eval(), what's the point?

The official documentation for the eval() function says:

Among other things, this can be useful for storing code in the text field of the database for subsequent execution.

I am seriously confused by this. Is the PHP documentation suggesting storing PHP strings in databases? What kind? Isn't that awkward?

What if I know that the database holds a string that is run as PHP? Isn't that very dangerous? I would just need an SQL injection to do whatever I want on this site. I can delete the entire database, I can get everything from the script, I can do everything.

How can this be so helpful?

Could you give some examples of how this eval() can be useful? Also, I have probably missed something: why have I seen code like:

 eval("if (is_int($int)) { return false; }"); 

instead of

 if (is_int($int)) { return false; } 

But, as I said, I probably missed something: what?

+6
eval php
6 answers

The eval() function is fantastic! People use it all the time to enter code and get excellent access to servers. You will often see eval(), and that regular-expression function which also executes, used in broken WordPress installations in particular.

There are very few reasons why you would need eval. For example, if I created a PHP testing site where people could enter some code on a page and then run it. Of course, it would first need to be sanitized, for the reasons you indicated.

+7

Say you had a CMS that allowed you to enter PHP code. I can see using the eval function to evaluate that PHP fragment. JavaScript also has eval for the same reason.

All reasons aside, eval is very dangerous. I agree that it should never be used.

+4

Yes, it can be very dangerous. One place I saw it was a system that allowed a very complex search screen configuration and let users save search configs. The search details were saved as actual code that was executed via eval. The inputs were stored separately and checked (to some extent; I don't know the details) to prevent SQL injection. This is the only time I have seen this, and it probably was not necessary (although I never saw enough of this system to know for sure).

eval() is potentially useful when you don't know what code needs to be executed before execution time (for example, the case I gave above), but such cases are not something most developers run into every day. If you ever come across a situation in which you need eval(), try to make sure that you never pass it to the user. Even better, find a way to limit (to some extent) the code that can be passed to it, but that will depend on the problem.

+3

Could you give some examples of how this eval() can be useful?

It is used, for example, by template engines. They parse and compile templates into PHP code and can either store that code somewhere or execute it directly using eval().

It is also a dangerous feature.

+2

It's true that this is unsafe; you still need to sanitize your code.

However, it is not intended to evaluate expressions entered by users or by any other means, such as from a database.

I found this useful when the language does not provide metaprogramming. So, for example, if you need to fill a bean with 50 fields that have the same name apart from a small difference in the method name, such as a number (suppose it has field1(), field2(), field3(), etc.), you can use eval inside a for loop to construct the method name as a string and then call it.

That way you can convert 100 repeating lines of code to 5, just a couple more if you want to add documentation on how this works. This is unsafe because no one is touching your code here.

+1

You might have something like

 $text = 'This is some random number: $number. Hello world!';
 ...
 $number = 15;
 ...
 eval("\$replacedText = \"$text\";");

In the eval, $text will be replaced with "This is some random number: $number. Hello world!", and eval will guarantee that $number is also replaced with 15.

0
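As an added example (not code from any of the answers above), here are the last two answers' eval() uses side by side with eval-free equivalents that treat runtime data as data; `Bean`, `fillWithEval`, `fillWithoutEval`, `substituteWithEval`, `substituteSafely` and the sample strings are assumed names and constructed values:

```php
<?php
// 1. The "field1(), field2(), ..." case: PHP has variable method names,
//    so no code string needs to be built and parsed at all.
class Bean {
    private array $values = [];
    // Hypothetical bean: accepts any fieldN() setter call.
    public function __call(string $name, array $args): void { $this->values[$name] = $args[0] ?? null; }
    public function values(): array { return $this->values; }
}

function fillWithEval(Bean $bean, int $count): void {
    for ($i = 1; $i <= $count; $i++) {
        eval("\$bean->field{$i}($i);");   // code assembled from the loop counter only
    }
}

function fillWithoutEval(Bean $bean, int $count): void {
    for ($i = 1; $i <= $count; $i++) {
        $method = "field{$i}";
        $bean->$method($i);               // variable method name, no parsing step
    }
}

// 2. The $text / $number substitution: with eval(), $text becomes PHP source,
//    so any quote or brace in it changes what is parsed. strtr() only swaps
//    the literal token '$number' and keeps every other character as-is.
function substituteWithEval(string $text, int $number): string {
    eval("\$replaced = \"$text\";");      // $number is read from this scope
    return $replaced;
}

function substituteSafely(string $text, int $number): string {
    return strtr($text, ['$number' => (string) $number]);
}

$trusted   = 'This is some random number: $number. Hello world!';
$untrusted = 'Number: $number, "quoted" text {$number}';   // constructed stand-in for a database value

echo substituteWithEval($trusted, 15), PHP_EOL;     // both agree on well-formed text
echo substituteSafely($trusted, 15), PHP_EOL;
echo substituteSafely($untrusted, 15), PHP_EOL;     // quotes and braces kept literally
try {
    echo substituteWithEval($untrusted, 15), PHP_EOL;
} catch (ParseError $e) {
    echo 'eval() treated the data as code: ', $e->getMessage(), PHP_EOL;
}
```

For the bean case, both fill functions leave the object in the same state; the difference is only that the second never hands a string to the parser.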