When is eval evil in php?
I would be cautious in calling eval() pure evil. Dynamic evaluation is a powerful tool and can sometimes be a life saver. With eval() one can work around shortcomings of PHP (see below).
The main problems with eval() are:
- Potential unsafe input. Passing an untrusted parameter is a way to fail. It is often not a trivial task to make sure that a parameter (or part of it) is fully trusted.
- Trickiness. Using eval() makes code clever, therefore more difficult to follow. To quote Brian Kernighan: "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."
The main problem with actual use of eval() is only one:
- Inexperienced developers who use it without enough consideration.
As a rule of thumb I tend to follow this:
1. Sometimes eval() is the only/the right solution.
2. For most cases one should try something else.
3. If unsure, goto 2.
4. Else, be very, very careful.
Is return eval evil?
You can easily invoke an arbitrary function (to be more precise - an arbitrary expression) there:
$userSetting = 'userSetting && print(123)';
This would work in all (?) PHP versions.
With PHP 7 it becomes even more convenient since you can call an anonymous function in-place:
$userSetting = 'userSetting && (function() { do whatever you want })();';
When (if ever) is eval NOT evil?
Eric Lippert sums eval up over three blog posts. It's a very interesting read.
As far as I'm aware, the following are some of the only reasons eval is used.
For example, when you are building up complex mathematical expressions based on user input, or when you are serializing object state to a string so that it can be stored or transmitted, and reconstituted later.
Risks of using PHP eval
Check out these previous questions:
When is eval() evil in PHP?
When (if ever) is eval() NOT evil?
Evaluate string as condition PHP
Well, executing arbitrary strings as code has the caveat that you're executing arbitrary code whichever way you do it. There's no better alternative to eval that would let you execute PHP code without… executing PHP code.
The sane way to go here is to define a DSL which gives your users a way to write certain limited expressions which are not PHP code, which you will parse and evaluate with specific limited capabilities.
A good library which does that is Symfony's ExpressionLanguage component. Beyond that you'd go into the domain of language parsers.
Is it safe to use eval?
Yes, there is nothing unsafe that can be done with that input, so long as you check as follows:
if( preg_match("([^0-9*/+().<>=-])",$input)) die("Invalid input");
Then you will be fine. However, be aware that the input must be syntactically correct. Something like >><>>><><>>>>> would pass the check, but cause an error. You should wrap a try..catch block around your eval.
Ideally, however, this should really be handled in JavaScript if you can. It's okay to use eval on the user's own provided data.
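The DSL answer above (parse and evaluate limited expressions that are not PHP code) and the whitelist answer point the same way. As an added example, not code from any of these answers, here is a PHP 8 evaluator for exactly the character set that regex permits; the SafeExpr class name and its grammar are assumptions, and a syntax error such as the >><>>> input above surfaces as an ordinary exception rather than a ParseError from eval():

```php
<?php
// Added example, not from any answer above: a small recursive-descent evaluator for the
// characters the regex check permits (digits . + - * / ( ) < > =), so a user's arithmetic or
// comparison string is parsed and evaluated without eval(). Class name and grammar are assumed:
// cmp := sum ((<|>|=) sum)?   sum := term ((+|-) term)*   term := atom ((*|/) atom)*
// atom := number | '(' sum ')' | '-' atom
final class SafeExpr {
    private int $i = 0;
    private function __construct(private string $s) {}
    public static function evaluate(string $expr): float|bool {
        $s = preg_replace('/\s+/', '', $expr);
        if (preg_match('/[^0-9*\/+().<>=-]/', $s)) { throw new InvalidArgumentException('disallowed character'); }
        $p = new self($s);
        $v = $p->cmp();
        // Leftover input (e.g. the second '>' of ">>") is a syntax error, reported as an exception
        if ($p->i !== strlen($s)) { throw new InvalidArgumentException("unexpected '{$s[$p->i]}' at offset {$p->i}"); }
        return $v;
    }
    private function peek(): string { return $this->s[$this->i] ?? ''; }
    private function cmp(): float|bool {                   // at most one comparison, at top level only
        $l = $this->sum();
        $op = $this->peek();
        if ($op !== '<' && $op !== '>' && $op !== '=') { return $l; }
        $this->i++; $r = $this->sum();
        return $op === '<' ? $l < $r : ($op === '>' ? $l > $r : $l == $r);
    }
    private function sum(): float {
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') { $this->i++; $t = $this->term(); $v = $op === '+' ? $v + $t : $v - $t; }
        return $v;
    }
    private function term(): float {
        $v = $this->atom();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->i++; $a = $this->atom();
            if ($op === '/' && $a == 0.0) { throw new DivisionByZeroError('division by zero'); }
            $v = $op === '*' ? $v * $a : $v / $a;
        }
        return $v;
    }
    private function atom(): float {
        $c = $this->peek();
        if ($c === '-') { $this->i++; return -$this->atom(); }
        if ($c === '(') {
            $this->i++; $v = $this->sum();
            if ($this->peek() !== ')') { throw new InvalidArgumentException("missing ')' at offset {$this->i}"); }
            $this->i++; return $v;
        }
        if (preg_match('/\G\d+(?:\.\d+)?/', $this->s, $m, 0, $this->i)) { $this->i += strlen($m[0]); return (float) $m[0]; }
        throw new InvalidArgumentException("bad token at offset {$this->i}");
    }
}
var_dump(SafeExpr::evaluate('(3 + 4) * 2 > 10'), SafeExpr::evaluate('7/2'));
// The first input passes the whitelist but is not a valid expression; the second fails the whitelist. Neither is executed.
foreach (['>><>>><><>>>>>', '1;echo(2)'] as $bad) { try { SafeExpr::evaluate($bad); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; } }
```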
Eval in PHP and security measures , Creating a PHP demo editor
eval evaluates code, so, as @sectus says in comments, it executes the code.
For example:
eval("echo 'Hello user';"); // This will execute: echo 'Hello user';
So, in your case I think you don't want to execute your user code, so please clarify your question and update it.
IMPORTANT:
- Use of eval is highly discouraged. NEVER EVER use eval with params from POST/GET without sanitizing them.
Useful links:
When eval is evil
Avoid SQL injection