The official documentation regarding eval() as a function says:
Among other things, this can be useful for storing code in a database text field for later execution.
I'm seriously confused about that. Is the PHP documentation suggesting storing PHP lines in databases? What? Isn't that something freaking unsafe?
What if I know that in the database there's a string that is executed as PHP? Isn't that extremely dangerous? I just need an SQL injection to do whatever I want to that site, whatever I want. I can delete the entire database, I can get everything from the script, I can do everything.
How can this be so helpful?
Could you please provide me some examples of how this eval() can be useful?
Also, I am probably missing something: why have I seen some code like:
eval("if (is_int($int)) { return false; }");
instead of just
if (is_int($int)) { return false; }
But, as I said, I am probably missing something: what?
Let's say you had a CMS that allowed you to type PHP code. I can see using the eval function to evaluate that PHP snippet. Javascript also has eval for the same reason. All reasons aside, eval is very unsafe. I agree it should never be used.
It is used by template engines, for example. They parse and compile templates to PHP code, and can either store the code to any location, or execute it directly with eval(). Other than that, it is a dangerous feature.
Yes, it can be very dangerous. One place I've seen it used was a system that allowed a very complex configuration of a search screen, and allowed users to save the search configs. The details of the search were saved as actual code that was executed as eval. The inputs were stored separately and were checked (to some degree, I don't know the details) to protect against SQL injection. That's the only time I've seen that done, and it probably wasn't necessary (though I never saw enough of this system to know for sure).
eval() is potentially useful when you don't know what code will need to execute until runtime (like the example I gave above), but these cases are not the sort of thing that happen every day for most developers. If you ever do run into a situation where you need an eval(), just try to make sure you never directly pass it input from the user. Better still if you can find a way to constrain (to some degree) the code that will be passed in to it, but this will depend on the problem at hand.
The eval() function is fantastic! People use it all the time to inject code and gain excellent access to servers all the time. You'll often see the use of eval() and that regex function that also executes, among others, in broken WordPress installations.
There are very few reasons why you would need eval. For example, if I were making a PHP testing site where folks could enter some code on a page and then run it. Of course, it would need to be sanitized first, for the very reasons you listed.
Well, it is unsafe indeed; you have to sanitize your code anyway.
However, it is not intended to evaluate expressions introduced by users or by any other means, such as from the DB.
I've found it useful when the language does not provide metaprogramming. So, for example, you need to fill a bean with 50 fields that are called the same but with a small difference in the method name such as a number (imagine it has field1(), field2(), field3() ... etc.), then you can use eval inside a for loop: construct the method name as a string and then call it.
This way you can convert 100 repetitive lines of code into 5, a couple more if you want to add documentation on how it works lol. It is not unsafe because nobody else touches your code here.
You can have something like
In the eval, $text would be replaced by "This is some random number: $number. Hello world!", and eval makes sure that $number is also replaced by 15.
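As an added example (not code from the answer above), here is the field1()..fieldN() loop written with eval next to the eval-free form PHP already offers, plus the $text substitution done with strtr instead of eval. The Bean class, its three setters and the sample values are constructed for this illustration.

```php
<?php
// Constructed stand-in for the "bean with numbered setters" from the answer.
class Bean {
    private array $values = [];
    public function field1(int $v): void { $this->values[1] = $v; }
    public function field2(int $v): void { $this->values[2] = $v; }
    public function field3(int $v): void { $this->values[3] = $v; }
    public function values(): array { return $this->values; }
}

$input = [1 => 10, 2 => 20, 3 => 30]; // constructed sample data

// The pattern from the answer: build the method name as a string and eval it.
// $v is spliced into PHP source, so anything other than a trusted integer
// (say, a value read from a request or the DB) would be executed as code.
$withEval = new Bean();
foreach ($input as $i => $v) {
    eval("\$withEval->field{$i}({$v});");
}

// eval-free form: PHP resolves a method name held in a string directly.
// The value travels as an argument and is never part of the source text.
$safe = new Bean();
foreach ($input as $i => $v) {
    $method = "field{$i}";
    if (!method_exists($safe, $method)) {
        throw new InvalidArgumentException("no such field: $method");
    }
    $safe->$method($v);
}
assert($withEval->values() === $safe->values());

// The $text template from the answer, substituted as text with strtr:
// $number is inserted as data, so its content can never run as PHP.
$number = 15;
$text = 'This is some random number: {number}. Hello world!';
echo strtr($text, ['{number}' => $number]), PHP_EOL;
```

Both loops produce the same Bean state; the difference is that the eval version turns data into code, which is the property the other answers warn about.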