
Thread: [RESOLVED] PHP's eval() construct safety question

  1. #1

    Thread Starter
    Fanatic Member
    Join Date
    Jun 2008
    Posts
    1,023

    [RESOLVED] PHP's eval() construct safety question

    The way people talk about eval makes it seem like eval is supposed to be avoided and never used under any circumstances. So what makes this construct any different from using mysql queries?

    Can a sanitized string cause eval to execute malicious code? How do I prevent users from hacking if I use eval? I'm starting to worry, because I'm working on a project, and for some of the functions in this project there doesn't seem to be any alternative to eval (evaluating a string of numbers such as "4+3" and returning the value of that string).

    Is there anything I need to be cautious about other than sanitizing user input?

  2. #2
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: PHP's eval() construct safety question

    Not really... as long as your validation is OK.
    The reason eval is discouraged in web-facing code is that it adds a large attack surface which can be exposed if there is any kind of bug in your validation code. It can be hard to get validation right, and 9 times out of 10 there is a safer way (write your own routine instead of using eval). But that's not to say that this isn't the 10th time.
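    An added example of the "write your own routine" approach from post #2, applied to the "4+3" case from post #1. This is not code from the thread; the class and method names are this example's own. It is a small recursive-descent parser for +, -, *, / and parentheses, so the input string is never handed to the PHP parser at all, and anything outside that grammar (letters, quotes, semicolons, `$`) is rejected before any arithmetic happens.

```php
<?php
// Added example (not from the thread): a recursive-descent evaluator for
// arithmetic strings such as "4+3", as an alternative to eval().
// Grammar:  expr   := term (('+'|'-') term)*
//           term   := factor (('*'|'/') factor)*
//           factor := '-' factor | number | '(' expr ')'
final class ArithmeticEvaluator
{
    private array $tokens;
    private int $pos = 0;

    public static function evaluate(string $input): float
    {
        $self = new self($input);
        $value = $self->parseExpr();
        if ($self->pos !== count($self->tokens)) {
            throw new InvalidArgumentException('Unexpected token: ' . $self->tokens[$self->pos]);
        }
        return $value;
    }

    private function __construct(string $input)
    {
        // Tokenize: numbers, the four operators, parentheses. The trailing \S
        // alternative captures any other non-space character so it can be
        // rejected explicitly below; nothing unknown is silently skipped.
        if (!preg_match_all('/\s*(\d+(?:\.\d+)?|[-+*\/()]|\S)/', $input, $m)) {
            throw new InvalidArgumentException('Empty expression');
        }
        foreach ($m[1] as $tok) {
            if (!preg_match('/^(\d+(?:\.\d+)?|[-+*\/()])$/', $tok)) {
                throw new InvalidArgumentException("Illegal character: $tok");
            }
        }
        $this->tokens = $m[1];
    }

    private function peek(): ?string
    {
        return $this->tokens[$this->pos] ?? null;
    }

    private function next(): string
    {
        $tok = $this->peek();
        if ($tok === null) {
            throw new InvalidArgumentException('Unexpected end of expression');
        }
        $this->pos++;
        return $tok;
    }

    private function parseExpr(): float
    {
        $value = $this->parseTerm();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->next();
            $rhs = $this->parseTerm();
            $value = ($op === '+') ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->next();
            $rhs = $this->parseFactor();
            if ($op === '/') {
                if ($rhs == 0.0) {
                    throw new DivisionByZeroError('Division by zero');
                }
                $value /= $rhs;
            } else {
                $value *= $rhs;
            }
        }
        return $value;
    }

    private function parseFactor(): float
    {
        $tok = $this->next();
        if ($tok === '-') {                 // unary minus
            return -$this->parseFactor();
        }
        if ($tok === '(') {
            $value = $this->parseExpr();
            if ($this->next() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            return $value;
        }
        if (is_numeric($tok)) {
            return (float) $tok;
        }
        throw new InvalidArgumentException("Unexpected token: $tok");
    }
}

// Constructed sample inputs: the thread's own "4+3", two valid expressions,
// then inputs that must be rejected rather than evaluated.
foreach (['4+3', '2*(3+4)/7', '-5+2', '4+3; phpinfo()', '1+', '1/0'] as $expr) {
    try {
        printf("%-16s => %s\n", $expr, ArithmeticEvaluator::evaluate($expr));
    } catch (Throwable $e) {
        printf("%-16s => rejected (%s)\n", $expr, $e->getMessage());
    }
}
```

    The point of the design is the one post #2 makes about attack surface: with eval(), the validation code is the only thing standing between the user and the PHP interpreter, so any gap in it is directly exploitable. With a purpose-built parser there is no interpreter behind the validation; a malformed or hostile string can only produce an exception.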

  3. #3

    Thread Starter
    Fanatic Member
    Join Date
    Jun 2008
    Posts
    1,023

    Re: PHP's eval() construct safety question

    Thanks for the reply. That pretty much answered my questions. I'm going to mark this as resolved now. I will use eval for now, but later I will see if I can write my own routine as you suggested. I'm still only working on the prototype, so this won't be an issue.
