eval() is a PHP function that allows the user to execute a string as PHP code:
eval('echo "Hello World!";');
That will output "Hello World!" (obviously).
Pretty simple?
Not quite. It can provide some interesting security holes, to the extent that I have seen a LOT of people saying that eval() should never be used.
"If eval() is the answer, you're almost certainly asking the wrong question" – Rasmus Lerdorf, creator of PHP
In all fairness to them, eval() can be a huge security problem if used wrong. For example:
<?php
$food = array(
    'sweet' => 'apple',
    'sour'  => 'lemon',
    'spicy' => 'chili',
);
$myfood = $_REQUEST['food'];
eval('echo "You asked for " . $food[\'' . $myfood . '\'];');
That's a pretty stupid use of eval, but I have seen similar more than once. That code is vulnerable; for example, if we go to:
thatfile.php?food=' . `rm -rf *` . '
I've just deleted all your files. Okay, it's not that easy, but you can kind of see how it works. There are two ways of stopping this. You can either insert some validation before the eval() call, like this:
if (!isset($food[$myfood])) {
die('Sorry, we do not have this food');
}
Or you can stop using eval! It's not difficult to NOT use eval for this.
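Here is the same lookup written without eval(), with the isset() check from above doing the work of an allowlist. This is an added example, not code from the original post; the $food table, the 'food' request parameter and the injection string are taken from the post, while the function names lookupFood() and foodResponse() are assumptions made for this example.

```php
<?php
// Added example: the "food" lookup without eval(). The user-controlled key
// is only ever used as an array index, so there is no string that later
// gets parsed as code, and a bad key can only produce a "not found".

$food = array(
    'sweet' => 'apple',
    'sour'  => 'lemon',
    'spicy' => 'chili',
);

/**
 * Look up a food by taste. The $table itself is the allowlist: any key
 * not present in it is rejected. Returns the value or null. (Helper name
 * is an assumption for this example.)
 */
function lookupFood(array $table, $key)
{
    // Same isset() check the post suggests, but now there is nothing
    // to inject into because eval() is gone entirely.
    if (!is_string($key) || !isset($table[$key])) {
        return null;
    }
    return $table[$key];
}

/**
 * Build the reply text. The value is HTML-escaped before it is echoed
 * so the page stays safe even if the table ever holds user-supplied data.
 * (Helper name is an assumption for this example.)
 */
function foodResponse(array $table, $key)
{
    $item = lookupFood($table, $key);
    if ($item === null) {
        return 'Sorry, we do not have this food';
    }
    return 'You asked for ' . htmlspecialchars($item, ENT_QUOTES, 'UTF-8');
}

// In a web context you would pass $_REQUEST['food'] (falling back to '' when
// it is missing). Constructed inputs so the script runs stand-alone from the
// CLI: one normal request and the injection string from the post.
$requests = array(
    'sour',
    "' . `rm -rf *` . '",
);
foreach ($requests as $r) {
    echo foodResponse($food, $r), "\n";
}
```

Run it with `php thatfile.php`: the first request is answered from the table and the second is simply rejected, because the backticks never reach anything that interprets them as code.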
Always be careful when using eval. If it is compromised, it can be extremely bad for you and your site (especially if you have stuff like exec() enabled).
So some people will be saying: where SHOULD eval be used? Here are a couple of examples:
eval(file_get_contents('yourfile.php')) in the output buffer
I can't think of any others. Anyone got any?
Comments
mod_evasive for Apache is also very handy to utilise during a DDOS attack.