When Is Eval Evil in PHP

When is eval evil in php?

I would be cautious in calling eval() pure evil. Dynamic evaluation is a powerful tool and can sometimes be a life saver. With eval() one can work around shortcomings of PHP (see below).

The main problems with eval() are:

  • Potential unsafe input. Passing an untrusted parameter is a way to fail. It is often not a trivial task to make sure that a parameter (or part of it) is fully trusted.
  • Trickiness. Using eval() makes code clever, therefore more difficult to follow. To quote Brian Kernighan "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it"

The main problem with actual use of eval() is only one:

  • Inexperienced developers who use it without enough consideration.

As a rule of thumb I tend to follow this:

  1. Sometimes eval() is the only/the right solution.
  2. For most cases one should try something else.
  3. If unsure, goto 2.
  4. Else, be very, very careful.

Is return eval evil?

You can easily invoke an arbitrary function (to be more precise - an arbitrary expression) there:

$userSetting = 'userSetting && print(123)';

This would work in all (?) php versions.

With php7 it becomes even more convenient since you can call an anonymous function in-place:

$userSetting = 'userSetting && (function() { do whatever you want })();';

When (if ever) is eval NOT evil?

Eric Lippert sums eval up over three blog posts. It's a very interesting read.

As far as I'm aware, the following are some of the only reasons eval is used.

For example, when you are building up complex mathematical expressions based on user input, or when you are serializing object state to a string so that it can be stored or transmitted, and reconstituted later.

Risks of using PHP eval

Check out these previous questions:

When is eval() evil in PHP?

When (if ever) is eval() NOT evil?

Evaluate string as condition PHP

Well, executing arbitrary strings as code has the caveat that you're executing arbitrary code whichever way you do it. There's no better alternative to eval that would let you execute PHP code without… executing PHP code.

The sane way to go here is to define a DSL which gives your users a way to write certain limited expressions which are not PHP code, which you will parse and evaluate with specific limited capabilities.

A good library which does that is Symfony's ExpressionLanguage component. Beyond that you'd go into the domain of language parsers.

Is it safe to use eval?

Yes, there is nothing that can be done with that input that is unsafe. So long as you check as follows:

if( preg_match("([^0-9*/+().<>=-])",$input)) die("Invalid input");

Then you will be fine. However, be aware that the input must be syntactically correct. Something like >><>>><><>>>>> would pass the check, but cause an error. You should wrap a try..catch block around your eval.

Ideally, however, this should really be handled in JavaScript if you can. It's okay to use eval on the user's own provided data.

Eval in PHP and security measures , Creating a PHP demo editor

eval evaluates code, so, as @sectus says in comments, execute the code

For example:

eval ("echo 'Hello user'"); //This will execute echo 'Hello user'

So, in your case i think you don't want to execute your user code, so please carify your question and update it.

IMPORTANT:

  • Use of eval is highly discouraged
  • NEVER EVER use eval with params by POST/GET without sanitize them

Useful links:

When eval is evil

Avoid SQL injection



Related Topics



Leave a reply



Submit