PHP: why is eval bad?

All I was able to find were things like "execution of malicious code", "abusive injections", etc. No examples, and no detailed explanations of why this is such a bad practice. When is eval evil in PHP? When, if ever, is eval NOT evil? But you shouldn't need to use eval.

Developers really should act as if eval doesn't exist. And you should have a plan to move on to PHP 7 before 5. The core of its use was that you could run it on an array of data, and its key-value pairs would become living variables in your code. But all uses of it have the problem of confusing future readers. Creating an array and calling extract is more confusing than just declaring your variables.

This still has the confusion problem, but it gets rid of the possibility that your preset values can be changed by a malicious outsider via a simple query string or web form modification. And for good reason. Its use is thus discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user-provided data into it without properly validating it beforehand.

This includes, obviously, connecting to the database, deleting files, and just about anything else someone can do when SSHed into a machine. This is bad. Better still, only allow a small number of specific parameter changes, like only validated integers.

There are, in addition to the well-known eval, a variety of other ways that PHP has historically supported strings-evaluated-as-code. PHP 5. That can look like: This is now deprecated in PHP 7.

You can just create your own anonymous function without using strings as intermediaries. This is both more secure and more readable, at least to my eyes. More likely in this case you'll just crash, and your string will terminate with a gratuitously obscure error message.

IMHO, all code should fail as neatly as possible, failing which it should throw an exception as the most handleable form of error. I'd suggest that, in this example, you're coding by coincidence rather than coding to behaviour.

Yes, the SQL enum statement, and are you sure that field's an enum? Did it actually answer? Which is roughly what your option one does, but I'd wrap some ifs and comments around it for clarity and safety, e.g., if the first match doesn't match, throw an exception or set a null result.

There are still some possible issues with escaped commas or quotes, and you should probably unpack the data then de-quote it, but it does at least treat data as data, rather than as code. It can be quite tricky to make sure user input is properly cleaned out before handing it to eval. There are other problems. It's bad programming that makes eval evil, not the function.
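An added example (not code from the question or from any of the answers) that puts the two approaches side by side in PHP: one splices a request value into source text and hands it to eval(), the other validates the value as a bounded integer and passes it to a closure, so no string is ever interpreted as code. The `$request` array and the function names are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for $_GET / $_POST: a benign-looking request value.
$request = ['n' => '5'];

// Risky form: the request value becomes part of PHP source text that is eval()'d.
// Whatever the client puts in 'n' is then program, not data, and runs with the
// application's own privileges (database, filesystem, ...), as the answer notes.
function riskyDouble(array $request): int
{
    $code = 'return 2 * ' . ($request['n'] ?? '0') . ';';
    return eval($code);
}

// Hardened form: the value is validated as an integer in a fixed range and then
// handed to an ordinary closure. The input stays data, and the closure replaces
// the string-built function style (create_function) that the answer discourages.
function safeDouble(array $request): int
{
    $n = filter_var(
        $request['n'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1000]]
    );
    if ($n === false) {
        // Fail loudly with an exception instead of letting a bad value through.
        throw new InvalidArgumentException("'n' must be an integer in 0..1000");
    }
    $double = static fn(int $x): int => 2 * $x;
    return $double($n);
}

var_dump(riskyDouble($request)); // works here only because the input happened to be benign
var_dump(safeDouble($request));  // same result, with the input treated strictly as data

try {
    safeDouble(['n' => '5abc']); // rejected by validation before anything runs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```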

I use it sometimes, as I cannot get around it in dynamic programming on multiple sites. I would just receive a result! I'm happy a function such as eval exists, as it makes my life much easier. Only bad programmers get hooked up by hackers. I don't worry about that. In all honesty, there is absolutely no good use for an exorbitant function such as eval in an interpreted language such as PHP. I have never seen eval perform program functions which could not have been executed using other, safer ways. Eval is the root of all evil. I wholeheartedly agree, to all people that think that testing user input will help.

Think twice, user input can come in many different forms, and as we speak hackers are exploiting that function you didn't care enough about.

In my opinion, just avoid eval altogether. I have seen crafted examples to abuse the eval function that surpassed my own creativity.