 at 23:47
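The following is an added example, not code from the question or its comments, showing the alternative netcoder suggests for the form-from-JSON use case: the widget templates are ordinary PHP files pulled in with include() rather than strings fed to eval(), and the configuration may only select a template from a fixed allowlist, never name a file. The class name FormBuilder, the widget types, and the template files (written to a temporary directory so the script runs on its own) are all assumptions made for illustration.

```php
<?php
// Added example (not from the question or any answer). Loads externalized
// widget templates with include() behind an allowlist instead of eval().
// FormBuilder, the widget types and the template files are assumptions.

declare(strict_types=1);

final class FormBuilder
{
    /** The only widget types that may ever be loaded from disk. */
    private const ALLOWED_WIDGETS = ['textbox', 'checkbox'];

    public function __construct(private string $templateDir) {}

    /** @return string[] rendered widget HTML, one entry per configured field */
    public function build(string $json): array
    {
        $config = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        $widgets = [];
        foreach ($config['fields'] ?? [] as $field) {
            $widgets[] = $this->renderWidget($field);
        }
        return $widgets;
    }

    private function renderWidget(array $field): string
    {
        $type = $field['type'] ?? null;
        // The config picks an entry from a fixed set of templates we wrote
        // ourselves; it never supplies a path and never supplies PHP source.
        if (!is_string($type) || !in_array($type, self::ALLOWED_WIDGETS, true)) {
            throw new InvalidArgumentException('Unknown widget type: ' . json_encode($type));
        }
        // Config values are data for the template; they are escaped on output
        // inside the template rather than spliced into code.
        $name  = (string) ($field['name']  ?? '');
        $label = (string) ($field['label'] ?? '');

        ob_start();
        include $this->templateDir . '/' . $type . '.php'; // sees $name, $label
        return ob_get_clean();
    }
}

// --- demo with constructed template files in a temporary directory ---
$dir = sys_get_temp_dir() . '/widgets_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/textbox.php',
    '<label><?= htmlspecialchars($label) ?> '
    . '<input type="text" name="<?= htmlspecialchars($name) ?>"></label>');
file_put_contents($dir . '/checkbox.php',
    '<label><input type="checkbox" name="<?= htmlspecialchars($name) ?>"> '
    . '<?= htmlspecialchars($label) ?></label>');

$builder = new FormBuilder($dir);

// Trusted configuration: two widgets rendered from the template files; the
// "<b>" in the label is escaped by the template, not interpreted.
$json = '{"fields":[{"type":"textbox","name":"email","label":"E-mail"},'
      . '{"type":"checkbox","name":"tos","label":"I agree <b>"}]}';
foreach ($builder->build($json) as $html) {
    echo $html, PHP_EOL;
}

// A configuration that tries to name an arbitrary file is rejected before
// include() ever sees it, because "../secret" is not an allowed type.
try {
    $builder->build('{"fields":[{"type":"../secret","name":"x","label":"y"}]}');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist is what addresses netcoder's point that include has the same risks as eval: include is only as safe as the path it receives, so the path here is built from a constant directory and a value that has already been matched against a short list of names the developer controls.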

4 Answers

2

Check out these previous questions:

When is eval() evil in PHP?

When (if ever) is eval() NOT evil?

Colin Brock
0

For the problems, see this link:

http://www.google.com/search?q=php+why+eval+is+bad

But you shouldn't need to use eval. Developers really should act as if eval doesn't exist. Perhaps you could explain your situation more clearly? Questions such as where you are getting the code file, why you can't use include, etc.

Jonah
0

As long as you can trust the source of the code you call with eval() you will be safe.

If random users are providing the strings you call eval() on, then you are at risk of someone providing you evil strings like this:

exec("rm -rf /");

Your eval will happily run this string, and depending on permissions it will delete everything on your filesystem.

Fragsworth
0

If you are evaling server-side code that you (or someone you trust) wrote that is not publicly accessible then that is no more dangerous than executing regular PHP code. The problem comes when you depend on user input to do the eval since it can be malicious.

Abdullah Jibaly
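Added example, not code from Fragsworth's or Abdullah Jibaly's answers, illustrating the trust boundary both describe: a string the developer wrote is as safe as any other PHP, while a string taken from a request becomes arbitrary code the moment it reaches eval(). The "calculator" scenario, the function calcWithEval and the class SafeCalc are assumptions made for illustration; the hardened version parses the input as arithmetic with a small recursive-descent parser so that nothing from the request is ever handed to the interpreter as source.

```php
<?php
// Added example (not from the answers above). Contrasts eval() on
// request-supplied input with a parser that treats the input as data.
// calcWithEval and SafeCalc are hypothetical names for this illustration.

declare(strict_types=1);

// VULNERABLE: the request string becomes PHP source, so any valid PHP in it
// runs with the web server's privileges (this is the "rm -rf /" case).
function calcWithEval(string $expr): float
{
    return (float) eval('return ' . $expr . ';');
}

// HARDENED: only numbers, + - * / and parentheses are accepted, and the
// value is computed by this code; the input never reaches eval().
final class SafeCalc
{
    /** @var string[] */
    private array $tokens;
    private int $pos = 0;

    private function __construct(array $tokens) { $this->tokens = $tokens; }

    public static function evaluate(string $expr): float
    {
        $token = '\d+(?:\.\d+)?|[-+*\/()]';
        // Whole-string allowlist: reject anything outside the grammar.
        if (!preg_match('/^\s*(?:' . $token . ')(?:\s*(?:' . $token . '))*\s*$/', $expr)) {
            throw new InvalidArgumentException('Invalid expression');
        }
        preg_match_all('/' . $token . '/', $expr, $m);
        $calc  = new self($m[0]);
        $value = $calc->parseExpr();
        if ($calc->pos !== count($calc->tokens)) {
            throw new InvalidArgumentException('Unexpected trailing input');
        }
        return $value;
    }

    // expr := term (('+' | '-') term)*
    private function parseExpr(): float
    {
        $value = $this->parseTerm();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op  = $this->next();
            $rhs = $this->parseTerm();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    // term := factor (('*' | '/') factor)*
    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op  = $this->next();
            $rhs = $this->parseFactor();
            if ($op === '/' && $rhs == 0.0) {
                throw new InvalidArgumentException('Division by zero');
            }
            $value = $op === '*' ? $value * $rhs : $value / $rhs;
        }
        return $value;
    }

    // factor := number | '-' factor | '(' expr ')'
    private function parseFactor(): float
    {
        $tok = $this->next();
        if ($tok === null) {
            throw new InvalidArgumentException('Unexpected end of expression');
        }
        if ($tok === '-') {
            return -$this->parseFactor();
        }
        if ($tok === '(') {
            $value = $this->parseExpr();
            if ($this->next() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            return $value;
        }
        if (is_numeric($tok)) {
            return (float) $tok;
        }
        throw new InvalidArgumentException("Unexpected token: $tok");
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function next(): ?string { return $this->tokens[$this->pos++] ?? null; }
}

// Constructed request input: evaluated as arithmetic, never as code.
echo SafeCalc::evaluate('2 * (3 + 4) - 5'), PHP_EOL;

// The string from Fragsworth's answer, and a malformed expression, are both
// rejected before anything is executed.
foreach (['exec("rm -rf /");', '(1+2'] as $bad) {
    try {
        SafeCalc::evaluate($bad);
    } catch (InvalidArgumentException $e) {
        echo "Rejected '$bad': ", $e->getMessage(), PHP_EOL;
    }
}
```

The difference between the two functions is where the input stops being data: calcWithEval concatenates it into PHP source, so the allowed "language" is all of PHP, whereas SafeCalc defines the accepted language itself, and a request that does not fit that grammar is an error rather than a program.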