Comments on: Using Eval in PHP

By: sharpskater69

sharpskater69 — Thu, 19 Jun 2008 19:24:06 +0000

good. consider using /\W/, much easier in your example. good though.

By: PHP security | TheStruggle

PHP security | TheStruggle — Fri, 22 Feb 2008 14:22:40 +0000

[...] dangerous. If you have to then make sure you check the content of the string before you use it. Try this for more [...]

By: Stefan Braunewell

Stefan Braunewell — Mon, 13 Feb 2006 15:17:29 +0000

Eval is not inherently slow, it just has a small constant run-time every time it’s called. To assess the speed of eval() php parsing itself, you can put the for-loop inside the eval function. Results:

Eval: 1000000 times took 8.4494090080261
Same code not eval: 1000000 times took 0.83726000785828
Loop in eval took 1.0076489448547

You can see: executing code in eval is not the problem - envoking it so many times is.

By: Joshua Eichorn

Joshua Eichorn — Mon, 21 Nov 2005 15:16:48 +0000

Jorge:
In a situation like that is no great way to garentee security. What you’ll want to do is remove the runtime eval by just writing the new code to files (helps performance too) and then focus on making sure that only the admin can write new code.

By: Jorge

Jorge — Mon, 21 Nov 2005 09:43:56 +0000

Hello, its a very interesting article. I am building a cms and considered eval to allow the cms admin to write modules on the fly using php and eval. I know that eval is quite dangerous and that’s why I’m lookig for information about coding it safely. What do you think about it? Should I try something different? Do you think it is possible to make it safely anyway?

Jorge

By: Joshua Eichorn

Joshua Eichorn — Thu, 11 Aug 2005 15:59:51 +0000

Hayley thanks for the catch, that was just flipping things around, I say whitelist in the next sentence as well. Also it I think your second comment got cut off, what returns the list of characters.

Also you can limit things however you want, its really just a matter of keeping out anything that will cause a security problem and meeting the needs of your situation.

By: Hayley Watson

Hayley Watson — Thu, 11 Aug 2005 14:10:36 +0000

Returns a list of all (uppercase) characters that are allowed to start function names. It is surprisingly extensive, but do you have to allow ALL of them in function names you create at runtime?

Adapting it to find legal subsequent characters is straightforward. The only glitch you might experience is with _(), if you have the gettext extension installed.

By: Hayley Watson

Hayley Watson — Thu, 11 Aug 2005 13:51:43 +0000

“its always easier to make a blacklist rather then a white list.”
Haven’t you got those back to front? A whitelist (in this context) being the charaters that ARE allowed in a function name, and a blacklist being the ones that are NOT. It’s easy enough to make a list of all the allowable characters (the whitelist), but the only reliable way of making the blacklist would be to start with a list containing every character and subtract the whitelist.

Whitelisting gives you a list of everything you allow, while blacklisting requires guessing every possible thing that you shouldn’t allow.

By: HotPHPPER News

HotPHPPER News — Sun, 07 Aug 2005 13:30:28 +0000

PHPのevalは遅い

フレームワークguessworkの開発者によるブログ「BMediaNode」にて
「Using Eval in PHP」の要約が書かれています。

PHPのeval関数はベタにコードを記述した場合に比べてPHP 4.3.10で10倍程度、PHP 5.1 bet

By: Joshua Eichorn

Joshua Eichorn — Tue, 02 Aug 2005 01:46:30 +0000

I belive the only option is call_user_func_array

Something like below seems to work:

class Test {
function blah(&$test) {
$test->blah = “blah was here”;
}
}

$i = new Test();

call_user_func_array(array(’Test’,'blah’),array(&$i));

var_dump($i->blah);