tags:

views:

71

answers:

3
Q: 

is escaping eval variables safe enough?

Is escaping eval variables safe enough from security point of view. For e.g.

$path = "a";    //sample value; is generated dynamically
$var = "phpinfo()";     //sample attack value; is generated dynamically
eval("\$struct$path = \$var;");

this seems to be working safely to me. Although there seems to be no reason of using the code in the first place, now that it is in, it cannot be removed without a reason.

Is there any way (any value for $var or $path) that can break this eval or is it that i am simply worrying too much :-) and this is a safe case???

+2  A: 

It depends on where $path is coming from. This value breaks it:

=0;unlink('/important/file');//
Lekensteyn  2010-08-25 08:03:07
+1. excellent.. is there any case in which $var can break it?
pinaki  2010-08-25 08:26:30
Not in this eval, the $ is prefixed with a \. But if $structa should be a number (e.g. an ID for MySQL), and you're entering a string like `'`, then it will be broken on that.
Lekensteyn  2010-08-25 08:40:59
cool.. so i take it that this is a safe case of eval at work since it turned out $path is calculated and not from user inputs.. accepting urs as the correct answer... thanks
pinaki  2010-08-25 09:41:59
A: 

You could need eval to implement a plugin system with hooks... But you should never execute dynamic content with it (like phpinfo).

Josua Schmid  2010-08-25 08:10:33
A: 

I have no clue what your eval code is actually supposed to do. But if it's just about a dynamic varname how about something like that:

extract(array("\$struct$path", "\$var"));

Faster.

mario  2010-08-25 08:46:35

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases