Section B.1. eval( )


B.1. eval( )

The eval( ) function is used for evaluating a string as PHP. For example:

     <?php     $name = 'Chris';     $string = 'echo "Hello, $name";';     eval($string);     ?> 

This executes $string as if it were PHP, so this is equivalent to the following:

     <?php     $name = 'Chris';     echo "Hello, $name";     ?> 

While useful, eval( ) is very dangerous when tainted data is used. For example, if $name is tainted, an attacker can execute arbitrary PHP code:

     <?php     $name = $_GET['name'];     eval($name);     ?> 

I recommend that you avoid using eval( ) when possible and when you cannot ensure that you never use tainted data in the construction of a string to be interpreted as PHP. This function is a good candidate for inspection during a security audit or peer review.




Essential PHP Security
Essential PHP Security
ISBN: 059600656X
EAN: 2147483647
Year: 2005
Pages: 110

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net