
Does eval() == evil


Itshim (Programmer, US), Apr 6, 2004
This is more of an opinion question than an actual coding problem...

When I was first learning PHP I came across some material which said to always avoid using eval() whenever possible, because of the obvious security risks if you are not extremely careful.

There were times in the past when eval() looked pretty tempting, but I always looked for another solution to accomplish the same task, and have always been successful.

I've been using PHP for about 5 years (the last 2 years full time) and I have never used eval() in an application. I honestly believe I have never even typed the function in while fooling around with scripts. Now, I understand I'm not writing any ground-breaking code, so there may be situations which warrant its use; I just haven't come across them.

So my question is: should one avoid eval() like an ASP programmer avoids the truth? :)

[just kidding about the ASP programmer, I don't want to ruffle any feathers out there.]
 
I've always considered eval() to be if not evil, then at least something to be strongly avoided. Elseif is evil.

I don't know of any specific references that touch on the security aspects, but it seems to me the most likely time someone will use eval() is when you are executing user input. This opens up a realm of possibilities for getting one's site trashed.
Want the best answers? Ask the best questions! TANSTAAFL!
 
elseif is only evil when misused, which is, 98.72% of the time according to the AP.

eval is pretty much the same, except the percentages jump to just over 99!

It has its place, code generation being the only one that comes to mind immediately, but it's dangerous and should pretty much always be avoided when the discussion centers around user input.
 
MJB3K said:
so why create that function for PHP?
After posting this thread I tried searching for a legitimate example of eval().

By legitimate I mean an example of code that could only be achieved using the function and something that was not contrived. I found several real-world examples of its use in applications, but associated with them I also found rebuttal arguments, or documented exploits of the code, such as the vBulletin exploit discovered about a year ago.

I also found this quote by Rasmus Lerdorf (creator of PHP):
Rasmus Lerdorf said:
If eval() is the answer, you’re almost certainly asking the wrong question.

Which I found quite interesting...
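To make the "executing user input" risk from the replies above concrete, here is an added example (not code from any poster in this thread, and not from vBulletin or any other real application). It shows the typical pattern where a request parameter is spliced into a string that would be handed to eval(), beside the allow-list dispatch that gives the same "dynamic" behaviour without ever turning input into code. The `$sort` parameter, the `sortBy*` function names and the sample items are constructed for illustration.

```php
<?php
// Added example: eval()-style code building from user input, beside an
// allow-list dispatch that needs no eval() at all. All names and sample
// data below are constructed for this illustration.

declare(strict_types=1);

// --- Vulnerable pattern: request input is concatenated into PHP source. ---
// With ?sort=price the author gets the intended `return sort_by_price();`.
// With ?sort=price();system('id');// the string becomes
//   return sort_by_price();system('id');//();
// and eval() would run the injected system() call. This function only
// returns the code string so the injection is visible without executing it.
function buildSorterCodeUnsafe(string $sort): string
{
    return 'return sort_by_' . $sort . '();';
}

// --- Hardened pattern: the dynamic choice is a lookup in a fixed table. ---
// Input is compared against known keys; it never becomes code. Anything
// not in the table falls back to a safe default instead of being interpreted.
const SORTERS = [
    'price' => 'sortByPrice',
    'name'  => 'sortByName',
];

function sortByPrice(array $items): array
{
    usort($items, fn(array $a, array $b): int => $a['price'] <=> $b['price']);
    return $items;
}

function sortByName(array $items): array
{
    usort($items, fn(array $a, array $b): int => strcmp($a['name'], $b['name']));
    return $items;
}

function sortItems(array $items, string $sort): array
{
    // Exact-match lookup: "price();system('id');//" is simply not a key.
    $fn = SORTERS[$sort] ?? SORTERS['name'];
    return $fn($items);
}

// --- Constructed demo input (name order differs from price order). ---
$items = [
    ['name' => 'widget', 'price' => 3],
    ['name' => 'bolt',   'price' => 9],
];

echo buildSorterCodeUnsafe('price'), PHP_EOL;
echo buildSorterCodeUnsafe("price();system('id');//"), PHP_EOL;

print_r(sortItems($items, 'price'));                     // widget, bolt
print_r(sortItems($items, "price();system('id');//"));   // default name sort: bolt, widget
```

The second `echo` prints the injected source with the attacker's `system('id')` in the middle of it, which is the whole argument against eval() on anything derived from a request: once input is spliced into code, the only thing between the attacker and the interpreter is how carefully that string was escaped. The table-lookup version cannot be talked into calling anything that is not in `SORTERS`, and it is also what replaces most real-world eval() uses (dispatching on a name, choosing a template, picking a handler) without needing code generation at all.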
 