Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What situations demand the use of eval() because there are no alternatives?

Tags:

performance

php

eval

I know eval should be avoided in JavaScript for speed and security reasons. But in the case of PHP, rarely is security ever mentioned. More often, it's your program running slower than it should because of a haphazard use of eval.

In what specific situations should you use eval because there is no other way around it?

For clarity:

We're not talking about user-supplied data. So the question is focused on pure and fully-controlled server-side valid use of eval.

like image 845
user281373 Avatar asked Feb 25 '10 17:02

user281373

2 Answers

The security problems of eval-uating code with eval in PHP are the same as in Javascript : if you evaluate some code, you've got to be sure where it comes from, and what it contains.

The security implications might even be greater, as PHP has access to your database (amongst other things) -- which means it can be used to steal/corrupt almost avery informations your application relies on !

In Javascript, they say that "eval is evil" ; it's probably as true in PHP that it's true in Javascript.


Now, about specific situations in which you cannot avoid using eval... Well, in something like 4 years of developping in PHP as my every-day job, I don't remember having ever used eval in my own code ^^

Still, and example of situation where you need eval would be when you are storing some code in database, for instance, and not caching it in files (which could be included) -- that happens with some CMS that allow portions of PHP code to be typed in the administration section, for instance.

like image 152
Pascal MARTIN Avatar answered Nov 11 '22 11:11

Pascal MARTIN

Eval and create_function may allow arbitary code injection. There are a lot of things in PHP that can be used to compromise the security of your application.

We tell kids not to play with knives and matches - but these are useful (if not essential) tools when used correctly. So it is with a lot of PHP's functionality. There's nothing intrinsically wrong with using the functionality as long as you understand exactly what you are doing.

But a discussion of programming languages at such an abstract level is not what StackOverflow is about.

C.

like image 32
symcbean Avatar answered Nov 11 '22 11:11

symcbean
Sign in to Comment

Related questions

Composer always runs into "Allowed memory size of 1610612736 bytes exhausted" - on server as well as local
WebSVN with VisualSVN Server, anyone gotten authentication to work?
Is this a reasonable way to handle getters/setters in a PHP class?
Can we hack a site that just stores the username as a session variable?
Cache AJAX requests
Best method for Flex to PHP communication?
PHP/MySQL: Select locations close to a given location from DB
mysql time and php time not the same
Blog in CodeIgniter : Where Does the Model start, and the Controller End?
Instantiating child classes from parent class (PHP)
PHP & Hash / Fragment Portion of URL
Where should form validation occur in a MVC project?
Which PHP framework is most like Ruby on Rails?
Which tokens can be parameterized in PDO prepared statements?
Zend Framework - multiplate navigation blocks
cURL really slow
Calculating Great-Circle Distance with SQLite
How to deal with strange rounding of floats in PHP
how to get returned text from a php page
How to implement flyweight pattern in php?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!