0

Possible Duplicates:
When (if ever) is eval NOT evil?
when is eval evil in php?

Since I found no other way of executing a string from an external file as code, I resorted to utilizing eval(). I am not asking about any code in particular, since examples in my use-case scenario would be trivial - what I want to know is what are the dangers of using eval in php code.

I did some research on the subject, but I couldn't find any answer that would satisfy my curiosity. All I was able to find were things like "execution of malicious code", "abusive injections" etc. No examples, and no detailed explanations on why this is such a bad practice.

Anyone care to answer this a little bit more in-depth?

Thanks.

7
  • 1
    Apart from the security concerns, you usually don't need it anyway. What do you want to do? Commented Jan 7, 2011 at 23:36
  • 1
    You wouldn't want to eval anything user supplied. Commented Jan 7, 2011 at 23:37
  • There are quite a number of posts on this subject already which you can find here: stackoverflow.com/search?q=risks+of+php+eval. Including this one here: stackoverflow.com/questions/3499672/…. In short, there's nothing inherently wrong with it if you know for sure the source of the code, but it can be really messy to clean up for other coders. Commented Jan 7, 2011 at 23:39
  • 1
    exact duplicate: stackoverflow.com/questions/951373 Commented Jan 7, 2011 at 23:40
  • I am working on a class that is supposed to generate forms from given JSON configurations. The class isn't really anything complicated, but I wanted to externalize (as in, read from external files) the widgets that would go inside these forms. For example: configuration says that there should be a textbox on a particular place -> class parses this, fetches and evals() the external textbox string (a mix of html and php) and puts it in an array, that stores all the widgets in it. This array is later passed to the controller/view pair for rendering. Lengthy, and I apologize for that. :) Commented Jan 7, 2011 at 23:41

4 Answers

2

Check out these previous questions:

When is eval() evil in PHP?

When (if ever) is eval() NOT evil?


2 Comments

IMHO it's better to post this as a comment to the question (since these are duplicates)...
@ChristopheD: You're probably right - Thanks.
0

For the problems, see this link:

http://www.google.com/search?q=php+why+eval+is+bad

But you shouldn't need to use eval. Developers really should act as if eval doesn't exist. Perhaps you could explain your situation more clearly? Questions such as where you are getting the code file, why you can't use include, etc.


0

As long as you can trust the source of the code you call with eval() you will be safe.

If random users are providing the strings you call eval() on, then you are at risk of someone providing you evil strings like this:

exec("rm -rf /"); 

Your eval will happily run this string, and depending on permissions it will delete everything on your filesystem.


0

If you are evaling server-side code that you (or someone you trust) wrote that is not publicly accessible then that is no more dangerous than executing regular PHP code. The problem comes when you depend on user input to do the eval since it can be malicious.
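The second answer asks why include cannot be used, and this answer draws the line at user-influenced input. As an added example that is not code from the question or from any answer on this page, here is one way to build the asker's JSON-driven form widgets without eval(): the configuration may only name a key in a fixed allowlist, the template behind that key is pulled in with include, and every configured value is escaped before the template sees it. The widget names, file names, template markup and sample JSON are all assumptions constructed for this example.

```php
<?php
// Added example, not code from the question or from any answer on this page.
// Widget names, file names, template markup and the JSON configuration below
// are assumptions constructed so that the example runs stand-alone.

declare(strict_types=1);

// --- The pattern the question describes (shown for contrast only) -----------
// The config picks a file and the file's contents are handed to eval(), so
// whoever can write the config or the file decides what PHP the server runs.
function renderWidgetWithEval(string $path, array $attrs): string
{
    ob_start();
    eval('?>' . file_get_contents($path));   // runs whatever PHP the file contains
    return ob_get_clean();
}

// --- Hardened version: allowlisted include plus escaped values --------------
// Templates are ordinary PHP files in one directory. The config can only name
// a key of the $widgetTemplates map, never a path, so it cannot reach other files.
$templateDir = sys_get_temp_dir() . '/widgets_example';
@mkdir($templateDir, 0700);
// Constructed templates, written here only so the example runs offline.
file_put_contents($templateDir . '/textbox.php',
    '<label><?= $attrs["label"] ?> <input type="text" name="<?= $attrs["name"] ?>"></label>' . "\n");
file_put_contents($templateDir . '/checkbox.php',
    '<label><input type="checkbox" name="<?= $attrs["name"] ?>"> <?= $attrs["label"] ?></label>' . "\n");

$widgetTemplates = [
    'textbox'  => $templateDir . '/textbox.php',
    'checkbox' => $templateDir . '/checkbox.php',
];

function renderWidget(array $widgetTemplates, string $type, array $rawAttrs): string
{
    if (!isset($widgetTemplates[$type])) {
        throw new InvalidArgumentException("Unknown widget type: $type");
    }
    // Escape every value before it reaches the template: the template only
    // interpolates text from $attrs, it never evaluates anything from the config.
    $attrs = [];
    foreach ($rawAttrs as $key => $value) {
        $attrs[$key] = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    ob_start();
    include $widgetTemplates[$type];   // $attrs is in scope for the included template
    return ob_get_clean();
}

// Constructed sample configuration, standing in for the JSON file the class reads.
$configJson = '[{"type":"textbox","name":"email","label":"E-mail"},'
            . '{"type":"checkbox","name":"agree","label":"I agree <b>unconditionally</b>"}]';
$config = json_decode($configJson, true, 512, JSON_THROW_ON_ERROR);

$widgets = [];
foreach ($config as $entry) {
    $type  = (string) $entry['type'];
    $attrs = ['name' => $entry['name'], 'label' => $entry['label']];
    $widgets[] = renderWidget($widgetTemplates, $type, $attrs);
}
echo implode('', $widgets);
// The <b> in the second label is emitted as &lt;b&gt;, not as markup, and a
// config entry whose "type" is not in the allowlist throws instead of rendering.
```

The key design choice is that the JSON decides only which allowlisted template runs and what text goes into it; it never supplies code or a path. That keeps the trust boundary where this answer puts it: the templates are server-side files written by the developer, and the configuration is treated as data even if it is later edited by someone less trusted.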
