Section B.1. eval( )

The eval( ) function is used for evaluating a string as PHP. For example:

     <?php
     $name = 'Chris';
     $string = 'echo "Hello, $name";';
     eval($string);
     ?>

This executes $string as if it were PHP, so this is equivalent to the following:

     <?php
     $name = 'Chris';
     echo "Hello, $name";
     ?>

While useful, eval( ) is very dangerous when tainted data ends up in the string being evaluated. For example, if $name is tainted, an attacker can execute arbitrary PHP code:

     <?php
     $name = $_GET['name'];
     eval($name);
     ?>

I recommend that you avoid eval( ) whenever possible, and in particular whenever you cannot ensure that tainted data never reaches the string to be interpreted as PHP. This function is a good candidate for inspection during a security audit or peer review.
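The following is an added example, not code from the book: it rewrites the greeting above so that user input is only ever treated as data, and it adds a small audit helper that uses PHP's tokenizer to list every eval( ) call in a source file, which is more reliable than a plain text search because mentions inside strings and comments are ignored. The function names greet( ) and findEvalCalls( ) and the sample inputs are constructed for this example.

```php
<?php
// Added example (not from the book). Part 1: the greeting from B.1
// without eval( ). $name is interpolated as data and validated first.
function greet(string $name): string
{
    // Accept only what a name is expected to look like; reject the rest.
    if (!preg_match("/^[A-Za-z][A-Za-z' -]{0,63}$/", $name)) {
        throw new InvalidArgumentException('invalid name');
    }
    // Plain interpolation: nothing here is parsed as PHP.
    return "Hello, $name";
}

// Part 2: audit helper. Returns the line numbers of every eval( ) call
// in $source. The tokenizer emits T_EVAL for the eval keyword only when
// it is actually code, not when it appears inside a string or comment.
function findEvalCalls(string $source): array
{
    $lines = [];
    foreach (token_get_all($source) as $token) {
        // Single-character tokens are plain strings; keywords are arrays.
        if (is_array($token) && $token[0] === T_EVAL) {
            $lines[] = $token[2]; // line number of the eval keyword
        }
    }
    return $lines;
}

// Constructed sample file: the snippets from B.1 plus a harmless mention
// of eval inside a string, which the tokenizer correctly does not report.
$sample = <<<'PHP'
<?php
$name = 'Chris';
$string = 'echo "Hello, $name";';
eval($string);
$name = $_GET['name'];
eval($name);
echo "this string mentions eval( ) but is not a call";
PHP;

echo greet('Chris'), "\n";
foreach (findEvalCalls($sample) as $line) {
    echo "eval( ) call found at line $line, review it\n";
}
```

Run against the sample, the helper reports lines 4 and 6 only; pointing it at a real code base gives a reviewer the short list of eval( ) sites the text says deserve inspection.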


Essential PHP Security
ISBN: 059600656X
Year: 2005
Pages: 110