Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

When (if ever) is eval NOT evil?

Tags:

php

eval

I've heard many places that PHP's eval function is often not the answer. In light of PHP 5.3's LSB and closures we're running out of reasons to depend on eval or create_function.

Are there any conceivable cases where eval is the best (only?) answer in PHP 5.3?

This question is not about whether eval is evil in general, as it obviously is not.

Summary of Answers:

  • Evaluating numerical expressions (or other "safe" subsets of PHP)
  • Unit testing
  • Interactive PHP "shell"
  • Deserialization of trusted var_export
  • Some template languages
  • Creating backdoors for administers and/or hackers
  • Compatibility with < PHP 5.3
  • Checking syntax (possibly not safe)
like image 271
Kendall Hopkins Avatar asked Aug 17 '10 05:08

Kendall Hopkins

People also ask

Why is it bad to use eval?

Malicious code : invoking eval can crash a computer. For example: if you use eval server-side and a mischievous user decides to use an infinite loop as their username. Terribly slow : the JavaScript language is designed to use the full gamut of JavaScript types (numbers, functions, objects, etc)… Not just strings!

When should you use eval?

Eval function is mostly used in situations or applications which need to evaluate mathematical expressions. Also if the user wants to evaluate the string into code then can use eval function, because eval function evaluates the string expression and returns the integer as a result.

When should you use eval JavaScript?

Definition and Usage The eval() method evaluates or executes an argument. If the argument is an expression, eval() evaluates the expression. If the argument is one or more JavaScript statements, eval() executes the statements.

What can I use instead of eval in JavaScript?

An alternative to eval is Function() . Just like eval() , Function() takes some expression as a string for execution, except, rather than outputting the result directly, it returns an anonymous function to you that you can call. `Function() is a faster and more secure alternative to eval().

2 Answers

If you're writing malware and you want to make life hard for the sysadmin who's trying to clean up after you. That seems to be the most common usage case in my experience.

like image 89
tylerl Avatar answered Sep 20 '22 21:09

tylerl

Eric Lippert sums eval up over three blog posts. It's a very interesting read.

As far as I'm aware, the following are some of the only reasons eval is used.

For example, when you are building up complex mathematical expressions based on user input, or when you are serializing object state to a string so that it can be stored or transmitted, and reconstituted later.

like image 23
Russell Dias Avatar answered Sep 17 '22 21:09

Russell Dias
Sign in to Comment

Related questions

PHP GET Request, sending headers
How do I select only the root domain from $_SERVER['HTTP_REFERER'];?
Symfony2: How can I set twig |date("d F, Y") filter to output months in Swedish?
Should I or should I not use getter and setter methods? [closed]
PHP7 installed by Homebrew doesn't work with Apache on macOS
Download CSV file using "AJAX"
CodeIgniter - why use xss_clean
Bing search API and Azure
Reading from comma or tab delimited text file
Which PHP mcrypt cipher is safest?
PHP Regex Any Character
PHP in_array object comparing?
Async curl request in PHP
Laravel Carbon how to change timezone without changing the hour
Getting raw SQL Queries in CodeIgniter 1.7
Sending data along with a redirect in CodeIgniter
visual studio code PHP debugging not working
Anchor in URL when using Symfony's redirect function
Comparing timestamp to current time from database
How to inject dependencies to a laravel job

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!