Is PHP's json_decode() secure as opposed to eval()? The eval() function can run code, but does json_decode() do that as well?
Since JSON can only represent data, json_decode will not execute PHP code.
However, just like any other function, the implementation of json_decode could be buggy and allow arbitrary (binary, not (only) PHP) code execution, for example with a buffer overflow. Due to the relatively simple and widely used code, this is unlikely, and there is nothing you can or should do in a PHP program to mitigate that.
eval() and json_decode() are two different functions; I don't know why you think they are similar. One evaluates a string as PHP code and the other decodes a JSON string. Nothing is executed when json_decode is run.
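Both answers make the same point: json_decode() produces data, never executes it. The following added example (not from either answerer) shows this concretely and adds the checks a practitioner would actually want around untrusted JSON: it decodes a constructed document whose string values look like PHP code, enforces the expected top-level shape, and bounds nesting depth. The function name `decodeUntrustedJson` and the sample input are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decode JSON from an untrusted source into an associative array.
 *
 * json_decode() cannot run PHP code (the string values below stay plain text),
 * but it is still parsing attacker-controlled input, so:
 *  - JSON_THROW_ON_ERROR turns syntax errors, invalid UTF-8 and depth overflow
 *    into a JsonException instead of a silent null (PHP 7.3+);
 *  - $maxDepth bounds recursion on deeply nested documents;
 *  - a top-level scalar ('"x"', '42', 'null') is valid JSON, so the expected
 *    container shape is enforced explicitly.
 */
function decodeUntrustedJson(string $input, int $maxDepth = 32): array
{
    $data = json_decode($input, true, $maxDepth, JSON_THROW_ON_ERROR);

    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object or array at top level');
    }
    return $data;
}

// Constructed sample input: the "note" value is PHP source text, not PHP code.
$untrusted = '{"user":"alice","note":"<?php system(\"id\"); ?>","tags":["a","b"]}';

$decoded = decodeUntrustedJson($untrusted);
// The note comes back as an ordinary string; nothing was evaluated.
var_dump(is_string($decoded['note']));
var_dump($decoded['note']);

// Deeply nested input is rejected by the depth limit rather than decoded.
$deep = str_repeat('[', 100) . str_repeat(']', 100);
try {
    decodeUntrustedJson($deep, 32);
} catch (JsonException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}

// A top-level scalar is syntactically valid JSON but not the shape we expect.
try {
    decodeUntrustedJson('"just a string"');
} catch (UnexpectedValueException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

One further distinction worth keeping in mind: with the default object mode, json_decode() only ever instantiates stdClass, so unlike unserialize() it cannot be steered into constructing arbitrary application classes. The remaining risk with JSON is entirely in how the decoded values are used afterwards (passed to eval(), a shell, or a query), which is why the shape check above is paired with whatever per-field validation the application needs.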