-
Jun 6th, 2015, 01:32 PM
#1
Thread Starter
Fanatic Member
[RESOLVED] PHP's eval() construct safety question
The way people talk about eval makes it seem like it is supposed to be avoided and never used under any circumstances. So what makes this construct any different from using mysql queries?
Can a sanitized string cause eval to execute malicious code? How do I prevent users from hacking if I use eval? I'm starting to worry, because I'm working on a project, and for some of the functions in this project there doesn't seem to be any alternative to eval (evaluating a string of numbers such as "4+3" and returning the value of that string).
Is there anything I need to be cautious about other than sanitizing user input?
-
Jun 7th, 2015, 08:13 AM
#2
Re: PHP's eval() construct safety question
Not really... as long as your validation is OK.
The reason eval is discouraged in web-facing code is because it adds a large attack surface which can be exposed if there is any kind of bug in your validation code. It can be hard to get validation right, and 9 times out of 10 there is a safer way (write your own routine instead of using eval). But that's not to say that this isn't the 10th time.
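As an added example (not code from either poster), here is what the "write your own routine" suggestion looks like for the "4+3" use case. It is a small recursive-descent evaluator for `+ - * /`, parentheses and unary minus; the grammar, the class name `ArithEvaluator` and the sample inputs are assumptions of this example. The point is that nothing the user types ever reaches the PHP parser: anything outside the grammar throws, so there is no validation regex that has to be bug-free for the application to stay safe.

```php
<?php
// Added example: evaluate simple arithmetic without eval().
// Assumed grammar:
//   expr   := term (('+' | '-') term)*
//   term   := factor (('*' | '/') factor)*
//   factor := '-' factor | number | '(' expr ')'
final class ArithEvaluator
{
    private string $src = '';
    private int $pos = 0;

    public static function evaluate(string $input): float
    {
        $e = new self();
        $e->src = preg_replace('/\s+/', '', $input); // whitespace is never significant here
        $e->pos = 0;
        $result = $e->parseExpr();
        if ($e->pos !== strlen($e->src)) {           // trailing garbage such as ";phpinfo()"
            throw new InvalidArgumentException("Unexpected input at offset {$e->pos}");
        }
        return $result;
    }

    private function parseExpr(): float
    {
        $value = $this->parseTerm();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->parseTerm();
            $value = ($op === '+') ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->parseFactor();
            if ($op === '/') {
                if ($rhs == 0.0) {
                    throw new DivisionByZeroError('Division by zero');
                }
                $value /= $rhs;
            } else {
                $value *= $rhs;
            }
        }
        return $value;
    }

    private function parseFactor(): float
    {
        $c = $this->peek();
        if ($c === '-') {                            // unary minus
            $this->pos++;
            return -$this->parseFactor();
        }
        if ($c === '(') {
            $this->pos++;
            $value = $this->parseExpr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException("Expected ')' at offset {$this->pos}");
            }
            $this->pos++;
            return $value;
        }
        // A number: digits with an optional decimal part. Everything else is rejected,
        // so letters, quotes, semicolons and '$' never get as far as the PHP parser.
        if (preg_match('/\G\d+(?:\.\d+)?/', $this->src, $m, 0, $this->pos) === 1) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        throw new InvalidArgumentException("Unexpected character at offset {$this->pos}");
    }

    private function peek(): ?string
    {
        return $this->src[$this->pos] ?? null;
    }
}

// Constructed sample inputs: two valid expressions and three that must be rejected.
$checks = ['4+3' => 7.0, '2*(3+4)-10/4' => 11.5];
foreach ($checks as $expr => $expected) {
    $got = ArithEvaluator::evaluate($expr);
    if ($got !== $expected) {
        throw new RuntimeException("$expr evaluated to $got, expected $expected");
    }
}
foreach (['system("id")', '4+3;phpinfo()', '1+'] as $bad) {
    try {
        ArithEvaluator::evaluate($bad);
        throw new RuntimeException("$bad should have been rejected");
    } catch (InvalidArgumentException $e) {
        echo "rejected: $bad (", $e->getMessage(), ")\n";
    }
}
```

Compared with `eval("return $input;")` behind an allow-list, the failure mode is different: a gap in this parser yields a wrong number or an exception, while a gap in the validation in front of eval yields arbitrary PHP execution. Extending it to more operators means adding a branch to the grammar, not widening a character allow-list.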
-
Jun 8th, 2015, 01:18 AM
#3
Thread Starter
Fanatic Member
Re: PHP's eval() construct safety question
Thanks for the reply. That pretty much answered my questions. I'm going to mark this as resolved now. I will use eval for now, but later I will see if I can write my own routine as you suggested. I'm still only working on the prototype, so this won't be an issue.