B.1. eval()

The eval() function is used for evaluating a string as PHP. For example:

    <?php

    $name = 'Chris';
    $string = 'echo "Hello, $name";';
    eval($string);

    ?>

This executes $string as if it were PHP, so it is equivalent to the following:

    <?php

    $name = 'Chris';
    echo "Hello, $name";

    ?>

While useful, eval() is very dangerous when tainted data is used. For example, if $name is tainted, an attacker can execute arbitrary PHP code:

    <?php

    $name = $_GET['name'];
    eval($name);

    ?>

I recommend that you avoid using eval() whenever possible, and in particular whenever you cannot ensure that tainted data never reaches the string that is to be interpreted as PHP. This function is a good candidate for inspection during a security audit or peer review.
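As an added example (not code from the book), the following PHP script shows both sides of the advice above: the greeting rewritten without eval(), so the untrusted value is only ever substituted as data, and a small audit helper that tokenizes PHP source with token_get_all() and reports every eval() call, distinguishing a constant string literal from an argument built at run time. The function names (greet, find_eval_calls) and the sample source are this example's own constructions, not the book's.

```php
<?php
// Added example, not from the original text. Names and sample input are constructed.

// The greeting from the text without eval(): the code is fixed, and $name is
// inserted as data through sprintf(), so it can never be interpreted as PHP.
// htmlspecialchars() is added because the result is meant to be echoed into HTML.
function greet(string $name): string
{
    return sprintf('Hello, %s', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
}

// Audit helper: walk the token stream and report each eval() call with its line
// number and a rough risk label. Only a constant string argument followed directly
// by ')' cannot carry tainted data; anything else is flagged for manual review.
function find_eval_calls(string $source): array
{
    $tokens   = token_get_all($source);
    $count    = count($tokens);
    $findings = [];

    $skipWhitespace = function (int $pos) use ($tokens, $count): int {
        while ($pos < $count && is_array($tokens[$pos]) && $tokens[$pos][0] === T_WHITESPACE) {
            $pos++;
        }
        return $pos;
    };

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_EVAL) {
            continue;
        }

        // Move past "eval", optional whitespace and the opening parenthesis.
        $j = $skipWhitespace($i + 1);
        if ($j < $count && $tokens[$j] === '(') {
            $j = $skipWhitespace($j + 1);
        }
        $argTok = $tokens[$j] ?? ')';

        // Constant-string argument only if the literal is immediately closed by ')'.
        $k = $skipWhitespace($j + 1);
        $isConstant = is_array($argTok)
            && $argTok[0] === T_CONSTANT_ENCAPSED_STRING
            && ($tokens[$k] ?? null) === ')';

        $findings[] = [
            'line'     => $tok[2],
            'argument' => is_array($argTok) ? $argTok[1] : (string) $argTok,
            'risk'     => $isConstant ? 'constant string' : 'runtime-built argument: review for taint',
        ];
    }

    return $findings;
}

// Constructed sample source containing the three patterns discussed in the text.
$sample = <<<'PHP'
<?php
$name = $_GET['name'];
eval($name);
eval('echo "static";');
$string = 'echo "Hello, $name";';
eval($string);
PHP;

echo greet('Chris'), "\n";            // Hello, Chris

foreach (find_eval_calls($sample) as $f) {
    printf("line %d: eval(%s) -- %s\n", $f['line'], $f['argument'], $f['risk']);
}
```

Run it with php from the command line; the audit output lists lines 3 and 6 of the sample as run-time-built arguments and line 4 as a constant string. The scanner is deliberately conservative: it does not attempt to trace where a variable came from, it only points the reviewer at every eval() whose argument is not a literal, which matches the recommendation to inspect each use by hand.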