Understanding the Use of Eval Functions and Other Similar Processes

Asked 1 months ago, Updated 1 months ago, 3 views

This is my first post.Thank you.
PHP programming is good
"Eval functions are not available due to security concerns"
I see comments like this, but the same thing as the eval function can be done by doing, for example, the following:
Include source code temporarily in a text file

The eval function is not recommended, but is there no problem with the above processing?Or is it wrong for me to read code text as PHP code in the first place?

Of course, there are security challenges when you use it incorrectly, but I think the whole system is designed to take security into consideration.

It is necessary to read the code generated in the system due to the relationship such as template HTML, and we are looking for the best solution.If you have any comments, please let us know.

php

2022-09-30 11:35

1 Answers

I understand that "eval is dangerous no matter what" but "eval is dangerous because there is a risk of code injection etc."
For example, we believe that a fixed value (depending on the PHP code you specify) without variables in the event argument is basically safe.

Similarly, include is at risk of directory traversal or code injection as well.
If dynamic values are not used, there is no risk.
(If you specify it as a relative path, you should be careful if there are any extra files in the include path.)

Sanitizing (disabling special characters) is fine even if you specify dynamic values.
"I think many websites are saying ""eval is dangerous for now"" for beginners because they are concerned about the omission of processing in that case."

Loading code generated in the system

As for this process,
"Include modules that generate html codes and pass them in string variables"
If so, there is no problem, but

If the module generates and files html code and includes the file,
I think you will need to use variables for include, so you will need to consider sanitization.


2022-09-30 11:35

If you have any answers or tips


© 2022 OneMinuteCode. All rights reserved.