When is eval evil in php?

by

I would be cautious in calling eval() pure evil. Dynamic evaluation is a powerful tool and can sometimes be a life saver. With eval() one can work around shortcomings of PHP (see below).

The main problems with eval() are:

  • Potential unsafe input. Passing an untrusted parameter is a way to fail. It is often not a trivial task to make sure that a parameter (or part of it) is fully trusted.
  • Trickiness. Using eval() makes code clever, therefore more difficult to follow. To quote Brian Kernighan “Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it

The main problem with actual use of eval() is only one:

  • Inexperienced developers who use it without enough consideration.

As a rule of thumb I tend to follow this:

  1. Sometimes eval() is the only/the right solution.
  2. For most cases one should try something else.
  3. If unsure, goto 2.
  4. Else, be very, very careful.

More Related Contents:

  1. calculate math expression from a string using eval
  2. How to mathematically evaluate a string like “2-1” to produce “1”?
  3. How to evaluate formula passed as string in PHP?
  4. instantiate a class from a variable in PHP?
  5. When (if ever) is eval NOT evil?
  6. Process mathematical equations in php
  7. Execute PHP code in a string [duplicate]
  8. Dirt-simple PHP templates… can this work without `eval`?
  9. Removing eval from PHP function [closed]
  10. Route to image in Laravel [closed]
  11. Why am I Facing with this problem when run symfony? [closed]
  12. PHP “php://input” vs $_POST
  13. How can I find where I will be redirected using cURL in PHP?
  14. mysqli_stmt::bind_result(): Number of bind variables doesn’t match number of fields in prepared statement
  15. Is there a “nullsafe operator” in PHP?
  16. What is the best method to merge two PHP objects?
  17. Yosemite / El Capitan php-gd + mcrypt installation
  18. Access query string values from Laravel
  19. How to run PHP exec() as root?
  20. How to create a custom admin page in opencart?
  21. How to convert PascalCase to snake_case?
  22. php:: how long to tmp files stay?
  23. Pushnotification Server side Implementation
  24. Is it possible to protect from downloading a video from a site
  25. How to bind LIKE values using the PDO extension?
  26. How to prevent the cron job execution, if it is already running
  27. PHP – Convert File system path to URL
  28. getting the full url including the query string after hash
  29. PDO Unbuffered queries
  30. “PHP Fatal error: Class ‘HttpRequest’ not found”

Leave a Comment