jcuenod jcuenod - 4 months ago 21
PHP Question

Is "return eval" evil?

Given the statement

$someValue = eval("return \$$userSetting;");


How could
$userSetting
be dangerous? It seems the worst it could do is expose variables but that is actually what it's supposed to be doing in this code. Is there some way to execute arbitrary code with PHP's variable variables?

Answer

You can easily invoke an arbitrary function (to be more precise - an arbitrary expression) there:

$userSetting = 'userSetting && print(123)';

This would work in all (?) php versions.

With php7 it becomes even more convenient since you can call an anonymous function in-place:

$userSetting = 'userSetting && (function() { do whatever you want })();';