Comments on: Eval is dead! Long live Eval!

By: Jim

Jim — Sun, 06 Apr 2008 14:21:28 +0000

Thanks. Zend Form looks like it might have the potential to what I need to do, though I’m not sure there is any open ended conditional (haven’t looked extensively enough).

Pre-written packages aside, I’d be curious to know what PHP function alternatives there are, and how someone can get around something like addslashes(). For example the system call injection didn’t work (of course, I didn’t test using that exact system call) when I used addslashes.

Thanks - Jim

By: Lachlan

Lachlan — Sun, 06 Apr 2008 11:24:00 +0000

Hi Jim,

The cardinal sin with eval is letting it anywhere near user data. With that system you could very easily end up with a bug that resulted in users being able to inject php into your system, for instance by making %x=”system(’rm -rf /’); 20′.

It looks like you have a straight-up validation problem, something solved by WACT’s form validation library (http://www.phpwact.org/wact/form_validation), or Zend or Symphony. Basically you want to move all of those snippets of eval’d code into small, light objects which you use to validate your user data.

By: Jim

Jim — Sun, 06 Apr 2008 05:50:48 +0000

What I am using eval() for is to do error checking based on some comparison/condition/whatever that is determined when calling the error checking function.

In other words, I would call check_error($user_input,$formula). And then I can have the conditional formula be something like “%x > 10″ or “strtoupper(%x)==\”ABC\”"… And %x is replaced with $user_input. Totally arbitrary examples, but the point is I as the programmer using the function need full latitude in choosing the conditional formula.

How else can I do this other than by using eval()? And what is the best way to cleanse the user input?

Thanks - Jim

By: iDownload

iDownload — Tue, 09 Oct 2007 17:24:02 +0000

Very interesting. But completely disable eval it’s not a good idea. It must be the way to limit it functionality using black and white list of functions. I am searching for it now… have anybody idea how to do that?

By: ma214zda

ma214zda — Tue, 25 Sep 2007 01:23:53 +0000

c749t

By: sina salek

sina salek — Sat, 01 Jul 2006 11:01:33 +0000

i usually use eval to craete complicated classes. it really decrease number of codes, and help to make inherit from main class easily and with less code.
but the big problem is, eval is really slow with loops.

By: C~

C~ — Tue, 04 Apr 2006 19:24:26 +0000

I used Eval for dynamically loading code into an ircbot i wrote. As all the modules had to be classes there didn’t seem to be a way to add functions to existing classes so i had to use Eval to creat a new class and kinda add it to my existing one.

By: sadi

sadi — Mon, 29 Aug 2005 11:00:14 +0000

I faced a of problem using eval() with javascrip. If there are php or
simple HTML code then eval is simply ok with me.But when ever i have
to deal with javascript i always found myself in shit. Can anyone
give me any way to use javascript contained code in eval()?I am
running behind my time in my project

By: SitePoint Blogs » Blog Archive » How Readable is Your PHP?

SitePoint Blogs » Blog Archive » How Readable is Your PHP? — Thu, 25 Aug 2005 05:09:05 +0000

[…] One of the entries is titled Every variable should start somewhere. In a previous blog post, I mentioned how frustrating it was to be trying to read some code and asking yourself, ‘Where does this variable come from?!’. Alan labels PHP language constructs such as extract and eval as ‘evil’ because they disguise and obfuscate code. That isn’t news. However he makes a valid point–that using these types of shortcuts is not a security problem in itself–the security problem occurs when your code is too hard to understand and you inadvertently introduce additional problems. […]

By: joshie

joshie — Wed, 31 Dec 1969 19:00:00 +0000

allowing dynamic content to be stored in a blog or other cms entry, or page template. (for instance, breadcrumb links in a template page)