Is it safe to get user data with code eval("\$name= \"$input\";"), where $input gets from user?

Question

$input = $_GET['name'];
eval("\$name= \"$input\";");

Or it is insecure? Thanks. Without any php functions, like preg_replace or any other, just working with user data as string type with \" when put it to eval function.

If you tell us what exactly you're trying to accomplish, Someone might give you a safe alternative — dustytrash, Sep 28 '18 at 17:45
Possible duplicate of [When is eval evil in php?](https://stackoverflow.com/questions/951373/when-is-eval-evil-in-php) — Nigel Ren, Sep 28 '18 at 18:08

score 3 · Answer 1 · answered Sep 28 '18 at 19:14

3

This basically will allow the user to inject arbitrary code into your application. Think something in the line of

$input=";mysql_query(\"DROP TABLE users\")"

Also eval makes it basically impossible to cache anything but that is a minor consequence.

answered Sep 28 '18 at 19:14

Christoph Grimmer

4,210
4
40
64

Is it safe to get user data with code eval("\$name= \"$input\";"), where $input gets from user?

1 Answers1