B.1. eval( )
The eval( ) function is used for evaluating a string as PHP. For example:
    <?php
    $name = 'Chris';
    $string = 'echo "Hello, $name";';
    eval($string);
    ?>
This executes $string as if it were PHP, so this is equivalent to the following:
    <?php
    $name = 'Chris';
    echo "Hello, $name";
    ?>
While useful, eval( ) is very dangerous when tainted data is used. For example, if $name is tainted, an attacker can execute arbitrary PHP code:
    <?php
    $name = $_GET['name'];
    eval($name);
    ?>
I recommend that you avoid using eval( ) whenever possible, and always when you cannot guarantee that tainted data never contributes to the string that will be interpreted as PHP. Because every call to this function is a potential code-execution path, eval( ) is a good candidate for inspection during a security audit or peer review.
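As an added illustration of that audit step (this helper is not from the appendix), the script below uses PHP's tokenizer to list every eval( ) call, with its line number, in a piece of source so each one can be reviewed against the tainted-data rule above. It assumes the tokenizer extension is available, which it is in default PHP builds, and runs on a constructed sample that mirrors the two snippets from this section.

```php
<?php
// Added audit helper (not from the book): report every eval() call in PHP
// source so a reviewer can check whether tainted data can reach it.
// Assumes the tokenizer extension (T_EVAL, token_get_all) is available.

function find_eval_calls(string $source): array
{
    $lines = [];
    foreach (token_get_all($source) as $token) {
        // token_get_all() yields [id, text, line] for named tokens and bare
        // strings for one-character tokens such as ';' or '('.
        if (is_array($token) && $token[0] === T_EVAL) {
            $lines[] = $token[2];
        }
    }
    return $lines;
}

function audit_files(array $paths): array
{
    $report = [];
    foreach ($paths as $path) {
        $hits = find_eval_calls((string) file_get_contents($path));
        if ($hits !== []) {
            $report[$path] = $hits;
        }
    }
    return $report;
}

// Constructed sample: the hard-coded use and the tainted use from this section.
$sample = <<<'PHP'
<?php
$name = 'Chris';
$string = 'echo "Hello, $name";';
eval($string);

$name = $_GET['name'];
eval($name);
PHP;

if ($argc > 1) {
    // Usage: php audit_eval.php src/a.php src/b.php ...
    foreach (audit_files(array_slice($argv, 1)) as $file => $lines) {
        echo "$file: eval() on line(s) " . implode(', ', $lines) . "\n";
    }
} else {
    foreach (find_eval_calls($sample) as $line) {
        echo "eval() found on line $line\n";   // reports lines 4 and 7
    }
}
```

The tokenizer approach is preferable to a plain text search because it ignores the word eval inside strings and comments, so each hit is a genuine call worth tracing back to its inputs.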