B.1. eval( )
The eval( ) function is used for evaluating a string as PHP. For example:
<?php
$name = 'Chris';
$string = 'echo "Hello, $name";';
eval($string);
?>
This executes $string as if it were PHP, so this is equivalent to the following:
<?php
$name = 'Chris';
echo "Hello, $name";
?>
While useful, eval( ) is dangerous whenever tainted data reaches the string it interprets, because that data becomes PHP source rather than a value. For example, if $name is tainted, an attacker can execute arbitrary PHP code:
<?php
$name = $_GET['name'];
eval($name);
?>
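The subtler case is the one the first example hints at: tainted data that is not passed to eval( ) directly but is used to build the string. The following is an added example, not code from the book; the input string is constructed here to stand in for $_GET['name'], and the greet( ) function and its character-set pattern are a hypothetical replacement, not a recommendation of any particular validation rule. It shows why the single-quoted construction in the first example keeps $name as data, why a double-quoted construction turns it into code, and how to avoid the problem by not putting untrusted data into PHP source at all:

```php
<?php
// Constructed sample input standing in for $_GET['name'].
$tainted = '"; echo "INJECTED"; //';

// Vulnerable: the code string is built with double-quote interpolation,
// so $tainted is spliced into the PHP source before eval() sees it.
// Resulting source:  echo "Hello, "; echo "INJECTED"; //";
$code = "echo \"Hello, $tainted\";";
eval($code);
echo "\n";

// Contrast: the single-quoted construction from the first example leaves
// the $name reference unexpanded until eval() runs, where interpolation
// treats $name as a string value, not as PHP source. The injected text
// is simply echoed back, quotes and all.
$name = $tainted;
eval('echo "Hello, $name";');
echo "\n";

// Hardened: keep untrusted data out of code entirely. Dynamic behaviour,
// if needed, should come from a fixed set of functions; the data stays data.
function greet(string $name): string
{
    // Hypothetical validation rule: a conservative allowlist of characters.
    if (!preg_match('/^[A-Za-z][A-Za-z \'-]{0,63}$/', $name)) {
        throw new InvalidArgumentException('invalid name');
    }
    return "Hello, $name";
}

echo greet('Chris'), "\n";
```

The first eval( ) runs the attacker's echo statement because the closing quote and semicolon in $tainted terminate the intended statement; the trailing // comments out the remainder so the source still parses. The second eval( ) only echoes the raw input. The greet( ) version has no eval( ) to audit at all, which is the outcome to aim for.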
I recommend that you avoid eval( ) whenever possible, and that you never use it unless you can ensure that no tainted data takes part in constructing the string to be interpreted as PHP. Note that eval( ) is a language construct rather than a function, so it cannot be switched off with the disable_functions directive; searching the code base for its uses is the practical control. This makes it a good candidate for inspection during a security audit or peer review.