This question already has answers here (closed 9 years ago). Possible duplicates:
When (if ever) is eval NOT evil?
when is eval evil in php?
Since I found no other way of executing a string from an external file as code, I resorted to utilizing eval(). I am not asking about any code in particular, since examples in my use-case scenario would be trivial; what I want to know is what the dangers of using eval in PHP code are.
I did some research on the subject, but I couldn't find any answer that would satisfy my curiosity. All I was able to find were things like "execution of malicious code", "abusive injections", etc. No examples, and no detailed explanations of why this is such a bad practice.
Anyone care to answer this a little bit more in-depth?
Thanks.
Check out these previous questions:
When is eval() evil in PHP?
When (if ever) is eval() NOT evil?
For the problems, see this link:
http://www.google.com/search?q=php+why+eval+is+bad
But you shouldn't need to use `eval`. Developers really should act as if `eval` doesn't exist. Perhaps you could explain your situation more clearly? Questions such as where you are getting the code file, why you can't use `include`, etc.
As long as you can trust the source of the code you call with `eval()` you will be safe.
If random users are providing the strings you call `eval()` on, then you are at risk of someone providing you evil strings like this:
`exec("rm -rf /");`
Your `eval` will happily run this string, and depending on permissions it will delete everything on your filesystem.
If you are `eval`ing server-side code that you (or someone you trust) wrote that is not publicly accessible, then that is no more dangerous than executing regular PHP code. The problem comes when you depend on user input to do the eval, since it can be malicious.