Eval(), what's the point?

Tags: php, eval

The official documentation for the eval() function says:

Among other things, this can be useful for storing code in a database text field for later execution.

I'm seriously confused about that. Is the PHP documentation suggesting that we store lines of PHP in databases? What? Isn't that freakishly unsafe?

What if I know that in the database there's a string that is executed as PHP? Isn't that extremely dangerous? I just need an SQL injection to do whatever I want to that site, whatever I want. I can delete the entire database, I can get everything from the script, I can do everything.

How can this be so helpful?

Could you please give me some examples of how eval() can be useful? Also, I am probably missing something: why have I seen code like

eval("if (is_int($int)) { return false; }");

instead of just

if (is_int($int)) { return false; }

But, as I said, I am probably missing something: what?

asked Jan 25 '11 18:01 by Shoe
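The pattern the question worries about, shown both as the documentation's literal suggestion and as the data-driven alternative most applications actually want. This is an added example, not code from the question or from the PHP manual; the `rules` column layout, the rule names and the sample rows are constructed for illustration.

```php
<?php
// Added example (not from the original post). Two ways to act on a "rule"
// that was read from a database text column. Row layout is an assumption.

// Constructed sample row, standing in for a SELECT from a `rules` table.
$row = ['id' => 1, 'rule' => 'return is_int($value) && $value > 10;'];

// Unsafe: whatever is in the column is run as PHP in the caller's scope.
// Any write access to that table (SQL injection, a compromised admin
// account, a bad migration) becomes code execution on the web server.
function evaluateStoredRuleUnsafe(string $rule, $value): bool
{
    return (bool) eval($rule);   // $value is visible to the evaluated code
}

// Safer: store a rule *name* plus parameters as data, and map names to code
// that already ships with the application. Unknown names are refused, not run.
$ruleTable = [
    'is_int_above' => fn($value, array $p): bool => is_int($value) && $value > $p['min'],
    'max_length'   => fn($value, array $p): bool => is_string($value) && strlen($value) <= $p['max'],
];

function evaluateStoredRule(array $ruleTable, string $name, array $params, $value): bool
{
    if (!array_key_exists($name, $ruleTable)) {
        throw new InvalidArgumentException("unknown rule: $name");
    }
    return $ruleTable[$name]($value, $params);
}

// Same decision as $row['rule'], but the column now holds JSON, not PHP.
$storedRule = json_decode('{"name":"is_int_above","params":{"min":10}}', true);

var_dump(evaluateStoredRuleUnsafe($row['rule'], 42));                                        // bool(true)
var_dump(evaluateStoredRule($ruleTable, $storedRule['name'], $storedRule['params'], 42));   // bool(true)
var_dump(evaluateStoredRule($ruleTable, $storedRule['name'], $storedRule['params'], 3));    // bool(false)

// Anything that is not a known rule name is rejected before it can do harm.
try {
    evaluateStoredRule($ruleTable, 'phpinfo(); return true;', [], 42);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;   // unknown rule: phpinfo(); return true;
}
```

The two calls return the same answer for a legitimate rule; the difference is what an attacker can achieve by controlling the column. With eval() the column is the attack surface; with the lookup table it is just a string compared against a fixed set of keys.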


2 Answers

The eval() function is fantastic! People use it all the time to inject code and gain excellent access to servers all the time. You'll often see the use of eval() and that regex function that also executes, among others, in broken WordPress installations.

There are very few reasons why you would need eval. For example, if I were making a PHP testing site where folks could enter some code on a page and then run it. Of course, it would need to be sanitized first, for the very reasons you listed.

answered Oct 27 '22 22:10 by Brad


Let's say you had a CMS that allowed you to type PHP code. I can see using the eval function to evaluate that PHP snippet. JavaScript also has eval for the same reason.

All reasons aside, eval is very unsafe. I agree it should never be used.

answered Oct 27 '22 21:10 by Amir Raminfar