Is whether it should use, but

yingxuy — Tue, 10 Jan 2012 05:46:54 +0000

Is whether it should use, but most programmers agree that, unless you are drawing data from a database or a trusted source, then you should not use it for debate.

BTW the additional is faster

avinmichal — Wed, 13 Jul 2011 21:28:00 +0000

BTW the additional is faster because it avoids application eval. Eval is awfully bad for your code's speed. Especially if you intend on accomplishing it abounding times. Instead use the constant() method.

JeevesBond — Wed, 04 Jan 2006 21:53:34 +0000

Ah, thanks for that dk01!

Luckily most of the eval stuff in vB is pulled from a database, but in that exploit it seems that a get variable is being eval'd ... Very dangerous, they're a bit silly to allow that to happen!

Haven't had to use eval in JavaScript yet, will make a note to avoid it like the plague.

dk01 — Tue, 03 Jan 2006 23:08:49 +0000

I stand corrected. eval() in php is not inefficient but it is a security risk. There is debate over whether it should be used at all but most programmers agree that unless you are drawing the data from a database or trusted source then you should not use it. The reason is that it can execute arbitrary code. So for example if you have register globals on then this could be dangerous. So.. for some references. You mentioned vBulletin? Here is an exploit for that project caused by the fact that it uses eval:
http://www.osvdb.org/14047

Another few articles on the subject: http://www.sitepoint.com/blogs/2005/02/27/eval-is-dead-long-live-eval/
http://www.phpwact.org/security/functions/eval_functions?DokuWiki=064b51a8941c7b29c4e07fd16ce1...

I found this interesting because I know in javascript eval will actually make your code slower. (Try having several large eval's running in js, its notably slower)

JeevesBond — Tue, 03 Jan 2006 20:27:55 +0000

dk01 wrote: Eval is notoriously bad for your code's speed. Especially if you intend on doing it many times. Instead use the constant() method.

I know this is off-topic, but vBulletin (the forum software we use) uses eval all the time, does constant() perform the same functionality (parse code in a variable)?

Could you substantiate that dk01? Do you know of someone who's tested the function, maybe you could provide links? Thanks.

dk01 — Mon, 02 Jan 2006 17:32:23 +0000

*happy new years to you too!*

thanks

mizzy — Mon, 02 Jan 2006 16:24:46 +0000

Thanks all...very helpful. I have actually completed the code today...thanks to you. HAPPY NEW YEAR !!

dk01 — Mon, 02 Jan 2006 09:09:16 +0000

BTW the second is faster because it avoids using eval. Eval is notoriously bad for your code's speed. Especially if you intend on doing it many times. Instead use the constant() method.

dk01 — Mon, 02 Jan 2006 09:07:54 +0000

Greg K wrote:
<?php define(\"ECOSETUP\",10); define(\"TMPSETUP\",20); $name1 = \"ECO\"; $name2 = \"TMP\"; eval(\"\$val1 = \" . $name1 . \"SETUP;\"); $val2 = constant($name2 . \"SETUP\"); echo \"val1 = $val1 \n\"; echo \"val2 = $val2 \n\"; ?>

Either one of those seems to work, the second method seems to use a function designed for this. I found the second method in the link that dk01 provided.

-Greg

PS. Don't forget to make sure you have checking in place to make sure it is only calling defined constants.

Nice find!

Greg K — Mon, 02 Jan 2006 06:23:27 +0000

<?php
    define(\"ECOSETUP\",10);
 define(\"TMPSETUP\",20);
      
 $name1 = \"ECO\";
 $name2 = \"TMP\";
      
 eval(\"\$val1 = \" . $name1 . \"SETUP;\");
 $val2 = constant($name2 . \"SETUP\");
      
 echo \"val1 = $val1 \n\";
 echo \"val2 = $val2 \n\";
?>

Either one of those seems to work, the second method seems to use a function designed for this. I found the second method in the link that dk01 provided.

-Greg

PS. Don't forget to make sure you have checking in place to make sure it is only calling defined constants.